Oracle Key Vault as KMIP server for pg_tde

PostgreSQL PG_TDE – Transparent Data Encryption (TDE)
1

Hi all,

I am in the process to setup Oracle Key Vault (KMIP 1.1 compliant) as KMS for pg_tde
The documentation at KMIP Configuration - Percona Transparent Data Encryption for PostgreSQL has an error in the sequence of parameters for pg_tde_add_global_key_provider_kmip as the server certificate should be the last parameter as documented in Functions - Percona Transparent Data Encryption for PostgreSQL

That task is completed:

test=# SELECT pg_tde_add_database_key_provider_kmip(
‘OKV’,
‘10.0.0.107’,
5696,
‘/var/lib/pgsql/pg_okv/ssl/cert.pem’,
‘/var/lib/pgsql/pg_okv/ssl/key.pem’,
‘/var/lib/pgsql/pg_okv/ssl/CA.pem’
);

SELECT pg_tde_add_global_key_provider_kmip(
‘OKV’,
‘10.0.0.107’,
5696,
‘/var/lib/pgsql/pg_okv/ssl/cert.pem’,
‘/var/lib/pgsql/pg_okv/ssl/key.pem’,
‘/var/lib/pgsql/pg_okv/ssl/CA.pem’
);
pg_tde_add_database_key_provider_kmip

(1 row)

pg_tde_add_global_key_provider_kmip

(1 row)

Next step would be to create/use a key but this fails and in the trace of Key Vault I can only see a locate happening and nothing else.

First I tried (before creating a symmetric key in OKV to run
test=# SELECT pg_tde_create_key_using_database_key_provider(
‘percona-key’,
‘OKV’
);
ERROR: KMIP server reported error on register symmetric key: -1

In OKV I only see a “locate” happening and no attempt to create a key.

Next I created a key named in OKV and then when I run “set key” I see this:
test=# SELECT pg_tde_set_key_using_database_key_provider(
‘percona’,
‘OKV’
);
WARNING: KMIP server LOCATEd key, but GET failed with -2
ERROR: could not successfully query key provider “OKV”

And again in the OKV side only a LOCATE can be found.

Am I missing a step?
How can I debug this on the pg_tde side?

Kind regards,
Frank van der Borden

2

Hi @fborden ,

Thank you for reaching out!

From the steps shared, what I can tell is that the steps looks fine. Note, you do not need to create the key manually on the OKV. The pg_tde_create_key_using_database_key_provider() should create the key on the Oracle Key Vault. Once the key is created, then using the set_key function, we use the key.

To investigate this further, I would like to setup OKV. Could you please share the steps on how to set it up on Linux.

Secondly, if you could share the server logs, it would help in debugging.

Thanks,
Mohit J

3

Hello Mohit,

I am in CET TZ. Can we do a zoom tomorrow to debug this?

4

Hello all,

the problem is resolved. I will create a youtube recording of the configuration.
the issue was that I had to create a key that is “Extractable” in OKV. After this I was able to use

SELECT pg_tde_set_key_using_database_key_provider(
‘percona’,
‘OKV’);

without the need to do the create_key command from PG.

Now
test=# CREATE TABLE albums (
album_id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
artist_id INTEGER,
title TEXT NOT NULL,
released DATE NOT NULL
) USING tde_heap;
CREATE TABLE

and

test=# SELECT pg_tde_is_encrypted(‘albums’);
pg_tde_is_encrypted

t

do show that it is working.

5

Thank you @fborden for the update. Glad to know that you were able to setup TDE successfully. However, I would still like to know if create_key function did not create the key on OKV ?

Keep using PostgreSQL and happy to assist!