initdb TDE options

To enable encryption, use the following options with the initdb command.

Option: --data-encryption or -y

Adds transparent data encryption when initializing a database server.

Supported values

You can optionally specify an AES key length in the form of --data-encryption[=KEYLEN].

Valid values are 128 and 256. The default is 128.

Option: --key-wrap-command=<command>

Provides the wrapping/encryption command to protect the data encryption key.

Supported values

<command> is customizable, but it must contain the placeholder %p. See Wrapping commands for examples and information. See Securing the data encryption key for an overview of available wrapping mechanisms.

If you don't use this option, TDE falls back on the environment variable PGDATAKEYWRAPCMD.

If you don't want to apply a wrapping mechanism, use -.

Option: --key-unwrap-command=<command>

Provides the unwrapping/decryption command to access the data encryption key.

Supported values

<command> is customizable, but it must contain the placeholder %p. See Configuring wrapping commands for examples and information.

If you don't use this option, TDE falls back on the environment variable PGDATAKEYUNWRAPCMD.

If you didn't apply a wrapping mechanism, use - .

Option: --no-key-wrap

Disables the key wrapping. The data encryption key is instead stored in plaintext in the data directory. (This option is a shortcut for setting both the wrap and the unwrap command to the special value -.)

Note

Using this option isn't secure. Only use it for testing purposes.

If you select data encryption and don't specify this option, then you must provide a key wrap and unwrap command. Otherwise, initdb terminates with an error.

Supported values

The --no-key-wrap option doesn't require specifying any values.

Option: --copy-key-from=<file>

Copies an existing data encryption key from the provided location, for example, when reusing a key from an existing server during an upgrade with pg_upgrade.

Supported values

<file> is the directory to the existing key. Normally, encryption keys are stored in pg_encryption/key.bin.