Refer to "5.1 Protecting Data Using Encryption". The following describes how transparent data encryption with a key management system differs from operation with the file-based keystore described in "5.1 Protecting Data Using Encryption".
Each tablespace has a tablespace encryption key that encrypts and decrypts all data in it. Tablespace encryption keys are stored encrypted with the master encryption key.
Use an encryption key stored in a key management system as the common master encryption key for your database cluster. Fujitsu Enterprise Postgres refers to the key management system as the keystore for master encryption keys.
Two types of key management systems are available:
kmip
A key management system accessed through KMIP (Key Management Interoperability Protocol), the protocol standardized by OASIS (Organization for the Advancement of Structured Information Standards).
custom
A key management system integrated through an adapter that converts the request format, without using the KMIP protocol.
Sample adapter plugins required for this type are stored at the following locations under the Fujitsu Enterprise Postgres installation directory.
For Amazon Web Services (AWS)
<Install directory>/share/aw-kms-plugin.sh.sample
For Microsoft Azure (Azure)
<Install directory>/share/az-kms-plugin.sh.sample
If you use the provided AWS sample plug-in as is, the following conditions apply.
| Item | Contents |
|---|---|
| Available services | By using the AWS adapter, you can use encryption keys on the Key Management Service (KMS) provided by AWS. There are no regional restrictions as long as the region is supported by AWS KMS. |
| Available AWS KMS keys | The key spec of the KMS key (key spec) must be a symmetric cryptographic key. Asymmetric cryptographic keys cannot be used. Also, the KMS key usage (key usage) must be ENCRYPT_DECRYPT. |
| Required permissions | The user accessing AWS KMS must be permitted to perform the following operations for the KMS key to be used. |
| Key ID | The following can be specified as the key ID. |
| Dependent package | Install AWS CLI on the Fujitsu Enterprise Postgres server. For details, refer to the AWS CLI manual. In addition, the following packages are required. The plugin is executed by the OS user who starts the Fujitsu Enterprise Postgres server. You must set the PATH or modify the script file so that the OS user can execute the aws command and the jq command. |
| CLI configuration | Configure the CLI so that aws commands executed by the OS user that starts the Fujitsu Enterprise Postgres server can access AWS KMS without entering additional credentials. Configuring it this way allows keystores that use this plugin to be opened without entering a KMS secret. |
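The following is an added pre-flight check, not part of the Fujitsu Enterprise Postgres documentation or of aws-kms-plugin.sh.sample, that the OS user starting the server can run to confirm the conditions in the table above: aws and jq are executable via PATH, the CLI is configured so no interactive credentials are needed, and the KMS key is a symmetric key with key usage ENCRYPT_DECRYPT. The function names and the sample describe-key output are constructed for the example.

```shell
#!/bin/sh
# Added example: verifies the AWS-table conditions before the plugin is used.
# Run as the OS user that starts the Fujitsu Enterprise Postgres server.

# Constructed sample of `aws kms describe-key --output json` output (key ID is a placeholder).
SAMPLE_DESCRIBE_KEY='{ "KeyMetadata": { "KeyId": "00000000-0000-0000-0000-000000000000",
  "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled" } }'

# Extract a string field from describe-key JSON on stdin using POSIX sed only,
# so this check itself does not depend on jq. $1 = field name.
json_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Return 0 when the describe-key JSON on stdin describes a key the sample plugin
# can use: KeySpec SYMMETRIC_DEFAULT (asymmetric and HMAC specs are rejected)
# and KeyUsage ENCRYPT_DECRYPT. The reason is printed to stderr otherwise.
kms_key_usable() {
    _json=$(cat)
    _spec=$(printf '%s\n' "$_json" | json_field KeySpec)
    _usage=$(printf '%s\n' "$_json" | json_field KeyUsage)
    if [ "$_spec" != "SYMMETRIC_DEFAULT" ]; then
        echo "key spec '$_spec' is not a symmetric encryption key" >&2
        return 1
    fi
    if [ "$_usage" != "ENCRYPT_DECRYPT" ]; then
        echo "key usage '$_usage' is not ENCRYPT_DECRYPT" >&2
        return 1
    fi
    return 0
}

# Return 0 when every command the sample plugin shells out to is executable by
# the current user through PATH. $@ = command names (for example: aws jq).
tools_on_path() {
    for _cmd in "$@"; do
        command -v "$_cmd" >/dev/null 2>&1 || { echo "missing on PATH: $_cmd" >&2; return 1; }
    done
}

# Live check, run only when a key ID is passed as the first argument.
if [ -n "$1" ]; then
    tools_on_path aws jq || exit 1
    # Fails if the CLI has no credential source that works without prompting.
    aws sts get-caller-identity >/dev/null || exit 1
    aws kms describe-key --key-id "$1" --output json | kms_key_usable && echo "key $1 is usable"
fi
```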
If you use the provided Azure sample plug-in as is, the following conditions apply.
| Item | Contents |
|---|---|
| Available services | The Azure adapter allows you to use any key management service that is accessible through the Azure Key Vault API and that can use symmetric keys. |
| Available keys | Symmetric keys are available. |
| Available algorithms | The following algorithms are available for encryption and decryption operations. |
| Key operations | The user accessing the Azure key management service must be permitted to perform the following operations for the key to be used. |
| Key ID | The following can be specified as the key ID. |
| Dependent package | Install Azure CLI on the Fujitsu Enterprise Postgres server. For details, refer to the Azure CLI manual. In addition, the following packages are required. The plugin is executed by the OS user who starts the Fujitsu Enterprise Postgres server. You must set the PATH or modify the script file so that the OS user can execute the az command and the jq command. |
| Sign in | Sign in to Azure using a service principal. You need the application ID, tenant ID, and credentials to sign in. The available authentication methods are password authentication and certificate-based authentication. |
| Opening the keystore | To open the keystore, you must specify the following as the KMS secret: |
See: Refer to "Key Management System Requirements" in the Installation and Setup Guide for Server for the requirements on key management systems that can be used with Fujitsu Enterprise Postgres.
When an adapter is used to link with a key management system, encryption and decryption of the tablespace encryption key with the master encryption key are performed on the key management system side.
Tablespace encryption keys can be shared within a database cluster, so the key management system does not have to be accessed each time a tablespace encryption key is used.
The cost of encryption and decryption with the master encryption key becomes an issue in the following cases:
- Multiple connections to the database access encrypted tablespaces
- Connections accessing encrypted tablespaces are repeatedly opened and connection pooling is disabled
Key IDs are used as identifiers for encryption keys stored on the key management system.
A key ID is information that identifies an encryption key on the key management system and is unique within that system. The correspondence between the key material (byte string) and the key ID does not change throughout the life cycle of the encryption key.
The name of this identifier differs between key management systems, but in this feature such information is called the key ID.
After transparent data encryption is in operation, the key management system in use can be changed to another key management system.