Using a key store
You can use the key store in an external key management system to manage the data encryption key. The tested and supported key stores are:
- Amazon AWS Key Management Service (KMS)
- Microsoft Azure Key Vault
- Google Cloud - Cloud Key Management Service
- HashiCorp Vault (KMIP Secrets Engine and Transit Secrets Engine)
- Thales CipherTrust Manager
- Fortanix Data Security Manager
- Entrust KeyControl
To use one of the available key stores, see the configuration examples.
AWS Key Management Service example
Create a key with AWS Key Management Service:
Use the aws kms
command with the alias/pg-tde-master-1
key to wrap and unwrap the data encryption key:
Note
Shell commands with pipes, as in this example, are problematic because the exit status of the pipe is that of the last command. A failure of the first, more interesting command isn't reported properly. Postgres handles this somewhat by recognizing whether the wrap or unwrap command wrote nothing. However, it's better to make this command more robust. For example, use the pipefail
option available in some shells or the mispipe
command available on some operating systems. Put more complicated commands into an external shell script or other program instead of defining them inline.
Azure Key Vault example
Create a key with Azure Key Vault:
Use the az keyvault key
command with the pg-tde-master-1
key to wrap and unwrap the data encryption key:
Note
Shell commands with pipes, as in this example, are problematic because the exit status of the pipe is that of the last command. A failure of the first, more interesting command isn't reported properly. Postgres handles this somewhat by recognizing whether the wrap or unwrap command wrote nothing. However, it's better to make this command more robust. For example, use the pipefail
option available in some shells or the mispipe
command available on some operating systems. Put more complicated commands into an external shell script or other program instead of defining them inline.
Google Cloud KMS example
Create a key with Google Cloud KMS:
Use the gcloud kms
command with the pg-tde-master-1
key to wrap and unwrap the data encryption key:
HashiCorp Vault Transit Secrets Engine example
Enable transit with HashiCorp Vault Transit Secrets Engine:
Create a key and give it a name:
Use the vault write
command with the pg-tde-master-1
key to wrap and unwrap the data encryption key:
Thales CipherTrust Manager example
See Using in the Implementing Thales CipherTrust Manager documentation for instructions on how to wrap the data encryption key with a key from the Thales key store.
Fortanix Data Security Manager example
See Using Fortanix Data Security Manager with EDB Postgres for TDE for a step-by-step configuration tutorial.
Entrust KeyControl integration guide
See the EDB Postgres and Entrust KeyControl integration guide for installation, configuration and usage instructions (including key rotation).