See below for CLI configuration:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
For key management services that support symmetric keys, see below.
https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys#key-types-and-protection-methods
For more information about Azure Key Management Services, see below.
https://learn.microsoft.com/en-us/azure/security/fundamentals/key-management#azure-key-management-services
For more information about service principals, see below.
https://learn.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli#4-sign-in-using-a-service-principal
The following additional options can be specified for the sample plug-in for AWS. These options can be specified as extra-args in the KMS connection information file.
--config config-file: Specify the path of the AWS CLI configuration file. If omitted, the default path of the AWS CLI will be used.
--credentials credentials-file: Specify the path to the AWS CLI authentication information file. If omitted, the default path of the AWS CLI will be used.
--profile profile-name: Specify the profile to use in the AWS CLI configuration file and credentials file. If omitted, the AWS CLI default profile will be used.
The following additional options can be specified for the sample plug-in for Azure. These options can be specified as extra-args in the KMS connection information file.
--auth-method (password|cert): Specify the authentication method. (password: password authentication, cert: certificate-based authentication)
--user-id user-id: Specify the application ID.
--user-cert cert-file: For certificate-based authentication, specify the path to the certificate file.
--tenant tenant-id: Specify the tenant ID.
--algorithm algorithm: Specify the algorithm to be used.
If an error occurs in the operation of the plugin, a message will be output to the server log.
You can view information about the encryption key being used by executing the following command as the OS user running the Fujitsu Enterprise Postgres server.
When using the sample plug-in for AWS
aws kms describe-key --key-id Key ID
When using the sample plug-in for Azure
az keyvault key show --id Key ID
The service principal may need to sign in periodically. If the OS user who starts the Fujitsu Enterprise Postgres server is already signed in to Azure due to the environment settings, the credentials passed from Fujitsu Enterprise Postgres will not be used when using the plugin. They will only be used when periodic sign-in becomes necessary. If the KMS secret specified when opening the KMS connection information file or keystore is incorrect, the error will be detected when periodic sign-in becomes necessary, so check in advance that the specified information is correct.
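One way to check the Azure settings in advance, as the paragraph above recommends. This is an added example, not code from the plug-in or from Fujitsu. The function names and the SP_SECRET variable are hypothetical, and requiring both --user-id and --tenant is an assumption of this check.

```bash
# Added example (not the plug-in's code): validate Azure extra-args, then
# prove the credentials with a sign-in that ignores any cached session.
check_azure_args() {   # sets AUTH, APPID, CERT, TENANT
  AUTH= APPID= CERT= TENANT=
  while [ $# -gt 0 ]; do
    case "$1" in
      --auth-method) AUTH=${2-} ;;
      --user-id)     APPID=${2-} ;;
      --user-cert)   CERT=${2-} ;;
      --tenant)      TENANT=${2-} ;;
      --algorithm)   : ;;  # valid option, not needed for sign-in
      *) echo "unknown option: $1" >&2; return 2 ;;
    esac
    [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 2; }
    shift 2
  done
  case "$AUTH" in
    password) ;;
    cert) [ -r "$CERT" ] || { echo "--user-cert not readable" >&2; return 3; } ;;
    *) echo "--auth-method must be password or cert" >&2; return 3 ;;
  esac
  # Assumption: the pre-flight sign-in needs both IDs.
  [ -n "$APPID" ] && [ -n "$TENANT" ] || { echo "need --user-id and --tenant" >&2; return 4; }
}

# usage: SP_SECRET=... preflight_azure KEY_ID extra-args...
# SP_SECRET is a hypothetical variable holding the password (password auth).
preflight_azure() {
  key_id=$1; shift
  check_azure_args "$@" || return
  if [ "$AUTH" = cert ]; then
    # Older az releases take the certificate path via --password instead.
    set -- --certificate "$CERT"
  else
    [ -n "${SP_SECRET-}" ] || { echo "SP_SECRET not set" >&2; return 5; }
    set -- --password "$SP_SECRET"
  fi
  # A throwaway AZURE_CONFIG_DIR hides the OS user's existing sign-in, so a
  # wrong secret fails now rather than at the next periodic sign-in.
  cfg=$(mktemp -d) || return
  if AZURE_CONFIG_DIR=$cfg az login --service-principal --username "$APPID" \
       --tenant "$TENANT" "$@" --output none &&
     AZURE_CONFIG_DIR=$cfg az keyvault key show --id "$key_id" --output none
  then rc=0; else rc=1; fi
  rm -rf "$cfg"
  return "$rc"
}
```

With password authentication the secret appears on the az command line while the check runs, so run it in a session where other users cannot list processes.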