I am following the steps in the latest docs to use the pg_tde
extension to provide data encryption.
See: Run in Docker - Percona Distribution for PostgreSQL
I am using the Docker Image and I have created a Docker Compose file, as follows:
services:
  # FROM percona/percona-distribution-postgresql:17.5
  postgres:
    container_name: postgres
    build:
      context: ./services/postgres
      dockerfile: Dockerfile
    restart: unless-stopped
    command: >
      -c ssl=on
      -c ssl_cert_file=/var/lib/postgresql/server.crt
      -c ssl_key_file=/var/lib/postgresql/server.key
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${HAPI_FHIR_DB} -U $${POSTGRES_USER}"]
      start_period: 10s
      interval: 30s
      retries: 5
      timeout: 5s
    ports:
      - 5432:5432
    environment:
      POSTGRES_DB: ${HAPI_FHIR_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      PGSSLMODE: require
      ENABLE_PG_TDE: 1
    env_file:
      - ./.env
    volumes:
      - '${PWD}/certs/cert.pem:/var/lib/postgresql/server.crt'
      - '${PWD}/certs/key.pem:/var/lib/postgresql/server.key'
      - postgres_data:/var/lib/postgresql/data
    networks:
      - hapi_fhir_network
...
See: docker-compose.yml
I have made it as far as step 3:
hapi-fhir=# CREATE EXTENSION pg_tde;
CREATE EXTENSION
hapi-fhir=# \dx
                    List of installed extensions
  Name   | Version |   Schema   |         Description
---------+---------+------------+------------------------------
 pg_tde  | 1.0-rc  | public     | pg_tde access method
 plpgsql | 1.0     | pg_catalog | PL/pgSQL procedural language
(2 rows)
However, I can’t make sense of the ‘Configure a key provider’ step 4:
SELECT pg_tde_add_key_provider_file('file-keyring','/tmp/pg_tde_test_local_keyring.per');
For testing and development, do I need to create a local key file (a File provider) and mount a volume (as per the server.crt and server.key files) so the container can access the key file?
What is the format of the local key file?
And the ‘Add a principal key’ step 5:
SELECT pg_tde_set_principal_key('test-db-master-key','file-keyring');
Not sure at all what this is?
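As an added illustration (not part of the original post and not Percona's own documentation), this is how the compose file above could give the file key provider its own persistent mount instead of pointing at /tmp inside the container; the volume name `pg_tde_keyring`, the mount path and the keyring file name are assumptions:

```yaml
services:
  postgres:
    # build, command, healthcheck, ports, env_file and networks stay as in
    # the compose file above; only the parts relevant to the keyring are shown.
    environment:
      ENABLE_PG_TDE: 1
    volumes:
      - '${PWD}/certs/cert.pem:/var/lib/postgresql/server.crt'
      - '${PWD}/certs/key.pem:/var/lib/postgresql/server.key'
      - postgres_data:/var/lib/postgresql/data
      # Assumption: a dedicated named volume for the file key provider.
      # /tmp inside the container is discarded with the container, so a
      # keyring there disappears on recreate and the encrypted tables with it.
      # Keeping the keyring on a volume separate from postgres_data also means
      # a copy of the data volume alone does not carry the key that unlocks it.
      # The postgres user inside the container must be able to write here.
      - pg_tde_keyring:/var/lib/postgresql/tde_keyring

volumes:
  postgres_data:
  pg_tde_keyring:
```

With that mount in place, step 4 from the post would reference the mounted path, e.g. `SELECT pg_tde_add_key_provider_file('file-keyring','/var/lib/postgresql/tde_keyring/keyring.per');` (path is an assumption), and step 5 `SELECT pg_tde_set_principal_key('test-db-master-key','file-keyring');` stays as written.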