diff --git a/contrib/pg_tde/README.md b/contrib/pg_tde/README.md index 3eca819a8c4..8d2eb914ce8 100644 --- a/contrib/pg_tde/README.md +++ b/contrib/pg_tde/README.md @@ -98,11 +98,11 @@ _See [Make Builds for Developers](https://github.com/percona/pg_tde/wiki/Make-bu ```sql ALTER SYSTEM SET shared_preload_libraries = 'pg_tde'; ``` - 2. Start or restart the `postgresql` instance to apply the changes. + 2. Start or restart the `postgresql` cluster to apply the changes. * On Debian and Ubuntu: ```sh - sudo systemctl restart postgresql.service + sudo systemctl restart postgresql-17 ``` * On RHEL 8 compatible OS (replace XX with your version): diff --git a/contrib/pg_tde/documentation/docs/functions.md b/contrib/pg_tde/documentation/docs/functions.md index e9859f6ec81..aa0c8520d4b 100644 --- a/contrib/pg_tde/documentation/docs/functions.md +++ b/contrib/pg_tde/documentation/docs/functions.md @@ -213,7 +213,7 @@ SELECT pg_tde_set_principal_key('name-of-the-principal-key','provider-name','ens * If set to `true` (default), a new key must be unique. If the provider already stores a key by that name, the function returns an error. -* If set to `false`, an existing principal key will be reused. +* If set to `false`, an existing principal key may be reused. ### pg_tde_set_server_principal_key 
@@ -227,14 +227,14 @@ The `ensure_new_key` parameter instructs the function how to handle a principal * If set to `true` (default), a new key must be unique. If the provider already stores a key by that name, the function returns an error. -* If set to `false`, an existing principal key will be reused. +* If set to `false`, an existing principal key may be reused. ### pg_tde_set_default_principal_key Creates or rotates the default principal key for the server using the specified key provider. -The default key is automatically used by any database that doesn't have a specific key created the first time an encrypted database object is created. +The default key is automatically used as a principal key by any database that doesn't have a specific principal key created the first time an encrypted database object is created. ``` SELECT pg_tde_set_default_principal_key('name-of-the-principal-key','provider-name','ensure_new_key'); @@ -244,7 +244,7 @@ The `ensure_new_key` parameter instructs the function how to handle a principal * If set to `true` (default), a new key must be unique. If the provider already stores a key by that name, the function returns an error. -* If set to `false`, an existing principal key will be reused. +* If set to `false`, an existing principal key may be reused. ## Encryption status check diff --git a/contrib/pg_tde/documentation/docs/multi-tenant-setup.md b/contrib/pg_tde/documentation/docs/multi-tenant-setup.md index 374f19a6fff..43c22d249d0 100644 --- a/contrib/pg_tde/documentation/docs/multi-tenant-setup.md +++ b/contrib/pg_tde/documentation/docs/multi-tenant-setup.md 
@@ -10,7 +10,7 @@ For how to enable WAL encryption, refer to the [WAL encryption](setup.md#wal-enc ## Enable extension -Load the `pg_tde` at the start time. The extension requires additional shared memory; therefore, add the `pg_tde` value for the `shared_preload_libraries` parameter and restart the `postgresql` instance. +Load the `pg_tde` at startup time. The extension requires additional shared memory; therefore, add the `pg_tde` value for the `shared_preload_libraries` parameter and restart the `postgresql` cluster. 1. Use the [ALTER SYSTEM :octicons-link-external-16:](https://www.postgresql.org/docs/current/sql-altersystem.html) command from `psql` terminal to modify the `shared_preload_libraries` parameter. This requires superuser privileges. @@ -18,12 +18,12 @@ Load the `pg_tde` at the start time. The extension requires additional shared me ALTER SYSTEM SET shared_preload_libraries = 'pg_tde'; ``` -2. Start or restart the `postgresql` instance to apply the changes. +2. Start or restart the `postgresql` cluster to apply the changes. * On Debian and Ubuntu: ```sh - sudo systemctl restart postgresql.service + sudo systemctl restart postgresql-17 ``` * On RHEL and derivatives @@ -38,7 +38,7 @@ Load the `pg_tde` at the start time. The extension requires additional shared me CREATE EXTENSION pg_tde; ``` - By default, the `pg_tde` extension is created for the currently used database. To enable data encryption in other databases, you must explicitly run the `CREATE EXTENSION` command against them. + The `pg_tde` extension is created for the currently used database. To enable data encryption in other databases, you must explicitly run the `CREATE EXTENSION` command against them. !!! tip 
@@ -61,13 +61,13 @@ You must do these steps for every database where you have created the extension. For testing purposes, you can use the PyKMIP server which enables you to set up required certificates. To use a real KMIP server, make sure to obtain the valid certificates issued by the key management appliance. ``` - SELECT pg_tde_add_key_provider_kmip('provider-name','kmip-IP', 5696, '/path_to/server_certificate.pem', '/path_to/client_key.pem'); + SELECT pg_tde_add_key_provider_kmip('provider-name','kmip-addr', 5696, '/path_to/server_certificate.pem', '/path_to/client_key.pem'); ``` where: * `provider-name` is the name of the provider. You can specify any name, it's for you to identify the provider. - * `kmip-IP` is the IP address of a domain name of the KMIP server + * `kmip-addr` is the IP address of a domain name of the KMIP server * `port` is the port to communicate with the KMIP server. Typically used port is 5696. * `server-certificate` is the path to the certificate file for the KMIP server. * `client key` is the path to the client key. diff --git a/contrib/pg_tde/documentation/docs/setup.md b/contrib/pg_tde/documentation/docs/setup.md index a20073eb869..24e70064073 100644 --- a/contrib/pg_tde/documentation/docs/setup.md +++ b/contrib/pg_tde/documentation/docs/setup.md 
@@ -6,7 +6,7 @@ The steps below describe the default key configuration. This means that the enti ## Enable extension -Load the `pg_tde` at the start time. The extension requires additional shared memory; therefore, add the `pg_tde` value for the `shared_preload_libraries` parameter and restart the `postgresql` instance. +Load the `pg_tde` at startup time. The extension requires additional shared memory; therefore, add the `pg_tde` value for the `shared_preload_libraries` parameter and restart the `postgresql` cluster. 1. Use the [ALTER SYSTEM :octicons-link-external-16:](https://www.postgresql.org/docs/current/sql-altersystem.html) command from `psql` terminal to modify the `shared_preload_libraries` parameter. This requires superuser privileges. @@ -14,12 +14,12 @@ Load the `pg_tde` at the start time. The extension requires additional shared me ALTER SYSTEM SET shared_preload_libraries = 'pg_tde'; ``` -2. Start or restart the `postgresql` instance to apply the changes. +2. Start or restart the `postgresql` cluster to apply the changes. * On Debian and Ubuntu: ```sh - sudo systemctl restart postgresql.service + sudo systemctl restart postgresql-17 ``` * On RHEL and derivatives @@ -34,7 +34,7 @@ Load the `pg_tde` at the start time. The extension requires additional shared me CREATE EXTENSION pg_tde; ``` - By default, the `pg_tde` extension is created for the currently used database. To enable data encryption in other databases, you must explicitly run the `CREATE EXTENSION` command against them. + The `pg_tde` extension is created for the currently used database. To enable data encryption in other databases, you must explicitly run the `CREATE EXTENSION` command against them. 4. Enable the `pg_tde` extension automatically for every newly created database. Modify the template `template1` database as follows: diff --git a/contrib/pg_tde/documentation/docs/uninstall.md b/contrib/pg_tde/documentation/docs/uninstall.md index 75bc174b95b..3d997f24c6b 100644 
--- a/contrib/pg_tde/documentation/docs/uninstall.md +++ b/contrib/pg_tde/documentation/docs/uninstall.md @@ -1,6 +1,6 @@ # Uninstall `pg_tde` -If you no longer wish to use TDE in your deployment, you can remove the `pg_tde` extension. To do that, your user must have the privileges of the superuser or a database owner. +If you no longer wish to use TDE in your deployment, you can remove the `pg_tde` extension. To do that, your user must have the superuser privileges or a database owner. Here's how to do it: @@ -16,16 +16,16 @@ Here's how to do it: 3. Modify the `shared_preload_libraries` and remove the 'pg_tde' from it. Use the `ALTER SYSTEM` command for this purpose -4. Start or restart the `postgre` instance to apply the changes. +4. Start or restart the `postgresql` cluster to apply the changes. * On Debian and Ubuntu: ```sh - sudo systemctl restart postgre.service + sudo systemctl restart postgresql-17 ``` * On RHEL and derivatives ```sh - sudo systemctl restart postgre-17 + sudo systemctl restart postgresql-17 ``` diff --git a/contrib/pg_tde/documentation/docs/wal-encryption.md b/contrib/pg_tde/documentation/docs/wal-encryption.md index 2cf568f5450..1c03e6f624c 100644 --- a/contrib/pg_tde/documentation/docs/wal-encryption.md +++ b/contrib/pg_tde/documentation/docs/wal-encryption.md @@ -4,7 +4,7 @@ After you [enabled `pg_tde`](#enable-extension) and restarted the Percona Server Here's how to do it: -1. Enable WAL level encryption using the `ALTER SYSTEM SET` command. You need the privileges of the superuser to run this command: +1. Enable WAL level encryption using the `ALTER SYSTEM SET` command. You need the superuser privileges to run this command: ```sql ALTER SYSTEM set pg_tde.wal_encrypt = on; @@ -15,7 +15,7 @@ Here's how to do it: * On Debian and Ubuntu: ```sh - sudo systemctl restart postgresql.service + sudo systemctl restart postgresql-17 ``` * On RHEL and derivatives 
@@ -35,14 +35,13 @@ Here's how to do it: For testing purposes, you can use the PyKMIP server which enables you to set up required certificates. To use a real KMIP server, make sure to obtain the valid certificates issued by the key management appliance. ```sql - SELECT pg_tde_add_key_provider_kmip('PG_TDE_GLOBAL', 'provider-name','kmip-IP', 5696, '/path_to/server_certificate.pem', '/path_to/client_key.pem'); + SELECT pg_tde_add_global_key_provider_kmip('provider-name','kmip-addr', 5696, '/path_to/server_certificate.pem', '/path_to/client_key.pem'); ``` where: - * `PG_TDE_GLOBAL` is the constant that defines that this is the global key provider * `provider-name` is the name of the provider. You can specify any name, it's for you to identify the provider. - * `kmip-IP` is the IP address of a domain name of the KMIP server + * `kmip-addr` is the IP address of a domain name of the KMIP server * `port` is the port to communicate with the KMIP server. Typically used port is 5696. * `server-certificate` is the path to the certificate file for the KMIP server. * `client key` is the path to the client key. 
@@ -50,18 +49,17 @@ Here's how to do it: :material-information: Warning: This example is for testing purposes only: ``` - SELECT pg_tde_add_key_provider_kmip('PG_TDE_GLOBAL','kmip','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem'); + SELECT pg_tde_add_key_global_provider_kmip('kmip','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem'); ``` === "With HashiCorp Vault" ```sql - SELECT pg_tde_add_key_provider_vault_v2('PG_TDE_GLOBAL','provider-name',:'secret_token','url','mount','ca_path'); + SELECT pg_tde_add_global_key_provider_vault_v2('provider-name',:'secret_token','url','mount','ca_path'); ``` where: - * `PG_TDE_GLOBAL` is the constant that defines the WAL encryption key * `provider-name` is the name you define for the key provider * `url` is the URL of the Vault server * `mount` is the mount point where the keyring should store the keys @@ -80,7 +78,7 @@ Here's how to do it: 4. Rotate the principal key for WAL encryption. ```sql - SELECT pg_tde_set_server_principal_key('PG_TDE_GLOBAL', 'new-principal-key', 'provider-name','ensure_new_key'); + SELECT pg_tde_set_server_principal_key('new-principal-key', 'provider-name','ensure_new_key'); ``` The `ensure_new_key` parameter is set to `true` by default. It ensures that a new key must be unique. If set to `false`, an existing principal key will be reused.
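Review bot: in the README.md hunk at `@@ -98,11 +98,11 @@`, the Debian and Ubuntu restart command becomes `sudo systemctl restart postgresql-17`, but that unit name does not exist on Debian or Ubuntu; their packaging provides `postgresql.service` (all clusters) and `postgresql@17-main.service` (one cluster), while `postgresql-<version>` is the RHEL/PGDG naming that the next bullet, "On RHEL 8 compatible OS (replace XX with your version)", already covers. Keep `sudo systemctl restart postgresql.service` in the Debian bullet, and if a version must be pinned, follow the RHEL bullet's "replace XX" convention rather than hardcoding 17.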
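Review bot: in the functions.md hunk at `@@ -227,14 +227,14 @@`, the new sentence "The default key is automatically used as a principal key by any database that doesn't have a specific principal key created the first time an encrypted database object is created." is ambiguous, because "created the first time ..." reads as modifying "principal key" rather than describing when the default kicks in. Suggest: "A database that has no principal key of its own starts using the default key as its principal key the first time an encrypted object is created in it."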
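Review bot: in the multi-tenant-setup.md hunk at `@@ -10,7 +10,7 @@`, "Load the `pg_tde` at startup time" keeps the stray article from the original and "startup time" is redundant; "Load `pg_tde` at startup." reads cleanly and matches how the rest of the docs name the extension. The same sentence appears in the setup.md hunk at `@@ -6,7 +6,7 @@`.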
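Review bot: in the multi-tenant-setup.md hunk at `@@ -18,12 +18,12 @@`, `sudo systemctl restart postgresql-17` replaces `postgresql.service` under "On Debian and Ubuntu", but `postgresql-17` is the RHEL unit name and is not defined by the Debian/Ubuntu packages (they use `postgresql.service` or `postgresql@17-main.service`). With this change the Debian bullet and the "On RHEL and derivatives" bullet that follows give the same command, which defeats the per-platform split; keep `postgresql.service` here.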
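Review bot: in the multi-tenant-setup.md hunk at `@@ -61,13 +61,13 @@`, the renamed bullet still carries the original typo: "`kmip-addr` is the IP address of a domain name of the KMIP server" should read "the IP address or domain name of the KMIP server", which is also the reason renaming `kmip-IP` to `kmip-addr` makes sense. Since the line is being rewritten anyway, fix it here.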
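Review bot: in the setup.md hunk at `@@ -14,12 +14,12 @@`, the Debian/Ubuntu restart command is changed to `sudo systemctl restart postgresql-17`; that unit does not exist on Debian or Ubuntu (use `postgresql.service` or `postgresql@17-main.service`), and the change leaves the Debian and RHEL bullets with an identical command. Suggest keeping `sudo systemctl restart postgresql.service` on the Debian line.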
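Review bot: in the uninstall.md hunk at `@@ -1,6 +1,6 @@`, the rewritten clause "your user must have the superuser privileges or a database owner" is ungrammatical (a user cannot "have ... a database owner"), whereas the removed "the privileges of the superuser or a database owner" was correct. Suggest: "your user must have superuser privileges or be the owner of the database."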
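Review bot: in the uninstall.md hunk at `@@ -16,16 +16,16 @@`, correcting `postgre` to `postgresql` in step 4 and fixing the RHEL command to `sudo systemctl restart postgresql-17` are right, but the Debian/Ubuntu line should become `sudo systemctl restart postgresql.service` (the form the other docs used before this patch), not `postgresql-17`, which is not a unit name on those distributions. As written, both platform bullets now contain the same command.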
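Review bot: in the wal-encryption.md hunk at `@@ -4,7 +4,7 @@`, "You need the superuser privileges to run this command" should drop "the": "You need superuser privileges to run this command." The original "the privileges of the superuser" was also fine; only one of the two forms should be used across the docs.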
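Review bot: in the wal-encryption.md hunk at `@@ -15,7 +15,7 @@`, the Debian/Ubuntu restart line is changed to `sudo systemctl restart postgresql-17`, which is the RHEL unit name; on Debian and Ubuntu the unit is `postgresql.service` (or `postgresql@17-main.service` for a single cluster). Keep `postgresql.service` here so the two platform bullets remain distinct and correct.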
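Review bot: in the wal-encryption.md hunk at `@@ -35,14 +35,13 @@`, dropping the `PG_TDE_GLOBAL` argument and its bullet in favour of `pg_tde_add_global_key_provider_kmip` is consistent with the Vault example later in the file, but the `kmip-addr` bullet keeps the typo "the IP address of a domain name of the KMIP server"; make it "the IP address or domain name of the KMIP server" while the line is being touched.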
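Review bot: in the wal-encryption.md hunk at `@@ -50,18 +49,17 @@`, the KMIP test example calls `pg_tde_add_key_global_provider_kmip`, which does not match `pg_tde_add_global_key_provider_kmip` used in the preceding hunk or the `pg_tde_add_global_key_provider_vault_v2` form a few lines below; "key_global_provider" looks like a transposition, and anyone pasting the example gets a function-not-found error. Change the line to `SELECT pg_tde_add_global_key_provider_kmip('kmip','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');`.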
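Review bot: in the wal-encryption.md hunk at `@@ -80,7 +78,7 @@`, the call is correctly reduced to the three-argument `pg_tde_set_server_principal_key('new-principal-key', 'provider-name','ensure_new_key')` form matching functions.md, but the unchanged context line after it still says "If set to `false`, an existing principal key will be reused." while the three functions.md hunks in this same patch change that wording to "may be reused". Update it here as well so the two documents agree on what `ensure_new_key = false` guarantees.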