open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
235 Commits
38 Branches
662 Tags
732 MiB
 
 
 
 
 
 
Tag: Branch: Tree: bf936b0a10
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'bf936b0a10'
${ noResults }
postgres/documentation/docs/setup.md

79 lines
2.8 KiB
Raw Blame History

# Set up `pg_tde`
Load the `pg_tde` at the start time. The extension requires additional shared memory; therefore, add the `pg_tde` value for the `shared_preload_libraries` parameter and restart the `postgresql` instance.
1. Use the [ALTER SYSTEM](https://www.postgresql.org/docs/current/sql-altersystem.html) command from `psql` terminal to modify the `shared_preload_libraries` parameter.
```sql
ALTER SYSTEM SET shared_preload_libraries = 'pg_tde';
```
2. Start or restart the `postgresql` instance to apply the changes.
* On Debian and Ubuntu:
```sh
sudo systemctl restart postgresql.service
```
* On RHEL and derivatives
```sh
sudo systemctl restart postgresql-16
```
3. Create the extension using the [CREATE EXTENSION](https://www.postgresql.org/docs/current/sql-createextension.html) command. You must have the privileges of a superuser or a database owner to use this command. Connect to `psql` as a superuser for a database and run the following command:
```sql
CREATE EXTENSION pg_tde;
```
By default, the `pg_tde` extension is created for the currently used database. To enable data encryption in other databases, you must explicitly run the `CREATE EXTENSION` command against them.
!!! tip
You can have the `pg_tde` extension automatically enabled for every newly created database. Modify the template `template1` database as follows:
```
psql -d template1 -c 'CREATE EXTENSION pg_tde;'
```
4. Set up a key provider for the database where you have enabled the extension
=== "With HaschiCorp Vault"
```sql
SELECT pg_tde_add_key_provider_vault_v2('provider-name',:'secret_token','url','mount','ca_path');
```
where:
* `url` is the URL of the Vault server
* `mount` is the mount point where the keyring should store the keys
* `secret_token` is an access token with read and write access to the above mount point
* [optional] `ca_path` is the path of the CA file used for SSL verification
=== "With keyring file"
This setup is intended for development and stores the keys unencrypted in the specified data file.
```sql
SELECT pg_tde_add_key_provider_file('provider-name','/path/to/the/keyring/data.file');
```
5. Add a principal key
```sql
SELECT pg_tde_set_principal_key('name-of-the-principal-key', 'provider-name');
```
<i info>:material-information: Info:</i> The key provider configuration is stored in the database catalog in an unencrypted table. See [how to use external reference to parameters](external-parameters.md) to add an extra security layer to your setup.
## Next steps
[Test TDE](test.md){.md-button}