Creating a database with TDE

Create a new EDB Postgres Advanced Server cluster with TDE enabled.

  • Set the environment variables to export the wrap and unwrap commands for encryption.
  • Initialize a server with encryption enabled.
  • Start the database server.
  • Verify TDE is enabled.

Worked example

This example uses EDB Postgres Advanced Server 16 running on a Linux platform. It uses OpenSSL to define the passphrase to wrap and unwrap the generated data encryption key.

  1. Set the data encryption key (wrap) and decryption (unwrap) environment variables:

    export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pbkdf2 -pass pass:<password> -out "%p"'
    export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pbkdf2 -pass pass:<password> -in "%p"'
    Note
    • If you're on Windows, you don't need the single quotes around the variable value.
  2. Initialize the cluster using initdb with encryption enabled. This command sets the data_encryption_key_unwrap_command parameter in the postgresql.conf file.

    /usr/edb/as16/bin/initdb --data-encryption -D /var/lib/edb/as16/data 
  3. Start the cluster:

    /usr/edb/as16/bin/pg_ctl -D /var/lib/edb/as16/data start
  4. Run grep on postgresql.conf to verify the setting of data_encryption_key_unwrap_command:

    grep data_encryption_key_unwrap_command /var/lib/edb/as16/data/postgresql.conf
    Output
    data_encryption_key_unwrap_command = 'openssl enc -d -aes-128-cbc -pass pass:<password> -in "%p"'
  5. Verify that data encryption is enabled.