Protect the data encryption key on an existing TDE cluster
If you want to enable key wrapping on TDE-enabled database clusters where key wrapping was previously disabled, update the encryption settings in the postgresql.conf
file.
Context
When you create a TDE-enabled database cluster, initdb generates a data encryption key and stores it in pg_encryption/key.bin
. Since this file is stored in plaintext, TDE requires an additional mechanism to secure the data encryption key. You normally configure the protection of the key as you initialize your TDE-enabled database cluster.
However, you can choose to disable key wrapping for your data encryption key. Although we don't recommend this setup, you might have left your key unprotected to facilitate managing the cluster for testing or demo purposes.
If you disabled key wrapping but later decide to enable a mechanism that secures your encryption key, you can enable it later by updating the encryption settings in the postgresql.conf
file.
Enable key wrapping with a passphrase
This example shows you how to add a passphrase-based protection mechanism or key wrapping to your data encryption key (key.bin
).
Store the passphrase in a file accessible by initdb named
pass.bin
:Important
This example stores the passphrase in plaintext, a method you should only use for testing or demonstration purposes. In production environments, don't store your passphrase in a file. See Using a passphrase for alternative methods.
Use OpenSSL to encrypt the existing
key.bin
data encryption key with the stored passphrase and save the encrypted file askey.bin.WRAP
:Create a backup of the unwrapped data encryption key named
key.bin.NOWRAP
in case you need to roll back to the original configuration:Replace the existing data encryption key with the wrapped version:
Create a backup of the existing configuration file named
postgresql.conf.NOWRAP
in case you need to roll back to the original configuration:Modify the
data_encryption_key_unwrap_command
value of thepostgresql.conf
file with the new command:Create a backup of the modified
postgresql.conf
file that includes the key wrapping namedpostgresql.conf.WRAP
:Restart your database cluster to populate the updated data encryption key configuration:
- On this page
- Context
- Enable key wrapping with a passphrase