The introduction of Transparent Data Encryption (TDE) in EPAS 15 brings with it the need to store and manage the encryption keys used by the feature.
One supported option is to use an external key management system to manage the data encryption key. The tested and supported key stores are:
- Amazon AWS Key Management Service (KMS)
- Google Cloud - Cloud Key Management Service
- HashiCorp Vault (KMIP Secrets Engine and Transit Secrets Engine)
- Microsoft Azure Key Vault
- Thales CipherTrust Manager
Further, while our example here uses EPAS 15, TDE is supported for all EPAS major versions from 15 onward.
The steps below illustrate how to use Microsoft Azure Key Vault to secure the TDE encryption key.
- Install the crypt utility using the commands below. Here, we have used a RHEL 8 machine to perform the test:
curl -SLf# -o /usr/bin/crypt https://github.com/VirtusLab/crypt/releases/download/v0.2.6/crypt-linux-amd64
chmod +x /usr/bin/crypt
crypt --version
- Create the key in your Azure key vault (here the vault is named pg-tde and the key pg-tde-master-1):
az keyvault key create --vault-name pg-tde --name pg-tde-master-1
- Use the details of the pg-tde-master-1 key in Azure Key Vault to wrap and unwrap the data encryption key. The wrap and unwrap commands require three details:
  - Vault URL: https://pg-tde.vault.azure.net
  - Key name: pg-tde-master-1
  - Version: the key version identifier, taken from Azure Key Vault
- Export the variables that initdb reads for wrapping and unwrapping the data encryption key with the Azure key:
export PGDATAKEYWRAPCMD='crypt encrypt azure --vaultURL https://pg-tde.vault.azure.net --name pg-tde-master-1 --version fa2bf368449e432085318c5bf666754c --out %p'
export PGDATAKEYUNWRAPCMD='crypt decrypt azure --vaultURL https://pg-tde.vault.azure.net --name pg-tde-master-1 --version fa2bf368449e432085318c5bf666754c --in %p'
- Install the EPAS 15 packages.
- Initialize the EPAS 15 PGDATA directory with TDE enabled, in the same shell where the variables were exported:
/usr/edb/as15/bin/initdb --data-encryption -D /var/lib/edb/as15/data
- Start the database using pg_ctl or the systemctl service:
/usr/edb/as15/bin/pg_ctl -D /var/lib/edb/as15/data start
systemctl start edb-as-15.service
- Verify the setting:
grep data_encryption_key_unwrap_command /var/lib/edb/as15/data/postgresql.conf
The output should be:
data_encryption_key_unwrap_command = 'crypt decrypt azure --vaultURL https://pg-tde.vault.azure.net --name pg-tde-master-1 --version fa2bf368449e432085318c5bf666754c --in %p'
- Test the above steps locally before applying them to production. If the database starts, the unwrap command works and the setup is correct.
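As an added example (not part of the EDB article), a POSIX shell check that exercises a wrap/unwrap command pair end to end before initdb is ever run, so a broken vault URL, key name or version is caught early rather than at database start. It assumes the EPAS contract that the wrap command reads the plaintext key on stdin and writes the wrapped key to the file substituted for %p, and the unwrap command reads that file and writes the plaintext key to stdout; call it as check_key_roundtrip "$PGDATAKEYWRAPCMD" "$PGDATAKEYUNWRAPCMD" with the Azure commands above.

```shell
#!/bin/sh
# Round-trip check for an EPAS TDE key wrap/unwrap command pair (added example).
# Assumed contract (as documented for EPAS TDE): wrap reads the key on stdin and
# writes to the path substituted for %p; unwrap reads that path and writes the
# key to stdout. Returns 0 when the recovered key equals the original, 1 otherwise.
check_key_roundtrip() {
    wrap_cmd=$1
    unwrap_cmd=$2
    tmpdir=$(mktemp -d) || return 1
    # Constructed sample key: 32 random bytes, hex-encoded so it compares safely as text.
    key=$(head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n')
    wrapped="$tmpdir/wrapped.key"
    # Substitute the %p placeholder with the wrapped-key path, as EPAS does.
    wrap_expanded=$(printf '%s' "$wrap_cmd" | sed "s|%p|$wrapped|g")
    unwrap_expanded=$(printf '%s' "$unwrap_cmd" | sed "s|%p|$wrapped|g")
    # Wrap: feed the plaintext key on stdin, expect the wrapped file to appear.
    printf '%s' "$key" | sh -c "$wrap_expanded" || { rm -rf "$tmpdir"; return 1; }
    # A wrap command that merely copies its input would still round-trip, so
    # reject any "wrapped" file that is identical to the plaintext key.
    if [ "$(cat "$wrapped")" = "$key" ]; then rm -rf "$tmpdir"; return 1; fi
    # Unwrap: the command must print exactly the original key on stdout.
    recovered=$(sh -c "$unwrap_expanded")
    rm -rf "$tmpdir"
    [ "$recovered" = "$key" ]
}
```

The test below stands in base64 for the crypt/Azure commands so the check runs offline; against the real vault the same call also confirms that the credentials the server will run under can reach the key.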