Using a passphrase
You can protect the data key with a passphrase using the OpenSSL command line utility. The following is an example that sets up this protection:
This example wraps the randomly generated data key (done internally by initdb) by encrypting it with the AES-128-CBC (AESKW) algorithm. The encryption uses a key derived from a passphrase with the PBKDF2 key derivation function and a randomly generated salt. The terminal prompts for the passphrase. (See the openssl-enc manual page for details about these options. Available options vary across versions.) The initdb utility replaces %p
with the name of the file that stores the wrapped key.
The unwrap command performs the opposite operation. initdb doesn't need the unwrap operation. However, it stores it in the postgresql.conf
file of the initialized cluster, which uses it when it starts up.
The key wrap command receives the plaintext key on standard input and needs to put the wrapped key at the file system location specified by the %p
placeholder. The key unwrap command needs to read the wrapped key from the file system location specified by the %p
placeholder and write the unwrapped key to the standard output.
Utility programs like pg_rewind and pg_upgrade operate directly on the data directory or copies, such as backups. These programs also need to be told about the key unwrap command, depending on the circumstances. They each have command line options for this purpose.
Using environment variables to set wrap and unwrap commands
To simplify operations, you can also set the key wrap and unwrap commands in environment variables. These are accepted by all affected applications if you don't provide the corresponding command line options. For example:
Key unwrap commands that prompt for passwords on the terminal don't work when the server is started by pg_ctl or through service managers such as systemd. The server is detached from the terminal in those environments. If you want an interactive password prompt on server start, you need a more elaborate configuration that fetches the password using some indirect mechanism.
For example, for systemd, you can use systemd-ask-password
:
You also need an entry like in /etc/sudoers
:
Providing the passphrase through a file
Another way to simplify operations is to store the passphrase in plaintext, so you can reference the file containing the passphrase when securing the data encryption files.
Important
You should only use this method for testing or demonstration purposes. Don't store your passphrase in a plaintext file for production environments.
Store the passphrase in a file accessible by initdb named
pass.bin
:Reference the file that contains the passphrase when initializing the TDE-enabled database cluster using the
-pass file:<path_to_file>
flag: