Enable encryption

I am following the steps in the latest docs to use the pg_tde extension to provide data encryption.

See: Run in Docker - Percona Distribution for PostgreSQL

I am using the Docker Image and I have created a Docker Compose file, as follows:

services:

  # FROM percona/percona-distribution-postgresql:17.5

  postgres:
    container_name: postgres
    build:
      context: ./services/postgres
      dockerfile: Dockerfile
      
    restart: unless-stopped
    command: >
      -c ssl=on 
      -c ssl_cert_file=/var/lib/postgresql/server.crt 
      -c ssl_key_file=/var/lib/postgresql/server.key
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${HAPI_FHIR_DB} -U $${POSTGRES_USER}"]
      start_period: 10s
      interval: 30s
      retries: 5
      timeout: 5s
    ports:
      - 5432:5432
    environment:
      POSTGRES_DB: ${HAPI_FHIR_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      PGSSLMODE: require
      ENABLE_PG_TDE: 1
    env_file:
      - ./.env
    volumes:
      - '${PWD}/certs/cert.pem:/var/lib/postgresql/server.crt'
      - '${PWD}/certs/key.pem:/var/lib/postgresql/server.key'
      - postgres_data:/var/lib/postgresql/data
    networks:
      - hapi_fhir_network

  ...

See: docker-compose.yml

I have made it as far as step 3:

hapi-fhir=# CREATE EXTENSION pg_tde;
CREATE EXTENSION
hapi-fhir=# \dx
                 List of installed extensions
  Name   | Version |   Schema   |         Description          
---------+---------+------------+------------------------------
 pg_tde  | 1.0-rc  | public     | pg_tde access method
 plpgsql | 1.0     | pg_catalog | PL/pgSQL procedural language
(2 rows)

However, I can’t make sense of the ‘Configure a key provider’ step 4:

SELECT pg_tde_add_key_provider_file('file-keyring','/tmp/pg_tde_test_local_keyring.per');

For testing and development, do I need to create a local key file (a File provider) and mount a volume (as per the server.crt and server.key files) so the container can access the key file?

What is the format of the local key file?

And the ‘Add a principal key’ step 5:

SELECT pg_tde_set_principal_key('test-db-master-key','file-keyring');

Not sure at all what this is?

Ok, so I found this test script: 001_basic.pl

And:

docker exec -it postgres bash

bash-5.1$ psql -U admin -d hapi-fhir
psql (17.5 - Percona Server for PostgreSQL 17.5.1)
Type "help" for help.

hapi-fhir=# \l
                                             List of databases
   Name    | Owner | Encoding  | Locale Provider | Collate | Ctype | Locale | ICU Rules | Access privileges
-----------+-------+-----------+-----------------+---------+-------+--------+-----------+-------------------
 hapi-fhir | admin | SQL_ASCII | libc            | C       | C     |        |           |
 postgres  | admin | SQL_ASCII | libc            | C       | C     |        |           |
 template0 | admin | SQL_ASCII | libc            | C       | C     |        |           | =c/admin         +
           |       |           |                 |         |       |        |           | admin=CTc/admin
 template1 | admin | SQL_ASCII | libc            | C       | C     |        |           | =c/admin         +
           |       |           |                 |         |       |        |           | admin=CTc/admin
(4 rows)

hapi-fhir=# CREATE EXTENSION pg_tde;
CREATE EXTENSION

hapi-fhir=# \dx
                 List of installed extensions
  Name   | Version |   Schema   |         Description
---------+---------+------------+------------------------------
 pg_tde  | 1.0-rc  | public     | pg_tde access method
 plpgsql | 1.0     | pg_catalog | PL/pgSQL procedural language
(2 rows)

hapi-fhir=# SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_001_basic.per');
 pg_tde_add_database_key_provider_file
---------------------------------------
                                     1
(1 row)

hapi-fhir=# SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
 pg_tde_set_key_using_database_key_provider
--------------------------------------------

(1 row)

Please update the docs:

Step 4 - Configure a key provider

PGTDE::psql($node, 'postgres',
	"SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_001_basic.per');"
);

Step 5 - Add (set) a principal key

SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
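For readers following the thread, here is the complete sequence carried through to an encrypted table and a verification query. This is an added example, not code from the original post, the 001_basic.pl test or the Percona docs; it reuses the provider and key names above, while the keyring path and the table name are constructed. Note that the OP's own run shows nothing has to be pre-created at the keyring path: the extension manages that file.

```sql
-- Added example (not from the original post or the pg_tde docs):
-- a development-only walkthrough run in psql as a superuser, using the
-- provider/key names from the thread. The keyring path and the table
-- are constructed for this example.

CREATE EXTENSION IF NOT EXISTS pg_tde;

-- Register a file key provider. The keyring file is managed by pg_tde,
-- so nothing has to be created or mounted by hand before this call.
-- Caveat: if this file is lost, every table encrypted under it becomes
-- unreadable, so outside throwaway testing keep it on a persistent volume
-- (not /tmp) and back it up separately from the data directory.
SELECT pg_tde_add_database_key_provider_file(
    'file-vault',
    '/var/lib/postgresql/tde/file-vault.per');   -- assumed path

-- Create a principal key in that provider and make it the active key for
-- this database. On success it returns an empty row, as in the thread.
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');

-- Encryption applies only to relations created with the tde_heap access
-- method; existing heap tables are left untouched.
CREATE TABLE patient_note (           -- constructed table name
    id   bigserial PRIMARY KEY,
    body text NOT NULL
) USING tde_heap;

-- Optional: make tde_heap the default for everything created in this
-- session (or set default_table_access_method in postgresql.conf).
SET default_table_access_method = tde_heap;

-- Checks: which providers this database has, and whether the new table
-- is actually encrypted (these two functions are assumed to be present
-- in the 1.0-rc release shown in the thread).
SELECT * FROM pg_tde_list_all_database_key_providers();
SELECT pg_tde_is_encrypted('patient_note');
```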

Hi,
Just to confirm, are you saying the issue has been resolved?

Hello Robin, thank you for making this post and providing feedback! We’re working on it right now, I’ll make sure to update the docs and I’ll let you know in a follow up when this issue is resolved.

Thank you again!

EDIT: @Robinyo the website has been updated with the correct parameters, thank you very much again! :slight_smile:

Dragos noted above that the documentation has been updated :slight_smile:

I used 001_basic.pl to work things out.

What worked for me:
