After you configure Hashicorp Vault transit secrets engine, you can then encrypt your EDB Postgres distribution database.

Note

This content is intended for versions 15.2 and later of EDB Postgres Advanced Server or versions 15.2 and later of EDB Postgres Extended Server, as these versions support transparent data encryption (TDE).

After you configure the Hashicorp Vault transit secrets engine and a user/machine has a Vault token with the proper permissions (configured during your install and setup of transit secrets engine), it can use this secrets engine to encrypt a key.

Perform initdb for the database

After you enable Hashicorp Vault transit secrets engine and create a key, you can export the PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD to wrap and unwrap your encryption key and initialize your database.

  1. Log in to your EDB Postgres distribution as the database superuser, for example, sudo su - enterprisedb.

  2. Navigate to the /bin directory where your executables are. In this example, it's /usr/lib/edb-as/15/bin.

  3. Enter export PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p'

  4. Enter export PGDATAKEYUNWRAPCMD='cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode'

root@ip-172-31-50-151:/usr/lib/edb-pge/15/bin# su - enterprisedb

enterprisedb@ip-172-31-50-151:~$ export PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p'

enterprisedb@ip-172-31-50-151:~$ export PGDATAKEYUNWRAPCMD='cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode'
  1. Perform your initdb per your database requirements, for example: ./initdb -D dd12 -y.

    If all is successful, the output looks like this:

    enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ ./initdb -D /var/lib/edb-as/15/dd12 -y
The files belonging to this database system will be owned by user "enterprisedb".
This user must also own the server process.
The database cluster will be initialized with locale "C.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
Transparent data encryption is enabled.
creating directory /var/lib/edb-as/15/dd12 ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... America/New_York
creating configuration files ... ok
setting up data encryption ... ok
running bootstrap script ... usage: edb_tde_kmip_client.py [-h] [--pykmip-config-file FILENAME]
                              [--pykmip-config-block NAME]
                              [--in-file FILENAME] [--out-file FILENAME]
                              --key-uid KEY_UID --variant {pykmip,thales}
                              {decrypt,encrypt}
edb_tde_kmip_client.py: error: argument --variant: invalid choice: 'pymip' (choose from 'pykmip', 'thales')
2023-04-12 09:35:27 EDT FATAL:  unwrapped key is too small
child process exited with exit code 1
initdb: removing data directory "/var/lib/edb-as/15/dd12"
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ export PGDATAKEYWRAPCMD='python3 /tmp/edb_tde_kmip_client.py encrypt --pykmip-config-file=/tmp/pykmip.conf --key-uid=nfTCV2Cp5sffhQuRrOVfgCUyu8qh9kwd --out-file=%p --variant=pykmip'
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ export PGDATAKEYUNWRAPCMD='python3 /tmp/edb_tde_kmip_client.py decrypt --pykmip-config-file=/tmp/pykmip.conf --key-uid=nfTCV2Cp5sffhQuRrOVfgCUyu8qh9kwd --in-file=%p --variant=pykmip'
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ 
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ 
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ 
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ 
enterprisedb@ip-172-31-46-134:/usr/lib/edb-as/15/bin$ ./initdb -D /var/lib/edb-as/15/dd12 -y
The files belonging to this database system will be owned by user "enterprisedb".
This user must also own the server process.
The database cluster will be initialized with locale "C.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
Transparent data encryption is enabled.
creating directory /var/lib/edb-as/15/dd12 ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... America/New_York
creating configuration files ... ok
setting up data encryption ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
creating edb sys ... ok
loading edb contrib modules ...
edb_redwood_bytea.sql 
edb_redwood_date.sql 
dbms_alert_public.sql 
dbms_alert.plb 
dbms_job_public.sql 
dbms_job.plb 
dbms_lob_public.sql 
dbms_lob.plb 
dbms_output_public.sql 
dbms_output.plb 
dbms_pipe_public.sql 
dbms_pipe.plb 
dbms_rls_public.sql 
dbms_rls.plb 
dbms_sql_public.sql 
dbms_sql.plb 
dbms_utility_public.sql 
dbms_utility.plb 
dbms_aqadm_public.sql 
dbms_aqadm.plb 
dbms_aq_public.sql 
dbms_aq.plb 
dbms_profiler_public.sql 
dbms_profiler.plb 
dbms_random_public.sql 
dbms_random.plb 
dbms_redact_public.sql 
dbms_redact.plb 
dbms_lock_public.sql 
dbms_lock.plb 
dbms_scheduler_public.sql 
dbms_scheduler.plb 
dbms_crypto_public.sql 
dbms_crypto.plb 
dbms_mview_public.sql 
dbms_mview.plb 
dbms_session_public.sql 
dbms_session.plb 
edb_bulkload.sql 
edb_gen.sql 
edb_objects.sql 
edb_redwood_casts.sql 
edb_redwood_strings.sql 
edb_redwood_views.sql 
utl_encode_public.sql 
utl_encode.plb 
utl_http_public.sql 
utl_http.plb 
utl_file.plb 
edb_ht_public.sql 
edb_ht.plb 
utl_tcp_public.sql 
utl_tcp.plb 
utl_smtp_public.sql 
utl_smtp.plb 
utl_mail_public.sql 
utl_mail.plb 
utl_url_public.sql 
utl_url.plb 
utl_raw_public.sql 
utl_raw.plb 
commoncriteria.sql 
edb_gen_redwood.sql 
waitstates.sql 
installing extension edb_dblink_libpq ... ok
installing extension edb_dblink_oci ... ok
snap_tables.sql 
snap_functions.sql 
dblink_ora.sql 
sys_stats.sql 
ok
finalizing initial databases ... ok
syncing data to disk ... ok
initdb: warning: enabling "trust" authentication for local connections
initdb: hint: You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb.
Success. You can now start the database server using:
    pg_ctl -D /var/lib/edb-as/15/dd12 -l logfile start
  1. Start your database and navigate to your /data directory to view the postgresql.conf file. Make sure that the data_encryption_key_unwrap_command that you set with your export PGDATAUNWRAPCMD is present under the Authentication section.
# - Authentication -

#authentication_timeout = 1min		# 1s-600s
#password_encryption = scram-sha-256	# scram-sha-256 or md5
#db_user_namespace = off

# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
#krb_caseins_users = off

# - SSL -

#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off

# - Data Encryption -

data_encryption_key_unwrap_command = 'cat %p | vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- | base64 --decode'

Encrypt Plaintext Data

Hashicorp Vault transit secrets engine can also encrypt some plaintext data. However, any plaintext data needs to be base64-encoded. This is a requirement, as Hashicorp Vault doesn't require that the plaintext data is "text." It can also be another type of file.

enterprisedb@ip-172-31-50-151:~$ export VAULT_TOKEN="hvs.D9lfoRBZYtdJY2t3lG3f6yUa"
enterprisedb@ip-172-31-50-151:~$ vault write transit/encrypt/pg-tde-master-1 plaintext=$(echo "my secret data" | base64)
Key            Value
---            -----
ciphertext     vault:v1:/laUa+i1RVs4kFDD+a6Dmm+mJvVuo8jW0JHWISlzEe/ur/nUlfswEyYShA==
key_version    1
Note

Hashicorp Vault doesn't store any data. Storing data is up to the database user. For more information on Hashicorp Vault transit secrets engine, see the Hashicorp documentation.

For more information on how TDE is incorporated with EDB Postgres Advanced Server and EDB Postgres Extended Server see the EDB Transparent Data Encryption documentation.


Could this page be better? Report a problem or suggest an addition!