After you configure all of the Thales certificates, you can use them with your EDB Postgres distribution.
Note
This content is intended for versions 15.2 and later of EDB Postgres Advanced Server and versions 15.2 and later of EDB Postgres Extended Server, as these versions support Transparent Data Encryption (TDE).
To implement Thales CipherTrust Manager with your EDB Postgres distribution, make sure that the following is downloaded to your system:
edb-tde-kmip-client, downloaded from the EDB repositories that your EDB Repos access entitles you to
Copy all of the .pem files that you created in Configuring Thales CipherTrust Manager (key.pem, cert.pem, and ca.pem) to the system where your EDB Postgres distribution is installed. key.pem is the client's private key, so make it readable only by the operating system user that runs the database. In this example, all of the .pem files and the edb_tde_kmip_client.py program are in the /tmp/ directory.
Check prerequisites and download edb-tde-kmip-client
To install edb-tde-kmip-client on your system, become the root user and issue the install command. This example installs it on a RHEL 8 server, so the command is:
The output looks like this:
Create pykmip.conf file
On your system where you have your EDB Postgres distribution, navigate to the directory where you saved your .pem files and the edb_tde_kmip_client.py client.
In that directory, create a file called pykmip.conf, and enter the following:
Host
Port
Username
Password
Keyfile
Certfile
Ca_certs
For example:
Note
For more information on the pykmip.conf file and its contents, see the PyKMIP documentation.
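The following shell script is an added example, not code from EDB, Thales, or the PyKMIP project. It writes the pykmip.conf described above and checks the three .pem files before the client uses them. Two points matter in practice: pykmip.conf holds the CipherTrust password and the path to the client's private key, so it is created with umask 077, and key.pem is rejected if it is group- or world-readable. The script assumes the page's layout under /tmp (override with PEM_DIR); the hostname, username and port in the guarded run at the bottom are placeholders, and 5696 is the IANA-registered KMIP port, not necessarily what your CipherTrust Manager listens on. The cert_reqs=CERT_REQUIRED line is an addition to the seven keys the page lists; it states PyKMIP's default explicitly so the server certificate is always checked against ca.pem.

```shell
#!/bin/sh
# Added example (not EDB's, Thales' or PyKMIP's own code): sanity-check the
# .pem files and write pykmip.conf with restrictive permissions.
# Assumption: everything lives under /tmp as in the page's example.
set -eu

PEM_DIR="${PEM_DIR:-/tmp}"

# Return 0 only if the file is readable and its mode is owner-only (600 or 400).
# key.pem is the client's private key and must not be group/world readable.
# stat -c '%a' is GNU coreutils (present on RHEL) and prints the octal mode.
private_file_ok() {
  [ -r "$1" ] || return 1
  case "$(stat -c '%a' "$1")" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the [client] section that PyKMIP reads from pykmip.conf.
# $1 output path, $2 host, $3 port, $4 username, $5 password,
# $6 keyfile, $7 certfile, $8 ca_certs
# The file carries the CipherTrust password, so it is recreated under umask 077.
# cert_reqs=CERT_REQUIRED is PyKMIP's default for server-certificate
# verification against ca_certs; it is written explicitly here (an addition
# to the keys the page lists).
write_pykmip_conf() {
  rm -f "$1"
  ( umask 077
    cat > "$1" <<EOF
[client]
host=$2
port=$3
username=$4
password=$5
keyfile=$6
certfile=$7
ca_certs=$8
cert_reqs=CERT_REQUIRED
EOF
  )
}

# Read one key back from the ini-style file: conf_get FILE KEY
conf_get() { sed -n "s/^$2=//p" "$1"; }

# Verify the .pem files named in the conf and the conf itself before use.
check_setup() {   # $1 = path to pykmip.conf
  private_file_ok "$(conf_get "$1" keyfile)" || { echo "keyfile missing or too permissive" >&2; return 1; }
  [ -r "$(conf_get "$1" certfile)" ] || { echo "certfile unreadable" >&2; return 1; }
  [ -r "$(conf_get "$1" ca_certs)" ] || { echo "ca_certs unreadable" >&2; return 1; }
  private_file_ok "$1" || { echo "pykmip.conf too permissive" >&2; return 1; }
}

# Guarded run: WRITE_CONF=1 CTM_HOST=... CTM_USER=... CTM_PASS=... sh thisfile.sh
# (hostname, port, user and password are placeholders you must supply).
if [ "${WRITE_CONF:-0}" = 1 ]; then
  write_pykmip_conf "$PEM_DIR/pykmip.conf" "${CTM_HOST:?}" "${CTM_PORT:-5696}" \
    "${CTM_USER:?}" "${CTM_PASS:?}" \
    "$PEM_DIR/key.pem" "$PEM_DIR/cert.pem" "$PEM_DIR/ca.pem"
  check_setup "$PEM_DIR/pykmip.conf"
fi
```

Run it once as the database OS user, then keep the resulting pykmip.conf next to the .pem files and the client program so that the same path can be passed to every later client invocation.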
Create a key on Thales CipherTrust Manager
You can create a key on Thales CipherTrust Manager in two ways: from the EDB Postgres host with python3 and the PyKMIP client, or in the Thales CipherTrust Manager UI.
Create a key locally with python3 on Thales CipherTrust Manager
To create the key on Thales CipherTrust Manager, on the system with your EDB Postgres distribution, log in as the database superuser.
Enter python3, and then enter the following, making adjustments per your system setup and directory paths:
Navigate back to Thales CipherTrust Manager. On the navigation bar, select Keys.
Check that your key, in this case edbtestkey, was created.
Create a key in Thales CipherTrust Manager UI
You can also create keys to use in your database WRAP and UNWRAP commands for encryption in the Thales CipherTrust Manager UI.
Log in to Thales CipherTrust Manager.
On the main page, from the left bar, select Keys.
To create a key, select Add Key.
Give the key an identifiable name, and select the Key Properties and Key Usage boxes per your requirements.
Select Add Key, which brings you to that key's page with specific information.
The specific key ID that's needed for your PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD commands is the ID that's shown at the top of your key information page.
Verify encryption and decryption
To ensure that the key you created can encrypt and decrypt data, run the following two commands as the superuser on the system where your EDB Postgres distribution is installed.
If this is successful, the second (decrypt) command prints the plaintext secret that was passed to the first:
Perform initdb for the database
After you create the key and verify encryption and decryption, export PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD, which initdb uses to wrap and unwrap the data encryption key, and then initialize your database.
Log in to your EDB Postgres distribution system as the database superuser, in this example the enterprisedb user: sudo su - enterprisedb.
Navigate to the bin directory where the EDB Postgres executables live. In this example, it's /usr/lib/edb-as/15/bin.
Enter:
Enter:
In this example:
Perform your initdb per your database requirements, for example: ./initdb -D dd12 -y.
If all is successful, your output looks like this:
Start your database, and open the postgresql.conf file in the data directory that you passed to initdb with -D. Make sure that data_encryption_key_unwrap_command, which initdb set from the PGDATAKEYUNWRAPCMD value you exported, is present under the Authentication section.
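The following shell script is an added example, not EDB's or Thales' own code, and it ties together the python3 key creation, the encrypt/decrypt verification and the initdb steps above. The client path, config path, bin directory and data directory are the page's example values and can be overridden with environment variables. The client flags (encrypt/decrypt, --out-file, --in-file, --key-uid, --pykmip-config-file, --variant=pykmip) are assumed from the client's usage and should be checked against python3 edb_tde_kmip_client.py --help on your system. %p is the placeholder the server replaces with the path of the wrapped key file, so it must reach the environment variables literally. The round-trip check goes one step beyond the page: it fails not only when the plaintext does not come back but also when the wrapped file still contains the plaintext, which is what you want to catch if a misconfigured command silently copies instead of wrapping.

```shell
#!/bin/sh
# Added example (not EDB's or Thales' own code): create the KMIP key, build
# the wrap/unwrap commands, round-trip a test plaintext, then run initdb.
# Assumed paths and client flags; verify them against your installation.
set -eu

KMIP_CLIENT="${KMIP_CLIENT:-/tmp/edb_tde_kmip_client.py}"
PYKMIP_CONF="${PYKMIP_CONF:-/tmp/pykmip.conf}"
PGBIN="${PGBIN:-/usr/lib/edb-as/15/bin}"
PGDATA_DIR="${PGDATA_DIR:-dd12}"

# Create an AES-256 key on CipherTrust Manager through PyKMIP and print its UID.
# $1 = key name, $2 = pykmip.conf path. Needs network access to the KMIP port.
create_kmip_key() {
  python3 - "$1" "$2" <<'PY'
import sys
from kmip import enums
from kmip.pie import client
name, conf = sys.argv[1], sys.argv[2]
with client.ProxyKmipClient(config_file=conf) as c:
    # ProxyKmipClient.create defaults the usage mask to Encrypt|Decrypt,
    # which is exactly what wrapping the data key needs.
    print(c.create(enums.CryptographicAlgorithm.AES, 256, name=name))
PY
}

# Command templates. %p is expanded by the server to the path of the wrapped
# data-key file, so it is emitted literally (hence %%p inside printf).
wrap_cmd() {   # $1 = key UID
  printf 'python3 %s encrypt --out-file=%%p --key-uid=%s --pykmip-config-file=%s --variant=pykmip' \
    "$KMIP_CLIENT" "$1" "$PYKMIP_CONF"
}
unwrap_cmd() { # $1 = key UID
  printf 'python3 %s decrypt --in-file=%%p --key-uid=%s --pykmip-config-file=%s --variant=pykmip' \
    "$KMIP_CLIENT" "$1" "$PYKMIP_CONF"
}

# Round trip: wrap the word "secret" with template $1, unwrap with template $2
# (both containing %p). Returns 0 only if the plaintext comes back AND the
# wrapped file does not contain it in the clear. Fails closed on any error.
roundtrip_ok() {
  tmp=$(mktemp) || return 1
  w=$(printf '%s' "$1" | sed "s|%p|$tmp|g")
  u=$(printf '%s' "$2" | sed "s|%p|$tmp|g")
  printf 'secret\n' | sh -c "$w" || { rm -f "$tmp"; return 1; }
  if grep -q secret "$tmp"; then rm -f "$tmp"; return 1; fi   # not wrapped at all
  out=$(sh -c "$u") || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  [ "$out" = "secret" ]
}

# Full procedure; run as the database OS user (enterprisedb) with RUN_TDE_SETUP=1.
if [ "${RUN_TDE_SETUP:-0}" = 1 ]; then
  KEY_UID=$(create_kmip_key edbtestkey "$PYKMIP_CONF")
  PGDATAKEYWRAPCMD=$(wrap_cmd "$KEY_UID");     export PGDATAKEYWRAPCMD
  PGDATAKEYUNWRAPCMD=$(unwrap_cmd "$KEY_UID"); export PGDATAKEYUNWRAPCMD
  roundtrip_ok "$PGDATAKEYWRAPCMD" "$PGDATAKEYUNWRAPCMD" \
    || { echo "wrap/unwrap round trip failed; not running initdb" >&2; exit 1; }
  "$PGBIN/initdb" -D "$PGDATA_DIR" -y          # -y enables data encryption
  grep '^data_encryption_key_unwrap_command' "$PGDATA_DIR/postgresql.conf"
fi
```

The guard means the script defines its functions when sourced and only talks to CipherTrust Manager or touches a data directory when RUN_TDE_SETUP=1 is set; the final grep shows the unwrap command that initdb recorded in postgresql.conf, which is what the server runs at every start to recover the data encryption key.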
For more information on how TDE is incorporated with EDB Postgres Advanced Server and EDB Postgres Extended Server, see the EDB Transparent Data Encryption documentation.