Using
After you configure Hashicorp Vault transit secrets engine, you can then encrypt your EDB Postgres distribution database.
Note
This content is intended for versions 15.2 and later of EDB Postgres Advanced Server or versions 15.2 and later of EDB Postgres Extended Server, as these versions support transparent data encryption (TDE).
After you configure the Hashicorp Vault transit secrets engine, any user or machine that holds a Vault token with the proper permissions (granted during your install and setup of the transit secrets engine) can use this secrets engine to encrypt a key.
Perform initdb for the database
After you enable the Hashicorp Vault transit secrets engine and create a key, you can export the PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD environment variables, which wrap and unwrap your data encryption key, and then initialize your database.
1. Log in to your EDB Postgres distribution as the database superuser, for example:
   sudo su - enterprisedb
2. Navigate to the /bin directory where your executables are. In this example, it's /usr/lib/edb-as/15/bin.
3. Enter:
   export PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p'
4. Enter:
   export PGDATAKEYUNWRAPCMD='cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode'
5. Perform your initdb per your database requirements, for example:
   ./initdb -D dd12 -y
   If all is successful, the output looks like this:
6. Start your database and navigate to your /data directory to view the postgresql.conf file. Make sure that the data_encryption_key_unwrap_command that you set with your export PGDATAKEYUNWRAPCMD is present under the Authentication section.
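The wrap and unwrap commands must be exact inverses: the server pipes the fresh data encryption key into PGDATAKEYWRAPCMD with %p replaced by the wrapped-key file path, and later expects PGDATAKEYUNWRAPCMD to read that file and print the original key on stdout, so a mismatch means the cluster can never start. The following added example (not code from the EDB page) dry-runs the pair the same way before you run initdb; the function name tde_roundtrip_check and the --run flag are names chosen here, and the Vault commands are the page's own defaults.

```shell
#!/bin/sh
# Added example, not from the EDB page: dry-run the key wrap/unwrap pair
# exactly the way the server uses it, before running initdb. The server
# feeds the new data encryption key to PGDATAKEYWRAPCMD on stdin with %p
# replaced by the wrapped-key file path, and later expects
# PGDATAKEYUNWRAPCMD to read %p and print the original key on stdout.
set -u

# Defaults are the page's commands; override via the environment for other key names.
: "${PGDATAKEYWRAPCMD:=base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p}"
: "${PGDATAKEYUNWRAPCMD:=cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode}"

# tde_roundtrip_check WRAPCMD UNWRAPCMD
# Returns 0 when a random 32-byte key survives wrap -> unwrap unchanged.
tde_roundtrip_check() {
    wrap_cmd=$1
    unwrap_cmd=$2
    tmp=$(mktemp -d) || return 2
    keyfile="$tmp/key.bin"          # stands in for the server's wrapped-key file
    head -c 32 /dev/urandom > "$tmp/key.in"
    # Substitute %p as the server does (the temp path has no '|', so it is a safe sed delimiter).
    wrap=$(printf '%s' "$wrap_cmd" | sed "s|%p|$keyfile|g")
    unwrap=$(printf '%s' "$unwrap_cmd" | sed "s|%p|$keyfile|g")
    rc=1
    if sh -c "$wrap" < "$tmp/key.in" && sh -c "$unwrap" > "$tmp/key.out"; then
        # Binary-safe comparison: the key may contain NUL bytes.
        cmp -s "$tmp/key.in" "$tmp/key.out" && rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: check the real Vault commands (needs the vault CLI and a token).
if [ "${1:-}" = "--run" ]; then
    if tde_roundtrip_check "$PGDATAKEYWRAPCMD" "$PGDATAKEYUNWRAPCMD"; then
        echo "wrap/unwrap round trip OK; export both variables and run initdb -y"
    else
        echo "wrap/unwrap mismatch; fix the commands before running initdb" >&2
        exit 1
    fi
fi
```

Run it as `sh tde_check.sh --run` in the same shell session where VAULT_ADDR and your token are set; a failure here is far cheaper to diagnose than a cluster that refuses to start after initdb.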
Encrypt Plaintext Data
Hashicorp Vault transit secrets engine can also encrypt some plaintext data. However, any plaintext data must be base64-encoded first. This is a requirement because Hashicorp Vault doesn't assume that the plaintext is "text": it treats the input as arbitrary bytes, so it can also be another type of file.
Note
Hashicorp Vault doesn't store any data. Storing data is up to the database user. For more information on Hashicorp Vault transit secrets engine, see the Hashicorp documentation.
For more information on how TDE is incorporated with EDB Postgres Advanced Server and EDB Postgres Extended Server see the EDB Transparent Data Encryption documentation.