Securing EPAS TDE Encryption Keys using Azure Key Vault

Anup kumar Gupta

The introduction of Transparent Data Encryption in EPAS 15 brings with it the need to store and manage the encryption keys used by the feature.

One supported option is to use an external key management system to manage the data encryption key. The tested and supported key stores are:

  • Amazon AWS Key Management Service (KMS)
  • Google Cloud - Cloud Key Management Service
  • HashiCorp Vault (KMIP Secrets Engine and Transit Secrets Engine)
  • Microsoft Azure Key Vault
  • Thales CipherTrust Manager

Further, while our example here uses EPAS 15, TDE is supported for all EPAS major versions from 15 onward.

The steps below illustrate how to use Microsoft Azure Key Vault to secure the TDE encryption key.

  1. Install the crypt utility with the commands below. A RHEL 8 machine was used for this test. Because the binary is fetched straight from GitHub, verify its integrity (for example against a checksum published with the release) before making it executable:

curl -SLf# -o /usr/bin/crypt https://github.com/VirtusLab/crypt/releases/download/v0.2.6/crypt-linux-amd64
chmod +x /usr/bin/crypt
crypt --version

  2. Create a key in the Azure Key Vault (the vault itself, pg-tde here, must already exist):

az keyvault key create --vault-name pg-tde --name pg-tde-master-1

  3. Use the Azure Key Vault details of the pg-tde-master-1 key to wrap and unwrap the data encryption key. The wrap and unwrap commands require three details:

  • Vault URL: https://pg-tde.vault.azure.net
  • Key name: pg-tde-master-1
  • Key version: take it from the key's properties in Azure Key Vault (the trailing segment of the key identifier)

  4. Export the wrap and unwrap commands as environment variables. %p is replaced by the path of the wrapped key file: the wrap command receives the data encryption key on standard input and writes the wrapped key to %p, and the unwrap command reads %p and prints the key on standard output:

export PGDATAKEYWRAPCMD='crypt encrypt azure --vaultURL https://pg-tde.vault.azure.net --name pg-tde-master-1 --version fa2bf368449e432085318c5bf666754c --out %p'
export PGDATAKEYUNWRAPCMD='crypt decrypt azure --vaultURL https://pg-tde.vault.azure.net --name pg-tde-master-1 --version fa2bf368449e432085318c5bf666754c --in %p'

  5. Install the EPAS 15 packages.

  6. Initialize the EPAS 15 PGDATA directory with TDE enabled. initdb reads the two variables from its environment, wraps the newly generated data encryption key with PGDATAKEYWRAPCMD, and records PGDATAKEYUNWRAPCMD in postgresql.conf, so the variables must be set for the user that runs initdb:

/usr/edb/as15/bin/initdb --data-encryption -D /var/lib/edb/as15/data

  7. Start the database, either with pg_ctl or through the systemd service:

/usr/edb/as15/bin/pg_ctl -D /var/lib/edb/as15/data start
systemctl start edb-as-15.service

  8. Verify the setting:

grep data_encryption_key_unwrap_command /var/lib/edb/as15/data/postgresql.conf

Output should be:

data_encryption_key_unwrap_command = 'crypt decrypt azure --vaultURL https://pg-tde.vault.azure.net --name pg-tde-master-1 --version fa2bf368449e432085318c5bf666754c --in %p'

  9. Test the above steps locally before applying them to production. If the database starts, the unwrap command can reach the key in the vault and the setup is correct.
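As an added check for the wrap/unwrap step and the final local test (this script is not part of the EDB article or of the crypt project), the POSIX shell function below dry-runs a wrap/unwrap command pair the way EPAS will call it: a freshly generated test key goes to the wrap command on standard input, the wrapped blob lands in the file substituted for %p, and the unwrap command must print the same key back. It also rejects a wrap command that leaves the key readable in the wrapped file. The function name tde_wrap_roundtrip and the exit codes are my own convention; the base64 commands in the usage example are a local stand-in for the crypt commands, used only to exercise the plumbing offline.

```shell
#!/bin/sh
# Added example, not from the EDB article. Dry-run the wrap/unwrap command pair
# before initdb uses it. EPAS passes the data encryption key to the wrap command
# on stdin and expects the wrapped key written to the file substituted for %p;
# the unwrap command reads that file and prints the key on stdout. The same
# %p convention is assumed here; each command runs through `sh -c`.

# substitute_p TEMPLATE PATH: print TEMPLATE with every %p replaced by PATH.
substitute_p() {
    printf '%s\n' "$1" | sed "s|%p|$2|g"
}

# tde_wrap_roundtrip WRAP_TEMPLATE UNWRAP_TEMPLATE
# Exit status: 0 = a fresh test key survives wrap -> unwrap unchanged,
#              1 = a template lacks %p,
#              2 = wrapping failed or left the key readable in the wrapped file,
#              3 = unwrapping did not return the original key (wrong key or
#                  version, missing credentials, wrong vault URL, ...).
tde_wrap_roundtrip() {
    wrap_tpl=$1
    unwrap_tpl=$2
    case $wrap_tpl in *%p*) ;; *) echo "wrap command lacks %p" >&2; return 1 ;; esac
    case $unwrap_tpl in *%p*) ;; *) echo "unwrap command lacks %p" >&2; return 1 ;; esac

    tmpdir=$(mktemp -d) || return 2
    wrapped="$tmpdir/key.wrapped"
    # Constructed 32-byte test key, hex-encoded so it stays printable for comparison.
    key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')

    # Wrap: key on stdin, wrapped blob written to %p (as EPAS calls PGDATAKEYWRAPCMD).
    if ! printf '%s' "$key" | sh -c "$(substitute_p "$wrap_tpl" "$wrapped")"; then
        rm -rf "$tmpdir"
        return 2
    fi
    # An empty wrapped file, or one that still contains the key in clear
    # (e.g. a template like 'cat > %p'), means the wrap step did not protect the key.
    if [ ! -s "$wrapped" ] || grep -q "$key" "$wrapped"; then
        rm -rf "$tmpdir"
        return 2
    fi
    # Unwrap: read %p, key expected on stdout (as data_encryption_key_unwrap_command).
    recovered=$(sh -c "$(substitute_p "$unwrap_tpl" "$wrapped")" 2>/dev/null || true)
    rm -rf "$tmpdir"
    [ "$recovered" = "$key" ] && return 0
    return 3
}

# With the Azure commands exported as in the article, a round trip through
# Key Vault is checked from this shell; nothing runs unless both variables are set.
if [ -n "${PGDATAKEYWRAPCMD:-}" ] && [ -n "${PGDATAKEYUNWRAPCMD:-}" ]; then
    tde_wrap_roundtrip "$PGDATAKEYWRAPCMD" "$PGDATAKEYUNWRAPCMD" \
        && echo "wrap/unwrap round trip through Key Vault OK"
fi
```

Run it in the same shell session, as the same user, in which initdb will later run, so that it exercises the same environment (including whatever crypt needs to authenticate to Azure); a non-zero status identifies which half of the pair is misconfigured before any database files depend on it. The test key never leaves the temporary directory, which is removed on every path.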
