Enterprise Postgres 17 Operation Guide

6.2 Setting the Master Encryption Key

To use transparent data encryption, you must create a keystore and set the master encryption key.

  1. Set the shared_preload_libraries parameter in postgresql.conf to the library name "tde_kms".

    shared_preload_libraries = 'tde_kms'
  2. When using an adapter, register the adapter as a plugin. Specify the directory where the plugin is stored in the tde_kms.plugin_path parameter in postgresql.conf, and store your plugins in this directory. If you want to use the samples, copy them into this directory. The plugin file requires execute permission for the OS user that starts the Fujitsu Enterprise Postgres server.

    tde_kms.plugin_path = '/home/fsepuser/plugin/'
  3. To share the tablespace encryption key, set the tde_kms.enable_shared_dek parameter in postgresql.conf to "on".

    tde_kms.enable_shared_dek = on
  4. Set the tde_kms.kms_conninfo_file parameter in postgresql.conf to a file that contains key management system connection information. Refer to "Appendix A Parameters" for information.

    Example (when the key management system connection information file is kms_conninfo.conf)

    tde_kms.kms_conninfo_file = 'kms_conninfo.conf'

    Example of key management system connection information file

    For type kmip

    kmip   mykmipsvr  mykmipsvr.example.com   5696   cert   sslcert=postgres.crt   sslkey=postgres.key sslrootcert=root.crt

    For type custom (When using the AWS sample plugin)

    custom   mykms   aw-kms-plugin.sh   arg=--profile arg=user1

    For type custom (When using the Azure sample plugin)

    custom   mykms   az-kms-plugin.sh  kms-secret-obf=password.ksc arg=--auth-method arg=password arg=--user-id arg=ApplicationId arg=--tenant arg=TenantId arg=--algorithm arg=A256GCM
  5. Execute a CREATE EXTENSION statement to install the extension.

    CREATE EXTENSION tde_kms;
  6. To enable transparent data encryption, call the pgx_declare_external_master_key function to declare the encryption key to use as the master encryption key. Specify a key ID as an identifier to identify the encryption key. Refer to "B.2.3 pgx_declare_external_master_key" for information on the pgx_declare_external_master_key function.

    SELECT pgx_declare_external_master_key( kms_name => 'mykmipsvr', key_id => 'a0eebc99-9c0b-0000-0000-000000000000', sslpassphrase => 'mykmippassphrase' );
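The steps above leave several things to get right before the first pgx_declare_external_master_key call: every entry in the connection information file must be well formed, a kmip entry must carry its client TLS material, and a custom plugin must exist under tde_kms.plugin_path with execute permission for the server OS user and without being writable by other users. The following pre-flight checker is an added example, not code from the Operation Guide or from Fujitsu Enterprise Postgres. It parses the connection information file using the layout visible in the guide's two examples (type, name, then positional fields and key=value options); the meaning it assigns to the kmip positional fields (host, port, authentication method), its acceptance of '#' comment lines, and the joining of a plugin file name onto the plugin directory are assumptions, so the server's own parser may differ.

```python
"""Pre-flight checks for a tde_kms connection information file and plugin directory (added example)."""
import os
import stat
import tempfile
from dataclasses import dataclass

# Constructed sample of a key management system connection information file.
# The two entries follow the kmip and custom examples in the guide; treating
# '#' lines as comments is an assumption about the format.
SAMPLE_CONNINFO = """\
# constructed sample: one KMIP server and one custom plugin
kmip   mykmipsvr  mykmipsvr.example.com   5696   cert   sslcert=postgres.crt   sslkey=postgres.key sslrootcert=root.crt
custom   mykms   aw-kms-plugin.sh   arg=--profile arg=user1
"""


@dataclass
class KmsEntry:
    kms_type: str   # 'kmip' or 'custom'
    name: str       # the value later passed as kms_name to pgx_declare_external_master_key
    fields: list    # positional tokens after the name (host/port/auth method, or the plugin file)
    options: dict   # key=value tokens; repeated keys such as arg= are kept as ordered lists


def parse_conninfo(text):
    """Split each non-empty, non-comment line into type, name, positional fields and options."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) < 3:
            raise ValueError(f"line {lineno}: expected at least a type, a name and a target")
        positional, options = [], {}
        for tok in tokens[2:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                options.setdefault(key, []).append(value)
            else:
                positional.append(tok)
        entries.append(KmsEntry(tokens[0], tokens[1], positional, options))
    return entries


def check_plugin_file(path):
    """A plugin under tde_kms.plugin_path must exist, be executable and not be world-writable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: plugin file not found"]
    problems = []
    if not st.st_mode & 0o111:          # mode bits rather than os.access(): same answer whoever runs the check
        problems.append(f"{path}: no execute bit set; the server OS user cannot run it")
    if st.st_mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable; any local user could replace the plugin")
    return problems


def validate_entry(entry, plugin_path=None):
    """Structural checks per type; kmip field meanings (host, port, auth method) are inferred from the guide."""
    problems = []
    if entry.kms_type == "kmip":
        if len(entry.fields) < 3:
            problems.append(f"{entry.name}: kmip entry needs host, port and auth method")
        else:
            port = entry.fields[1]
            if not (port.isdigit() and 1 <= int(port) <= 65535):
                problems.append(f"{entry.name}: invalid port {port!r}")
        for opt in ("sslcert", "sslkey", "sslrootcert"):
            if opt not in entry.options:
                problems.append(f"{entry.name}: missing {opt}= for client TLS to the KMIP server")
    elif entry.kms_type == "custom":
        if not entry.fields:
            problems.append(f"{entry.name}: custom entry names no plugin file")
        elif plugin_path is not None:
            problems += check_plugin_file(os.path.join(plugin_path, entry.fields[0]))
    else:
        problems.append(f"{entry.name}: unknown type {entry.kms_type!r}")
    return problems


def validate_conninfo(text, plugin_path=None):
    """All problems for all entries; an empty list means the file passed the checks."""
    return [p for e in parse_conninfo(text) for p in validate_entry(e, plugin_path)]


def demo():
    """Run the checks against the sample with a constructed plugin directory; returns the problem list."""
    with tempfile.TemporaryDirectory() as plugin_dir:
        plugin = os.path.join(plugin_dir, "aw-kms-plugin.sh")
        with open(plugin, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(plugin, 0o600)     # deliberately without the execute bit, to show the finding
        return validate_conninfo(SAMPLE_CONNINFO, plugin_dir)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it against the real file with validate_conninfo(open('kms_conninfo.conf').read(), '/home/fsepuser/plugin/') before executing CREATE EXTENSION; the demo() run reports the missing execute bit on the sample plugin, which is the failure the guide's step 2 warns about.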