Cluster encryption can be used if the DBA cannot or does not rely on the file
system in terms of confidentiality. If this feature is enabled, PostgreSQL encrypts
data (both relations and write-ahead log) when writing to disk, and decrypts it
when reading. The encryption is transparent, so the applications see no difference
between the encrypted and unencrypted clusters.
sudo apt-get install libreadline8 libreadline-dev zlibc zlib1g-dev bison flex libssl-dev openssl
Run configure from the source code directory:
You can choose where all files will be installed by passing --prefix. The default is /usr/local/pgsql,
which I am using here as an example. Make sure you enable OpenSSL by passing --with-openssl:
sudo ./configure --prefix=/usr/local/pgsql --with-openssl
sudo make
The above two commands should run without errors. Now we are ready to install:
sudo make install
We can now proceed to initialize the cluster. For that, let’s switch to the
postgres user:
sudo su - postgres
As a good practice, let's add the PostgreSQL binaries to PATH:
export PATH=$PATH:/usr/local/pgsql/bin
To create an encrypted cluster, pass the -K option to the initdb utility. For
example:
initdb -D /usr/local/pgsql/data -K/usr/local/pgsql/keypass
Here /usr/local/pgsql/keypass is an executable file that returns either the
encryption key or the encryption password with the appropriate prefix. In this case, we
are passing the encryption_password (8-16 characters) in a simple executable file
which outputs:
encryption_password=<8-16_passphrase>
$ chmod 755 /usr/local/pgsql/keypass
$ cat /usr/local/pgsql/keypass
echo encryption_password=UrOs2k11CHiGo
Internally, PostgreSQL always uses the encryption key. If the encryption key command returns a
password then a key will be generated from the password using a built-in key derivation
function. Optionally, you can pass encryption_key as a hex encoded 256 bit key from any key store.
$ cat /usr/local/pgsql/keypass
echo encryption_key=<`sh /location/return-key.sh`>
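As an added example (not from the original post or the patch it describes), the following key command script for -K reads a hex-encoded 256-bit key from a permission-restricted file and validates that its output has one of the two forms described above before printing it, so a misconfigured key file fails loudly instead of handing initdb garbage. The key file path /usr/local/pgsql/keyfile and the KEYPASS_FILE variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a key command for initdb -K.
# Reads a hex-encoded 256-bit key from a restricted key file and refuses to
# emit anything that does not look like valid key material.
# KEYPASS_FILE and /usr/local/pgsql/keyfile are assumed names.
KEYPASS_FILE="${KEYPASS_FILE:-/usr/local/pgsql/keyfile}"

# Accept only the two output forms the text describes:
#   encryption_key=<64 hex chars>      (a 256-bit key)
#   encryption_password=<8-16 chars>
# Returns 0 if the line is valid, 1 otherwise.
validate_key_line() {
    case "$1" in
        encryption_key=*)
            key="${1#encryption_key=}"
            [ "${#key}" -eq 64 ] || return 1
            # delete every hex digit; anything left over is not hex
            [ -z "$(printf '%s' "$key" | tr -d '0-9a-fA-F')" ] || return 1
            ;;
        encryption_password=*)
            pw="${1#encryption_password=}"
            [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 16 ] || return 1
            ;;
        *) return 1 ;;
    esac
    return 0
}

# Build the key line from a key file; reject files readable by group/other.
key_line_from_file() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat first, BSD stat as fallback; mode must be owner-only (e.g. 600)
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$perms" in
        [0-7]00) ;;
        *) return 1 ;;
    esac
    hex=$(tr -d '\n\r ' < "$f")
    line="encryption_key=$hex"
    validate_key_line "$line" || return 1
    printf '%s\n' "$line"
}

# Only when installed and invoked as "keypass" (by initdb/pg_ctl): print or fail.
if [ "${0##*/}" = "keypass" ]; then
    key_line_from_file "$KEYPASS_FILE" || { echo "keypass: invalid key material" >&2; exit 1; }
fi
```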
On completion, initdb stores the encryption key command in postgresql.conf. Thus, the user can control
the cluster with pg_ctl without passing the encryption key command every time.
If encryption is enabled, full_page_writes must not be turned off, otherwise the server refuses to start.
This is because the encryption introduces differences between data within a page, and therefore a
server crash during a disk write can result in more serious damage of the page than it would do without
encryption. The whole page needs to be retrieved from WAL in such a case to ensure reliable recovery.
vi postgresql.conf
full_page_writes = on
Once the PostgreSQL server is running, client applications should recognize no difference from an
unencrypted cluster, except that the data_encryption configuration variable is set.
Unlike pg_ctl, some of the server applications (for example pg_waldump) still need the -K option, because
they are not able to read the encryption key command from the postgresql.conf file.
Since WAL is encrypted, any replication solution based on log shipping assumes that all standby servers
are encrypted using the same key as the primary server they replicate from. On the other hand, logical replication allows
replication between encrypted and unencrypted clusters, or between clusters encrypted with different
keys.
To read more about the ongoing discussion on adding TDE in core PostgreSQL,
please check here.
Granthana Biswas
My passion for databases had me working as an Oracle and MySQL DBA initially after graduation until I
was introduced to PostgreSQL 9 years ago. Ever since then I have been working extensively on
PostgreSQL database. I like the simplicity behind the PostgreSQL administration and the various
open source tools that add useful features to PostgreSQL.
What do you think?
By the way: On postgres 12.1 the part with the keypass file
needs to be like this:
Kind regards.
Tobias
Thanks in advance
Thanks in advance.
© 2000–2020 Cybertec Schönig & Schönig GmbH