literally 1 uppercase change to files where appropriate to ensure
style throughout docs by doing that, and a small SQL fix for a command
NOTE: I will change the capitalization of the titles a bit later as per
the style guide, right now I want to have a clean style across all
titles so it doesn't look too mishmashy.
@ -45,8 +45,8 @@ In the future these could be extracted into separate shared libraries with an op
`pg_tde` uses two kinds of keys for encryption:
* Internal keys to encrypt the data. They are stored in PostgreSQL's data directory under `$PGDATA/pg_tde``.
* Higher-level keys to encrypt internal keys. These keys are called "principal keys". They are stored externally, in a Key Management System (KMS) using the key provider API.
* Internal keys to encrypt the data. They are stored in PostgreSQL's data directory under `$PGDATA/pg_tde`.
* Higher-level keys to encrypt internal keys. These keys are called *principal keys*. They are stored externally, in a Key Management System (KMS) using the key provider API.
`pg_tde` uses one principal key per database. Every internal key for the given database is encrypted using this principal key.
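Review bot: the substantive fix in this hunk is the removal of the stray trailing backtick in `$PGDATA/pg_tde``, which would otherwise render as literal backticks; the change from "principal keys" to *principal keys* is stylistic only and should match how the term is marked up on the rest of the page so quoted and italicised forms do not coexist.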
* `port` is the port to communicate with the KMIP server. Typically used port is 5696
* `server-certificate` is the path to the certificate file for the KMIP server
* `client_cert` is the path to the client certificate.
* `client_key` (optional) is the path to the client key. If not specified, the certificate key has to contain both the certifcate and the key.
<iwarning>:material-information: Warning:</i>`pg_tde_add_global_key_provider_kmip` currently accepts only a combined client key and a client certificate for its final parameter, reffered to as `client key`.
* `client_key` is the path to the client key.
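Review bot: the KMIP parameter list is internally inconsistent, and the replacement bullet for `client_key` loses a requirement the reader needs. `server-certificate` is written with a hyphen while `client_cert` and `client_key` use underscores; pick one form that matches the actual parameter names. The optional-`client_key` bullet says that when the key is omitted "the certificate key has to contain both the certifcate and the key", and the warning says `pg_tde_add_global_key_provider_kmip` "currently accepts only a combined client key and a client certificate for its final parameter"; the bare bullet "`client_key` is the path to the client key" no longer tells the reader the file must also carry the certificate, so whichever bullet survives should keep that constraint next to the parameter, not only in a separate warning. Fix "certifcate" and "reffered", and replace the inline `<iwarning>` HTML with the `!!! warning` admonition style used later on the page.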
The following example is for testing purposes only.
If you encrypted a table with the `tde_heap` access method and need to remove the encryption from it, run the following command against the desired table (`mytable` in the example below):
```sql
ALTER TABLE mytable SET ACCESS METHOD heap;
ALTER TABLE mytable SET ACCESS METHOD heap;
```
Note that the `SET ACCESS METHOD` command drops hint bits and this may affect performance. Running a plain `SELECT count(*)` or `VACUUM` command on the entire table will check every tuple for visibility and set its hint bits. Therefore, after executing the `ALTER TABLE` command, run a simple `count(*)` on your tables:
```sql
SELECT count(*) FROM mytable;
SELECT count(*) FROM mytable;
```
Check that the table is not encrypted:
```sql
SELECT pg_tde_is_encrypted('mytable');
SELECT pg_tde_is_encrypted('mytable');
```
The output returns `f` meaning that the table is no longer encrypted.
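Review bot: the hint-bit explanation in this hunk says a `SELECT count(*)` or `VACUUM` will "set its hint bits", while the encrypt page later in this diff says the same scan will "reset the hint bits"; the visibility check sets hint bits, so use "set" in both places and keep the two passages worded identically, since they describe the same `SET ACCESS METHOD` behaviour. The dangling sentence "The following example is for testing purposes only." sits before the decryption instructions rather than directly above the example it qualifies; move it next to that example or drop it.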
@ -27,8 +27,8 @@ The output returns `f` meaning that the table is no longer encrypted.
Alternatively, you can create a new not encrypted table with the same structure and data as the initial table. For example, the original encrypted table is `EncryptedCustomers`. Use the following command to create a new table `Customers`:
```sql
CREATE TABLE Customers AS
SELECT * FROM EncryptedCustomers;
CREATE TABLE Customers AS
SELECT * FROM EncryptedCustomers;
```
The new table `Customers` inherits the structure and the data from `EncryptedCustomers`.
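Review bot: "inherits the structure and the data from `EncryptedCustomers`" overstates what `CREATE TABLE Customers AS SELECT * FROM EncryptedCustomers` does: it copies column names, types and rows, but not primary keys, indexes, defaults, identity columns or constraints, so say "column definitions and data" and point the reader at recreating constraints. More importantly for this how-to, `CREATE TABLE ... AS` creates the new table with the default table access method, and the page elsewhere describes enabling encryption by default via the table access method; if that default is `tde_heap`, the "not encrypted" copy will itself be encrypted. Either state `USING heap` explicitly in the example or tell the reader to run `pg_tde_is_encrypted('Customers')` afterwards, as the `ALTER TABLE` path above already does.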
@ -36,5 +36,5 @@ The new table `Customers` inherits the structure and the data from `EncryptedCus
(Optional) If you no longer need the `EncryptedCustomers` table, you can delete it.
The steps below describe how to set up multi-tenancy with `pg_tde`. Multi-tenancy allows you to encrypt different databases with different keys. This provides granular control over data and enables you to introduce different security policies and access controls for each database so that only authorized users of specific databases have access to the data.
If you don't need multi-tenancy, use the global key provider. See the configuration steps from the [Setup](../setup.md) section.
If you don't need multi-tenancy, use the global key provider. See the configuration steps from the [Configure pg_tde](../setup.md) section.
For how to enable WAL encryption, refer to the [WAL encryption](../wal-encryption.md) section.
For how to enable WAL encryption, refer to the [Configure WAL Encryption](../wal-encryption.md) section.
--8<--"kms-considerations.md"
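Review bot: the snippet include `--8<--"kms-considerations.md"` has no whitespace between the marker and the quoted filename; the pymdownx snippets syntax expects `--8<-- "kms-considerations.md"`, so check whether the space was lost and that the KMS considerations actually render on this page. The two link-text changes in this hunk ("Setup" to "Configure pg_tde", "WAL encryption" to "Configure WAL Encryption") are fine provided they match the target pages' titles.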
@ -132,6 +132,7 @@ You must do these steps for every database where you have created the extension.
<iinfo>:material-information: Info:</i> The key provider configuration is stored in the database catalog in an unencrypted table. See [how to use external reference to parameters](external-parameters.md) to add an extra security layer to your setup.
This is the {{release}} version of the extension and it is not meant for production use yet. We encourage you to use it in testing environments and [provide your feedback](https://forums.percona.com/c/postgresql/pg-tde-transparent-data-encryption-tde/82).
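Review bot: the `<iinfo>` line carries the most security-relevant statement in this hunk, that the key provider configuration (for KMIP, the server and client certificate and key paths listed earlier in this diff) is stored unencrypted in the database catalog, yet it is rendered as inline HTML rather than the `!!! note` / `!!! important` admonitions the rest of the page uses; promote it to an admonition so it is not missed, and say in one clause who can read that catalog table so the link to external parameters reads as a mitigation rather than an aside.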
[What is Transparent Data Encryption (TDE)?](index/index.md){.md-button}
[Get started](install.md){.md-button}
[Overview](index/index.md){.md-button}
[Get Started](install.md){.md-button}
[What's new in pg_tde {{release}}](release-notes/release-notes.md){.md-button}
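Review bot: the button labels move to Title Case ("Get Started") while the prose links changed in the same commit use sentence case ("Configure multi-tenancy", "Configure pg_tde"); the commit message already says title capitalization will be revisited against the style guide, so note that these buttons will need the same pass, otherwise the two conventions end up mixed on the landing page.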
* `pg_rewind` doesn't work with encrypted WAL for now. We plan to fix it in future releases.
* `pg_tde` Release candidate is incompatible with `pg_tde`Beta2 due to significant changes in code. There is no direct upgrade flow from one version to another. You must [uninstall](../how-to/uninstall.md) `pg_tde` Beta2 first and then [install](../install.md) and configure the new Release Candidate version.
[Versions and supported PostgreSQL deployments](supported-versions.md){.md-button}
[Versions and Supported PostgreSQL Deployments](supported-versions.md){.md-button}
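Review bot: the known-issues bullet has "`pg_tde`Beta2" with no space after the closing backtick, and "Release candidate" and "Release Candidate" appear in the same sentence; fix the spacing and pick one capitalization. The `pg_rewind` caveat with encrypted WAL is worth keeping prominent since it affects recovery procedures, not only convenience.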
Before you can use `pg_tde` for data encryption, you must enable the extension and configure PostgreSQL to load it at startup. This setup ensures that the necessary hooks and shared memory are available for encryption operations.
!!! note
To learn how to configure multi-tenancy, refer to the [Configure multi-tenancy](how-to/multi-tenant-setup.md) guidelines.
To learn how to configure multi-tenancy, refer to the [Configure multi-tenancy](how-to/multi-tenant-setup.md) guidelines.
The `pg_tde` extension requires additional shared memory. You need to configure PostgreSQL to prelaod it at startup.
The `pg_tde` extension requires additional shared memory. You need to configure PostgreSQL to preload it at startup.
## 1. Configure shared_preload_libraries
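Review bot: besides the "prelaod" to "preload" typo fix, the `!!! note` admonition body ("To learn how to configure multi-tenancy ...") must be indented by four spaces under the `!!! note` line or it renders as a plain paragraph outside the box; the extracted diff shows it flush left, so verify the indentation survived in the actual file.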
@ -45,7 +44,7 @@ Restart the `postgresql` cluster to apply the configuration.
After restarting PostgreSQL, connect to `psql` as a **superuser** or **database owner** and run:
```sql
CREATE EXTENSION pg_tde;
CREATE EXTENSION pg_tde;
```
See [CREATE EXTENSION :octicons-link-external-16:](https://www.postgresql.org/docs/current/sql-createextension.html) for more details.
@ -59,7 +58,7 @@ See [CREATE EXTENSION :octicons-link-external-16:](https://www.postgresql.org/do
To automatically have `pg_tde` enabled for all new databases, modify the `template1` database:
@ -7,26 +7,26 @@ After enabling the `pg_tde` extension for a database, you can begin encrypting d
1. Create a table in the database for which you have [enabled `pg_tde`](setup.md) using the `tde_heap` access method as follows:
```sql
CREATE TABLE <table_name> (<field><datatype>) USING tde_heap;
CREATE TABLE <table_name> (<field><datatype>) USING tde_heap;
```
<iwarning>:material-information: Warning:</i> Example for testing purposes only:
```sql
CREATE TABLE albums (
album_id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
artist_id INTEGER,
title TEXT NOT NULL,
released DATE NOT NULL
) USING tde_heap;
CREATE TABLE albums (
album_id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
artist_id INTEGER,
title TEXT NOT NULL,
released DATE NOT NULL
) USING tde_heap;
```
Learn more about table access methods and how you can enable data encryption by default in the [Table access methods](index/table-access-method.md) section.
Learn more about table access methods and how you can enable data encryption by default in the [Table Access Methods and TDE](index/table-access-method.md) section.
2. To check if the data is encrypted, run the following function:
```sql
SELECT pg_tde_is_encrypted('table_name');
SELECT pg_tde_is_encrypted('table_name');
```
The function returns `t` if the table is encrypted and `f` - if not.
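Review bot: the placeholders in this hunk are inconsistent: the generic command uses `<table_name>` and `<field><datatype>` (missing a space between the two), while the check uses `pg_tde_is_encrypted('table_name')` without angle brackets; use one placeholder form throughout, and in step 2 reuse the `albums` example so the reader can run the check against the table they just created. The `<iwarning>` "Example for testing purposes only" line should use the `!!! warning` admonition style, and "`f` - if not" reads better as "`f` if it is not".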
@ -42,23 +42,21 @@ You can encrypt an existing table. It requires rewriting the table, so for large
Run the following command:
```sql
ALTER TABLE table_name SET ACCESS METHOD tde_heap;
ALTER TABLE table_name SET ACCESS METHOD tde_heap;
```
!!! important
Using `SET ACCESS METHOD` drops hint bits which can impact query performance. To restore performance, run:
```sql
SELECT count(*) FROM table_name;
SELECT count(*) FROM table_name;
```
This forces PostgreSQL to check every tuple for visibility and reset the hint bits.
!!! hint
Want to remove encryption later? See how to [decrypt your data](how-to/decrypt.md).
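Review bot: "reset the hint bits" should read "set the hint bits"; the `SELECT count(*)` scan sets them after the rewrite cleared them, and the decrypt page earlier in this diff already uses "set". The `!!! important` and `!!! hint` bodies, including the fenced `SELECT count(*)` block, need the four-space indentation that admonition content requires, which the extracted hunk does not show; confirm it is present in the file. Consider also mentioning `VACUUM` here as the decrypt page does, so both pages give the same options for restoring hint bits.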