After you have configured the Hashicorp Vault Transit Secrets Engine as described in the Configuring section, you can encrypt your EDB Postgres distribution database.

Note

This document applies to versions 15.2 and above of EDB Postgres Advanced Server and versions 15.2 and above of EDB Postgres Extended Server, as these versions support Transparent Data Encryption (TDE).

After the Hashicorp Vault Transit secrets engine is configured and a user or machine has a Vault token with the proper permissions (configured during your install and setup of the Transit Secrets Engine), that user or machine can use this secrets engine to encrypt a key.

Perform initdb for the Database

After you have enabled the Hashicorp Vault Transit Secrets Engine and created a key, you can export PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD to wrap and unwrap your encryption key, and then initialize your database.

  1. Log in to your EDB Postgres distribution as the database superuser, for example sudo su - enterprisedb.

  2. Navigate to the /bin directory where your executables live. In our example it is /usr/lib/edb-as/15/bin.

  3. Type: export PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p'

  4. Type: export PGDATAKEYUNWRAPCMD='cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode'

root@ip-172-31-50-151:/usr/lib/edb-pge/15/bin# su - enterprisedb

enterprisedb@ip-172-31-50-151:~$ export PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p'

enterprisedb@ip-172-31-50-151:~$ export PGDATAKEYUNWRAPCMD='cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode'
  5. Perform your initdb per your database requirements, for example: ./initdb -D dd12 -y.

  6. If all is successful you should get an output that looks like this:

    enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ ./initdb -D /var/lib/edb-as/15/dd12 -y
The files belonging to this database system will be owned by user "enterprisedb".
This user must also own the server process.
The database cluster will be initialized with locale "C.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
Transparent data encryption is enabled.
creating directory /var/lib/edb-as/15/dd12 ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... America/New_York
creating configuration files ... ok
setting up data encryption ... ok
running bootstrap script ... usage: edb_tde_kmip_client.py [-h] [--pykmip-config-file FILENAME]
                              [--pykmip-config-block NAME]
                              [--in-file FILENAME] [--out-file FILENAME]
                              --key-uid KEY_UID --variant {pykmip,thales}
                              {decrypt,encrypt}
edb_tde_kmip_client.py: error: argument --variant: invalid choice: 'pymip' (choose from 'pykmip', 'thales')
2023-04-12 09:35:27 EDT FATAL:  unwrapped key is too small
child process exited with exit code 1
initdb: removing data directory "/var/lib/edb-as/15/dd12"
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ export PGDATAKEYWRAPCMD='python3 /tmp/edb_tde_kmip_client.py encrypt --pykmip-config-file=/tmp/pykmip.conf --key-uid=nfTCV2Cp5sffhQuRrOVfgCUyu8qh9kwd --out-file=%p --variant=pykmip'
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ export PGDATAKEYUNWRAPCMD='python3 /tmp/edb_tde_kmip_client.py decrypt --pykmip-config-file=/tmp/pykmip.conf --key-uid=nfTCV2Cp5sffhQuRrOVfgCUyu8qh9kwd --in-file=%p --variant=pykmip'
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ 
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ 
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ 
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ 
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ ./initdb -D /var/lib/edb-as/15/dd12 -y
The files belonging to this database system will be owned by user "enterprisedb".
This user must also own the server process.
The database cluster will be initialized with locale "C.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
Transparent data encryption is enabled.
creating directory /var/lib/edb-as/15/dd12 ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... America/New_York
creating configuration files ... ok
setting up data encryption ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
creating edb sys ... ok
loading edb contrib modules ...
edb_redwood_bytea.sql 
edb_redwood_date.sql 
dbms_alert_public.sql 
dbms_alert.plb 
dbms_job_public.sql 
dbms_job.plb 
dbms_lob_public.sql 
dbms_lob.plb 
dbms_output_public.sql 
dbms_output.plb 
dbms_pipe_public.sql 
dbms_pipe.plb 
dbms_rls_public.sql 
dbms_rls.plb 
dbms_sql_public.sql 
dbms_sql.plb 
dbms_utility_public.sql 
dbms_utility.plb 
dbms_aqadm_public.sql 
dbms_aqadm.plb 
dbms_aq_public.sql 
dbms_aq.plb 
dbms_profiler_public.sql 
dbms_profiler.plb 
dbms_random_public.sql 
dbms_random.plb 
dbms_redact_public.sql 
dbms_redact.plb 
dbms_lock_public.sql 
dbms_lock.plb 
dbms_scheduler_public.sql 
dbms_scheduler.plb 
dbms_crypto_public.sql 
dbms_crypto.plb 
dbms_mview_public.sql 
dbms_mview.plb 
dbms_session_public.sql 
dbms_session.plb 
edb_bulkload.sql 
edb_gen.sql 
edb_objects.sql 
edb_redwood_casts.sql 
edb_redwood_strings.sql 
edb_redwood_views.sql 
utl_encode_public.sql 
utl_encode.plb 
utl_http_public.sql 
utl_http.plb 
utl_file.plb 
edb_ht_public.sql 
edb_ht.plb 
utl_tcp_public.sql 
utl_tcp.plb 
utl_smtp_public.sql 
utl_smtp.plb 
utl_mail_public.sql 
utl_mail.plb 
utl_url_public.sql 
utl_url.plb 
utl_raw_public.sql 
utl_raw.plb 
commoncriteria.sql 
edb_gen_redwood.sql 
waitstates.sql 
installing extension edb_dblink_libpq ... ok
installing extension edb_dblink_oci ... ok
snap_tables.sql 
snap_functions.sql 
dblink_ora.sql 
sys_stats.sql 
ok
finalizing initial databases ... ok
syncing data to disk ... ok
initdb: warning: enabling "trust" authentication for local connections
initdb: hint: You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb.
Success. You can now start the database server using:
    pg_ctl -D /var/lib/edb-as/15/dd12 -l logfile start
  7. Start your database and navigate to your /data directory. View the postgresql.conf file to ensure that the data_encryption_key_unwrap_command that you set with your export of PGDATAKEYUNWRAPCMD is present under the Authentication section.
# - Authentication -

#authentication_timeout = 1min		# 1s-600s
#password_encryption = scram-sha-256	# scram-sha-256 or md5
#db_user_namespace = off

# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
#krb_caseins_users = off

# - SSL -

#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off

# - Data Encryption -

data_encryption_key_unwrap_command = 'cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode'
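
The first initdb run in the sample output above fails with "unwrapped key is too small" after the unwrap command errors out. As an added example (not part of the EDB documentation), this shell function pipes a throwaway random key through the wrap and unwrap command templates and compares the bytes, so a broken pair is caught before initdb runs. The function name check_wrap_roundtrip and the 32-byte test key are assumptions.

```shell
#!/bin/sh
# Added example (not from the EDB docs): round-trip test for TDE key
# wrap/unwrap command templates before running initdb.

# check_wrap_roundtrip WRAP_TEMPLATE UNWRAP_TEMPLATE
# Returns 0 only if unwrap(wrap(key)) yields the identical bytes.
check_wrap_roundtrip() {
    dir=$(mktemp -d) || return 2
    key="$dir/key.bin"; wrapped="$dir/key.wrapped"; out="$dir/key.out"
    rc=0

    # Constructed throwaway test key; 32 random bytes is an assumption
    # for this check, not the real data encryption key.
    head -c 32 /dev/urandom > "$key"

    # Replace every %p with the wrapped-key file path, as in the page's commands.
    wrap_cmd=$(printf '%s' "$1" | sed "s|%p|$wrapped|g")
    unwrap_cmd=$(printf '%s' "$2" | sed "s|%p|$wrapped|g")

    # The wrap command reads the plaintext key on stdin and writes %p.
    if ! sh -c "$wrap_cmd" < "$key"; then
        echo "wrap command exited non-zero" >&2; rc=1
    elif [ ! -s "$wrapped" ]; then
        echo "wrap command left %p empty" >&2; rc=1
    # The unwrap command reads %p and writes the plaintext key to stdout.
    elif ! sh -c "$unwrap_cmd" > "$out"; then
        echo "unwrap command exited non-zero" >&2; rc=1
    elif ! cmp -s "$key" "$out"; then
        # A pipeline's status is that of its last stage, so a failed
        # 'vault write' can still end in a successful 'base64 --decode'
        # of empty input. Comparing bytes catches that case.
        echo "unwrapped key differs from original" >&2; rc=1
    fi

    rm -rf "$dir"
    return "$rc"
}

# Usage, once the variables from the steps above are exported:
#   check_wrap_roundtrip "$PGDATAKEYWRAPCMD" "$PGDATAKEYUNWRAPCMD" && ./initdb -D dd12 -y
```

The check needs the same VAULT_TOKEN and Vault address in the environment that the database server will have when it runs the unwrap command.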

Encrypt Plaintext Data

The Hashicorp Vault Transit Secrets Engine can also encrypt plaintext data. However, any plaintext data must be base64-encoded. This is required because Hashicorp Vault does not require that the plaintext data is "text"; it could also be another type of file.

enterprisedb@ip-172-31-50-151:~$ export VAULT_TOKEN="hvs.D9lfoRBZYtdJY2t3lG3f6yUa"
enterprisedb@ip-172-31-50-151:~$ vault write transit/encrypt/pg-tde-master-1 plaintext=$(echo "my secret data" | base64)
Key            Value
---            -----
ciphertext     vault:v1:/laUa+i1RVs4kFDD+a6Dmm+mJvVuo8jW0JHWISlzEe/ur/nUlfswEyYShA==
key_version    1

As an added note, Hashicorp Vault does not store any data; that is up to the database user. For more information on the Hashicorp Vault Transit Secrets Engine, visit the Hashicorp documentation.

For more information on how TDE is incorporated with EDB Postgres Advanced Server and EDB Postgres Extended Server, visit the EDB Transparent Data Encryption documentation.

