Initial Secret/Token Exposed in Plain Text in the Data File

Classic secret 0 problem

The pg_tde extension works like a charm for at-rest encryption of the data files of tables created with “USING pg_tde”, but I have some concerns about the lack of obfuscation/encryption of the token stored in the pg_tde_key_provider table.

If the token itself is encrypted, then it would require user intervention to first decrypt the token to be usable by pgsql. The token file is intended to be protected at the OS level so that only the database process can access it. This is no different than storing your SSL cert key alongside the webserver config. You will want to integrate Vault for key storage if you are concerned about the security of the token file.

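The reply above rests on one condition: the token file must actually be readable only by the database OS user, exactly like a TLS private key next to a web server config. The script below is an added example, not part of this thread and not pg_tde's own tooling, that checks a token file for that condition before you hand its path to the extension. It assumes the caller supplies the file path and the expected owner name, talks only to the filesystem (never to PostgreSQL or Vault), and uses constructed placeholder token files for the demo.

```shell
#!/bin/sh
# Added example (not from pg_tde or the forum thread): verify that a
# key-provider token file is protected at the OS level -- owned by the
# database user and with no group/other permission bits -- before
# registering it with pg_tde. The path and owner are caller-supplied
# assumptions; the demo token contents are constructed and meaningless.

# Print "<octal mode> <owner>" for a file; GNU stat first, BSD stat as fallback.
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1" 2>/dev/null
}

# check_token_file PATH OWNER
# Returns 0 when PATH is a regular file owned by OWNER with mode 0600 or
# 0400; returns 1 otherwise and explains why on stderr.
check_token_file() {
    path=$1
    owner=$2
    if [ ! -f "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    # Word-split "<mode> <owner>" into the positional parameters.
    set -- $(file_mode_owner "$path")
    mode=$1
    actual_owner=$2
    if [ "$actual_owner" != "$owner" ]; then
        echo "wrong owner: $path is owned by $actual_owner, expected $owner" >&2
        return 1
    fi
    # Drop leading zeros so "0600" and "600" compare the same.
    mode=$(printf '%s' "$mode" | sed 's/^0*//')
    case "$mode" in
        600|400) return 0 ;;
        *)
            echo "too permissive: $path has mode $mode, expected 600 or 400" >&2
            return 1 ;;
    esac
}

# Demo with constructed files: one locked down correctly, one world-readable.
demo() {
    dir=$(mktemp -d)
    me=$(id -un)
    printf 'not-a-real-token\n' > "$dir/good.tok"   # constructed placeholder
    chmod 600 "$dir/good.tok"
    printf 'not-a-real-token\n' > "$dir/bad.tok"    # constructed placeholder
    chmod 644 "$dir/bad.tok"                         # readable by every local user
    check_token_file "$dir/good.tok" "$me" && echo "good.tok: OK"
    check_token_file "$dir/bad.tok" "$me" || echo "bad.tok: REJECTED"
    rm -rf "$dir"
}

demo
```

Run it as the database OS user (for example `postgres`) against the real token path and it reports a world-readable or wrongly owned file before the extension ever reads it. Mode 0600 or 0400 with the correct owner is the same bar you would apply to a TLS private key; if that bar is not acceptable for your threat model, the Vault integration mentioned above keeps the secret off the local disk altogether.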

Please also take a look at our support for external parameters (Use reference to external parameters - pg_tde documentation), which allows you to store the vault secret key anywhere else, in any way, and retrieve it using an HTTP call or a file stored elsewhere.