INSTALL POSTGRESQL 9.6 WITH TRANSPARENT DATA ENCRYPTION

Posted on 2019-06-18 by Granthana Biswas

Cluster encryption can be used if the DBA cannot or does not trust the file system to keep data
confidential. If this feature is enabled, PostgreSQL encrypts data (both relations and write-ahead
log) when writing to disk, and decrypts it when reading. The encryption is transparent, so applications
see no difference between encrypted and unencrypted clusters.

POSTGRESQL 9.6 WITH TDE ON UBUNTU


In this blog, we go through the basic steps used to install PostgreSQL 9.6 with Transparent Data
Encryption (TDE) on Ubuntu. You can download the patch for this here.

Create the data directory for PostgreSQL. Just for example, I am creating it at the default location:

sudo mkdir -p /usr/local/pgsql/data
sudo chown postgres:postgres /usr/local/pgsql/data

Install the libraries for readline, bison, flex, openssl, zlib and crypto:

sudo apt-get install libreadline8 libreadline-dev zlibc zlib1g-dev bison flex libssl-dev openssl
Run configure from the source code directory. You can choose where all files will be installed by
passing --prefix. The default is /usr/local/pgsql, which I am using here for example. Make sure you
enable openssl by passing --with-openssl:

sudo ./configure --prefix=/usr/local/pgsql --with-openssl
sudo make

The above two commands should run without errors. Now we are ready to install:

sudo make install
We can now proceed to initialize the cluster. For that, let's switch to the postgres user:

sudo su - postgres

As a good practice, let's add the PostgreSQL binaries to PATH:

export PATH=$PATH:/usr/local/pgsql/bin

To create an encrypted cluster, pass the -K option to the initdb utility. For example:

initdb -D /usr/local/pgsql/data -K/usr/local/pgsql/keypass

Here /usr/local/pgsql/keypass is an executable file that returns either the encryption key or the
encryption password, with the appropriate prefix. In this case, we are passing the encryption_password
(8-16 characters) from a simple executable file which outputs:

encryption_password=<8-16_passphrase>

$ chmod 755 /usr/local/pgsql/keypass
$ cat /usr/local/pgsql/keypass
echo encryption_password=UrOs2k11CHiGo
Internally, PostgreSQL always uses the encryption key. If the encryption key command returns a
password, then a key will be generated from the password using a built-in key derivation function.
Optionally, you can pass encryption_key as a hex-encoded 256-bit key from any key store:

$ cat /usr/local/pgsql/keypass
echo encryption_key=<`sh /location/return-key.sh`>
On completion, initdb stores the encryption key command in postgresql.conf. Thus, the user can control
the cluster using pg_ctl without passing the encryption key command again and again.
If encryption is enabled, full_page_writes must not be turned off, otherwise the server refuses to start.
This is because the encryption introduces differences between data within a page, and therefore a
server crash during a disk write can result in more serious damage to the page than it would without
encryption. The whole page needs to be retrieved from WAL in such a case to ensure reliable recovery.

vi postgresql.conf
full_page_writes = on
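As an added example (not code from the blog post or from the Cybertec TDE patch), the following POSIX shell script checks the two points above before you run initdb: that the -K key command is an executable that prints one line with either an encryption_password= of 8-16 characters or a hex-encoded 256-bit encryption_key=, and that full_page_writes has not been turned off in postgresql.conf. The prefixes, the passphrase length and the full_page_writes rule are taken from the text; the function names, the sample configuration lines and the temporary paths are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the blog post or from the Cybertec TDE patch.
# Pre-flight checks for an encrypted PostgreSQL 9.6 TDE cluster, based on what the post states:
#   - the -K key command is an executable that prints one line, either
#     "encryption_password=<8-16 chars>" or "encryption_key=<hex-encoded 256-bit key>";
#   - full_page_writes must stay on, or the encrypted server refuses to start.
# Assumption: postgresql.conf uses the usual "name = value  # comment" syntax.

# validate_key_output LINE: exit status 0 if LINE is an acceptable key-command output.
validate_key_output() {
    line=$1
    case $line in
        encryption_password=*)
            secret=${line#encryption_password=}
            # the post describes the passphrase as 8-16 characters
            if [ "${#secret}" -ge 8 ] && [ "${#secret}" -le 16 ]; then return 0; fi
            return 1 ;;
        encryption_key=*)
            secret=${line#encryption_key=}
            # 256 bits, hex encoded, is exactly 64 hex digits and nothing else
            [ "${#secret}" -eq 64 ] || return 1
            case $secret in *[!0-9a-fA-F]*) return 1 ;; esac
            return 0 ;;
        *)  return 1 ;;
    esac
}

# check_key_command PATH: run the key command the way initdb/pg_ctl would and validate its output.
check_key_command() {
    cmd=$1
    if [ ! -x "$cmd" ]; then
        echo "key command $cmd is missing or not executable" >&2
        return 1
    fi
    out=$("$cmd") || return 1
    validate_key_output "$out"
}

# check_full_page_writes CONF: 0 if the effective full_page_writes setting is on
# (unset means the PostgreSQL default, which is on), 1 if it was turned off.
check_full_page_writes() {
    conf=$1
    val=$(awk -F= '
        /^[ \t]*full_page_writes[ \t]*=/ {
            v = $2
            sub(/#.*/, "", v)            # drop trailing comment
            gsub(/[^A-Za-z0-9]/, "", v)  # drop quotes and whitespace
            last = tolower(v)            # last assignment in the file wins
        }
        END { print (last == "" ? "on" : last) }' "$conf")
    case $val in
        on|true|yes|1) return 0 ;;
        *) echo "full_page_writes is '$val' in $conf; it must be on for an encrypted cluster" >&2
           return 1 ;;
    esac
}

# tde_preflight KEYCMD CONF: run both checks; non-zero if either fails.
tde_preflight() {
    rc=0
    check_key_command "$1" || rc=1
    check_full_page_writes "$2" || rc=1
    return $rc
}

# Usage with the paths from the post:
#   tde_preflight /usr/local/pgsql/keypass /usr/local/pgsql/data/postgresql.conf
```

The key command is executed rather than read, because that is how initdb and pg_ctl consume it: a file that merely contains the passphrase, or a script that is not executable, fails with "not found" exactly as one of the comments below reports. The full_page_writes check takes the last uncommented assignment in the file, which is how PostgreSQL itself resolves duplicate settings.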
 
Once the PostgreSQL server is running, client applications should recognize no difference from an
unencrypted cluster, except that the data_encryption configuration variable is set.
Unlike pg_ctl, some of the server applications (for example pg_waldump) must be given the -K option
explicitly, because they are not able to read the key command from the postgresql.conf file.
 
Since WAL is encrypted, any replication solution based on log shipping assumes that all standby servers
are encrypted using the same key as their primary server. On the other hand, logical replication allows
replication between encrypted and unencrypted clusters, or between clusters encrypted with different
keys.
 
To read more about the ongoing discussion on adding TDE in core PostgreSQL,
please check here.

Granthana Biswas
My passion for databases had me working as an Oracle and MySQL DBA initially after graduation, until I
was introduced to PostgreSQL 9 years ago. Ever since then I have been working extensively on the
PostgreSQL database. I like the simplicity behind PostgreSQL administration and the various
open source tools that add useful features to PostgreSQL.
Tobias Ernst • 5 days ago

Thanks for this nice post.
Can you share any experiences running "transparent data encryption-psql" as a docker container?

By the way: On postgres 12.1 the part with the keypass file needs to be like this:

export ENCRYPTION_PASSWORD="echo {your-32-char-key}"
echo $ENCRYPTION_PASSWORD > /usr/local/pgsql/keypass
/usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data -K/usr/local/pgsql/keypass

Please tell me if I'm wrong, but encryption_password=key didn't work. Moreover, if the key is not
exactly 32 characters long, the error is either "key too short" or "key too long".

Kind regards.

Tobias

pedro pol • 12 days ago

Hi, when I run

initdb -D /usr/local/pgsql/data -K/usr/local/pgsql/keypass

I get the error:

running bootstrap script ... sh: 1: /usr/local/pgsql/keypass: not found

keypass doesn't exist.

I've compiled postgresql-9.6.12-tde.tar.gz. make and make install were executed correctly, but keypass
was not created.

Thanks in advance

Hans-Jürgen Schönig Staff > pedro pol • 12 days ago

Hello. You have to write the script to provide the key. The binary is not there by default.

pedro pol > Hans-Jürgen Schönig • 11 days ago

Thank you. Now I see that it was explained in the blog. 🤦

Eric • 2 months ago

Hi Team,
1) Is there a way to do the same with PostgreSQL 10 or 11?
2) How can I verify that the data is well encrypted?

Thanks in advance

kranthi • 4 months ago

Hi Team,

Can the same TDE be installed on RHEL, or only on Ubuntu?

Please suggest.

kranthi • 4 months ago

I am getting this error when I tried:

-sh-4.2$ initdb -D /data/postgre/db2 -K/data/postgre/key/keypass
initdb: invalid option -- 'K'
Try "initdb --help" for more information.
-sh-4.2$

Can you suggest how you encrypted postgres at instance level?

Thanks in advance.

Hans-Jürgen Schönig Staff > kranthi • 4 months ago

I assume you are using "normal" PostgreSQL and not our TDE version.

kranthi > Hans-Jürgen Schönig • 4 months ago

Yes, not the TDE version. How to get it? And can't we do instance encryption for normal postgres?

kranthi > kranthi • 4 months ago

Hi Hans,

I have copied the software from
https://www.cybertec-postgr...
and I am trying to install it. Can you provide some installation steps?

Thanks for your help in advance.

Ganeshan Guruswamy • 5 months ago

I was able to build and install postgres. But when I created a table and inserted some rows, I was
still able to do a select and see all the plain data as a user of the postgres db. I thought I
should see encrypted data, meaning jumbled data. When I do