Enable encryption

PostgreSQL PG_TDE – Transparent Data Encryption (TDE)
1

I am following the steps in the latest docs to use the pg_tde extension to provide data encryption.

See: Run in Docker - Percona Distribution for PostgreSQL

I am using the Docker Image and I have created a Docker Compose file, as follows:

services:

  # FROM percona/percona-distribution-postgresql:17.5

  postgres:
    container_name: postgres
    build:
      context: ./services/postgres
      dockerfile: Dockerfile
      
    restart: unless-stopped
    command: >
      -c ssl=on 
      -c ssl_cert_file=/var/lib/postgresql/server.crt 
      -c ssl_key_file=/var/lib/postgresql/server.key
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${HAPI_FHIR_DB} -U $${POSTGRES_USER}"]
      start_period: 10s
      interval: 30s
      retries: 5
      timeout: 5s
    ports:
      - 5432:5432
    environment:
      POSTGRES_DB: ${HAPI_FHIR_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      PGSSLMODE: require
      ENABLE_PG_TDE: 1
    env_file:
      - ./.env
    volumes:
      - '${PWD}/certs/cert.pem:/var/lib/postgresql/server.crt'
      - '${PWD}/certs/key.pem:/var/lib/postgresql/server.key'
      - postgres_data:/var/lib/postgresql/data
    networks:
      - hapi_fhir_network

  ...

See: docker-compose.yml

I have made it as far as step 3:

hapi-fhir=# CREATE EXTENSION pg_tde;
CREATE EXTENSION
hapi-fhir=# \dx
                 List of installed extensions
  Name   | Version |   Schema   |         Description          
---------+---------+------------+------------------------------
 pg_tde  | 1.0-rc  | public     | pg_tde access method
 plpgsql | 1.0     | pg_catalog | PL/pgSQL procedural language
(2 rows)

However, I can’t make sense of the ‘Configure a key provider’ step 4:

SELECT pg_tde_add_key_provider_file('file-keyring','/tmp/pg_tde_test_local_keyring.per');

For testing and development, do I need to create a local key file (a File provider) and mount a volume (as per the sever.crt and server.key files) so the container can access to the key file.

What is the format of the local key file?

And the ‘Add a principal key’ step 5:

SELECT pg_tde_set_principal_key('test-db-master-key','file-keyring');

Not sure at all what this is?

2

Ok, so I found this test script: 001_basic.pl

And:

docker exec -it postgres bash

bash-5.1$ psql -U admin -d hapi-fhir
psql (17.5 - Percona Server for PostgreSQL 17.5.1)
Type "help" for help.

hapi-fhir=# \l
                                             List of databases
   Name    | Owner | Encoding  | Locale Provider | Collate | Ctype | Locale | ICU Rules | Access privileges
-----------+-------+-----------+-----------------+---------+-------+--------+-----------+-------------------
 hapi-fhir | admin | SQL_ASCII | libc            | C       | C     |        |           |
 postgres  | admin | SQL_ASCII | libc            | C       | C     |        |           |
 template0 | admin | SQL_ASCII | libc            | C       | C     |        |           | =c/admin         +
           |       |           |                 |         |       |        |           | admin=CTc/admin
 template1 | admin | SQL_ASCII | libc            | C       | C     |        |           | =c/admin         +
           |       |           |                 |         |       |        |           | admin=CTc/admin
(4 rows)

hapi-fhir=# CREATE EXTENSION pg_tde;
CREATE EXTENSION

hapi-fhir=# \dx
                 List of installed extensions
  Name   | Version |   Schema   |         Description
---------+---------+------------+------------------------------
 pg_tde  | 1.0-rc  | public     | pg_tde access method
 plpgsql | 1.0     | pg_catalog | PL/pgSQL procedural language
(2 rows)

hapi-fhir=# SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_001_basic.per');
 pg_tde_add_database_key_provider_file
---------------------------------------
                                     1
(1 row)

hapi-fhir=# SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
 pg_tde_set_key_using_database_key_provider
--------------------------------------------

(1 row)

Please update the docs:

Step 4 - Configure a key provider

PGTDE::psql($node, 'postgres',
	"SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_001_basic.per');"
);

Step 5 - Add (set) a principal key

SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
4

Hi,
Just to confirm, are you saying the issue has been resolved?

5

Hello Robin, thank you for making this post and providing feedback! We’re working on it right now, I’ll make sure to update the docs and I’ll let you know in a follow up when this issue is resolved.

Thank you again!

EDIT: @Robinyo the website has been updated with the correct parameters, thank you very much again! :slight_smile:

6

Dragos noted above that the documentation has been updated :slight_smile:

I used 001_basic.pl to work things out.

What worked for me:

1 Like