With ifdefs all over the place it was hard to expose the write functions
to frontend tools so we reduce the number of ifdefs by having one clear
set of data structures fror backend and one for frontend.
Additionally we give access to WAL key generation and setting the start_lsn
of a key to the frontend code.
Since some frontend tools will need to write WAL while others will not
it makes sense to split the initalization so only some frontend tools
and the backend needs to initialize the WAL write related stuff.
It is a bit unclear what this optimization was supposed to do,
presumably it was to break from the loop once the whole buffer was
decrypted, but the logic was very confused since if we want to do a
similar optimization it should be something like
if (dec_off + read_sz == offset + readsz).
This function counts the number of encryption keys in the key file
associated with the given OID. Name it accordingly.
Also remove comment about only user which is no longer true.
These tests are a carbon copy of upstream's pg_rewind tests. Changes
for WAL encryption will be added in the following commit.
`standby_source` test is not copied as it fails because of changes
needed in pg_basebackup.
The path had an additional "../" section, which means it referenced
outside the action working directory. For some reason (possibly earlier
scripts during development?) we had an existing postgres installation
there, but it was old and never updated. As it still had bugs in the
partition handling code, it always reported an error.
The pg_tde_change_key_provider tool should act more like PostgreSQL's
own CLI tools, which includes changing the usage slightly (but not
entirely) to match, making the error messages more similar to
PostgreSQL's and making the code a bit more PG-like.
This commit makes a suppression list as specific as possible, so it won't
cover up new issues. And adds comments to existing suppressions. Also,
fixes memory leaks in bin/pgctl code (all related to frontend usage) and
low-hanging fruits in pgctl.
Added initial files and modifications to include 1.0 release notes to
the TOC and variables. Updates:
* updated the ToC names to make them in line with style guide
* updated variable with new release branch and fixed small release note
name
* updated ## Release Highlights with topics:
* Added tickets
* Updated Upgrade considerations
Updated the Architecture topic with the following:
- New intro detailing the long term tde goals in a paragraph
- Updated the ## Typical setup scenarios topic with better writing and
improved flow
- Added note to WAL Encryption that it is not to be used in prod env
- General small fixes to paragraphs, wrongly written words and such
Updated the introduction with the proper extension name, updated the
intro to reflect this. Removed important note about not meant for
production and added the No upgrade warning from previous versions (like
RC2) to GA. Updates:
* removed the block announcement for RC2 at the top of the HTML page in
the intro
* Added the warning note before installation begins too.
* Updated site name to full name.
In set-principal-key.md:
* updated with correct code example using set_server_key_using_global
parameter
* updated note to reflect correct config
In features.md:
* Removed temporary tables feature to clear confusion, removed logical
replication mention, removed WAL encryption as a feature.
In functions.md:
* Added ON FUNCTION for grant/revoke execution
* Modified sensitive info bolded paragraph to important note
* Small modifications to notes display, title cases and text fixes
* added note to Add or modify Vault providers for keeping the same
principal key.
* Added warning for WAL in pg_tde_create_key_using_global_key_provider
In general:
* Removed all logical replication mentions except the FAQ and in RC2
release note.
- updated FAQ with WAL encryption notes about it's beta status
- updated links to How does pg_tde make my data safe? FAQ for KMS chapters
we added
- updated pg_waldump with a note about wal encryption beta status
- Removed post quantum question from FAQ
* uninstall.md added warning note and added a new step to
ensure user knows he needs to decrypt or drop encrypted tables
* rewrote table access ALTER SYSTEM command
* for limitations.md, removed rewind mention and added WAL note as
text, made small changes to RC version. Added note for KMS, improved
system tables text.
Multi-tenant-setup.md:
* updated SELECT parameters
* Added that KMIP server setup is out of scope.
* Added a link to KMS configuration chapter in the intro to Key provider
config
setup.md:
Modified file to be postgresql.conf file
Modified last note to be clearer.
test.md:
UPdated function return for step 2 checking encrypted data
variables.md:
Added warning note for Enabling WAL encryption.
yum.md:
Updated Memory Lock description.
Added a new topic:
- How can I store an old key securely? Use Vault as an example here.
- ~~Explain how you can use this “old” principal key to unencrypt your
backups.~~
Removed files like FAQ and others that do not belong to this PR.
The function this message referenced does not exist, and even if it did
it wouldn't create keys.
Also error hint messages are supposed to be full sentences with capital
letter and period.
Having this enum named as a plural made little sense as any value of
this type is just a single code and not multiple.
The postgres code does not have pluralized enum names, so we shouldn't
either.
Created new replication topic which outlines how to set up PostgreSQL streaming replication when the `pg_tde` extension, specifically the `tde_heap` access method, is enabled on the primary server.
Ubuntu 24.04 image has Python 3.12 by default. PyKMIP server and
CodeCheker tool don't support this version, so we have to downgrade
Python version to 3.11.
Andreas Karlsson