Creating a database with TDE

Create a new EDB Postgres Advanced Server cluster with TDE enabled.

Set the environment variables to export the wrap and unwrap commands for encryption.
Initialize a server with encryption enabled.
Start the database server.
Verify TDE is enabled.

Worked example

This example uses EDB Postgres Advanced Server 15 running on a Linux platform. It uses openssl to define the passphrase to wrap and unwrap the generated data encryption key.

Set the data encryption key (wrap) and decryption (unwrap) environment variables:
```
export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pass pass:ok -out %p'
export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pass pass:ok -in %p'
```
Note
- If you are on Windows you don't need the single quotes around the variable value.
- Ensure you replace ok with the passphrase you want to use to wrap the data encryption key.
Initialize the cluster using initdb with encryption enabled. This command sets the data_encryption_key_unwrap_command parameter in the postgresql.conf file.
```
/usr/edb/as15/bin/initdb --data-encryption -D /var/lib/edb/as15/data 
```

Start the cluster:

/usr/edb/as15/bin/pg_ctl -D /var/lib/edb/as15/data start

Run grep on postgresql.conf to verify the setting of data_encryption_key_unwrap_command:

grep data_encryption_key_unwrap_command /var/lib/edb/as15/data/postgresql.conf

Output

data_encryption_key_unwrap_command = 'openssl enc -d -aes-128-cbc -pass pass:ok -in %p'

Verify that data encryption is enabled.

On this page
Worked example

← Prev

Tutorials

↑ Up

Tutorials

Enabling TDE on an existing EDB Postgres Advanced Server

Creating a database with TDE

Worked example

Note

← Prev

↑ Up

Next →