@ -90,11 +90,13 @@ Load the `pg_tde` at the start time. The extension requires additional shared me
## WAL encryption configuration (tech preview)
After you [enabled `pg_tde`](#enable-extension) and started the Percona Server for PostgreSQL, a principal key and a keyring for WAL encryption are created.
After you [enabled `pg_tde`](#enable-extension) and started the Percona Server for PostgreSQL, a principal key and internal keys for WAL encryption are created. They are stored in the data directory so that after WAL encryption is enabled, any process that requires access to WAL (a recovery or a checkpointer) can use them for decryption.
Now you need to instruct `pg_tde ` to encrypt WAL files by configuring WAL encryption. Here's how to do it:
1. Enable WAL level encryption using the `ALTER SYSTEM SET` command. You need the privileges of the superuser to run this command:
### Enable WAL level encryption
1. Use the `ALTER SYSTEM SET` command. You need the privileges of the superuser to run this command:
```sql
ALTER SYSTEM set pg_tde.wal_encrypt = on;
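Review bot: the rewritten paragraph about key storage is ambiguous about what exactly lands in the data directory and in what form. It says "a principal key and internal keys for WAL encryption are created. They are stored in the data directory", which a reader can take to mean the principal key itself sits in the data directory; the later "Rotate the principal key" section instead says the default principal key comes from the local keyfile and is stored unencrypted. Spell out which key is stored where and whether the internal keys written to the data directory are wrapped by the principal key, since that is the property the recovery and checkpointer processes depend on. Minor: `pg_tde ` carries a trailing space inside the backticks in the context line, and the SQL mixes case in `ALTER SYSTEM set pg_tde.wal_encrypt = on;` while the surrounding prose writes `ALTER SYSTEM SET`.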
@ -114,11 +116,15 @@ Now you need to instruct `pg_tde ` to encrypt WAL files by configuring WAL encry
sudo systemctl restart postgresql-17
```
3. We highly recommend you to create your own keyring and rotate the principal key. This is because the default principal key is created from the local keyfile and is stored unencrypted.
On the server start
### Rotate the principal key
We highly recommend you to create your own keyring and rotate the principal key. This is because the default principal key is created from the local keyfile and is stored unencrypted.
Rotating the principal key means re-encrypting internal keys internal keys used for WAL encryption with the new principal key. This process doesn't break the encryption flow nor prevents reading encrypted WAL files. During the key rotation, PostgreSQL uses lock on WAL to ensure that data is reachable and accessible.
Rotating the principal key means re-encrypting internal keys used for WAL encryption with the new principal key. This process doesn't stop the database operation meaning that reads and writes can take place as usual during key rotation.
Set up the key provider for WAL encryption
1. Set up the key provider for WAL encryption
=== "With HashiCorp Vault"
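Review bot: the new rotation paragraph drops the statement that "PostgreSQL uses lock on WAL to ensure that data is reachable and accessible" and replaces it with "doesn't stop the database operation meaning that reads and writes can take place as usual". If the WAL lock is still taken during rotation, keep a sentence saying so, because a short pause on WAL writes is exactly what an operator planning a rotation on a busy server needs to know; if the lock no longer applies, the new wording is fine but should say that no WAL lock is taken. The stray line "On the server start" looks like an orphaned fragment left over from the old numbered step and should be removed or completed. Grammar: "We highly recommend you to create your own keyring" reads better as "We highly recommend that you create your own keyring", and "doesn't stop the database operation meaning that" needs a comma before "meaning".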
@ -144,7 +150,7 @@ Now you need to instruct `pg_tde ` to encrypt WAL files by configuring WAL encry