Protect the data encryption key on an existing TDE cluster

If you want to enable key wrapping on TDE-enabled database clusters where key wrapping was previously disabled, update the encryption settings in the postgresql.conf file.

Context

When you create a TDE-enabled database cluster, initdb generates a data encryption key and stores it in pg_encryption/key.bin. Since this file is stored in plaintext, TDE requires an additional mechanism to secure the data encryption key. You normally configure the protection of the key as you initialize your TDE-enabled database cluster.

However, you can choose to disable key wrapping for your data encryption key. Although we don't recommend this setup, you might have left your key unprotected to facilitate managing the cluster for testing or demo purposes.

If you disabled key wrapping but later decide to enable a mechanism that secures your encryption key, you can enable it later by updating the encryption settings in the postgresql.conf file.

Enable key wrapping with a passphrase

This example shows you how to add a passphrase-based protection mechanism or key wrapping to your data encryption key (key.bin).

  1. Store the passphrase in a file accessible by initdb named pass.bin:

    Important

    This example stores the passphrase in plaintext, a method you should only use for testing or demonstration purposes. In production environments, don't store your passphrase in a file. See Using a passphrase for alternative methods.

    echo "<passphrase>" > /var/lib/postgresql/pass.bin
  2. Use OpenSSL to encrypt the existing key.bin data encryption key with the stored passphrase and save the encrypted file as key.bin.WRAP:

    cat $PGDATA/pg_encryption/key.bin | openssl enc -e -aes-128-cbc -pbkdf2 -pass file:/var/lib/postgresql/pass.bin -out $PGDATA/pg_encryption/key.bin.WRAP
  3. Create a backup of the unwrapped data encryption key named key.bin.NOWRAP in case you need to roll back to the original configuration:

    cp $PGDATA/pg_encryption/key.bin $PGDATA/pg_encryption/key.bin.NOWRAP
  4. Replace the existing data encryption key with the wrapped version:

    cp $PGDATA/pg_encryption/key.bin.WRAP $PGDATA/pg_encryption/key.bin
  5. Create a backup of the existing configuration file named postgresql.conf.NOWRAP in case you need to roll back to the original configuration:

    cp $PGDATA/postgresql.conf $PGDATA/postgresql.conf.NOWRAP
  6. Modify the data_encryption_key_unwrap_command value of the postgresql.conf file with the new command:

    sed -i "s|data_encryption_key_unwrap_command.*|data_encryption_key_unwrap_command = 'openssl enc -d -aes-128-cbc -pbkdf2 -pass file:/var/lib/postgresql/pass.bin -in \"%p\"'|" $PGDATA/postgresql.conf
  7. Create a backup of the modified postgresql.conf file that includes the key wrapping named postgresql.conf.WRAP:

    cp $PGDATA/postgresql.conf $PGDATA/postgresql.conf.WRAP
  8. Restart your database cluster to populate the updated data encryption key configuration:

    pg_ctl start