Disabling the key wrapping

Suggest edits

If you don't want key wrapping, for example, for testing purposes, you can use either one of the following options to disable key wrapping:

You can set the wrap and unwrap commands to the special value - when initializing the cluster with initdb. For example, with the flags --key-wrap-command=- and --key-unwrap-command=-.
Or you can disable key wrapping when initializing the cluster with initdb by adding the flag --no-key-wrap.

With either one of the configurations, TDE generates encryption key files, but leaves them unprotected.

For intidb --data-encryption to run successfully, you have to either specify a wrapping/unwrapping command, set a fallback environment variable with wrapping/unwrapping commands, or disable key wrapping with the one of the previous mechanisms. Otherwise, the creation of an encrypted database cluster will fail.

Note

If you want to enable key wrapping on TDE-enabled database clusters where key wrapping was previously disabled, see Enabling a mechanism to protect the data encryption key.

← Prev

Using a key store

↑ Up

Securing the data encryption key

Rotating the data encryption key

Disabling the key wrapping

Note

← Prev

↑ Up

Next →