After you configure all of the Hashicorp Vault certificates, you can use them with your EDB Postgres distribution.
Note
This content is intended for versions 15.2 and later of EDB Postgres Advanced Server and versions 15.2 and later of EDB Postgres Extended Server. Only these versions support transparent data encryption (TDE).
To implement Hashicorp Vault secrets engine with your EDB Postgres distribution, make sure that you have the following downloaded to your system:
edb-tde-kmip-client downloaded from your EDB Repos access
You need to copy all of the .pem files that you created in Configuring Hashicorp Vault—key.pem, cert.pem, and ca.pem—to the system where your EDB Postgres distribution is installed. For this example, all of the .pem files and the edb_tde_kmip_client.py program are in the /tmp/ directory.
Check prerequisites and download edb-tde-kmip-client
Ensure that you have the prerequisite software (Python and Pykmip) installed on your system.
To install the edb-tde-kmip-client on your system, assume root user and issue the install command for edb-tde-kmip-client. This example installs it on a RHEL8 server: dnf install edb-tde-kmip-client.
Some output is returned that looks like the following:
Create the pykmip.conf file
On your system where you have your EDB Postgres distribution, navigate to the directory where you saved your .pem files and the edb_tde_kmip_client.py client.
In that directory, create a file called pykmip.conf and input the following settings:
Host
Port
Keyfile
Certfile
Ca_certs
For example:
Note
For more information on the pykmip.conf file and its contents, see the PyKMIP documentation.
Create a key on the Hashicorp Vault secrets engine
On your system where you have your EDB Postgres distribution, assume root user to create the key on the Hashicorp Vault secrets engine.
Enter python3, and then input the following, making adjustments per your system setup and directory paths:
If this runs without error, then your key was successfully created. (You can't view keys that you create in Hashicorp Vault.)
Verify encryption and decryption
To ensure that the key you created can encrypt and decrypt data, run the following commands as the root user on the system with your EDB Postgres distribution:
If this command is successful, it produces the output of secret:
Perform initdb for the database
After you complete the previous steps, you can export the PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD environment variables to wrap and unwrap your encryption key, and then initialize your database.
Log in to your EDB Postgres distribution as the superuser. For our example, use the enterprisedb user: sudo su - enterprisedb.
Navigate to the /bin directory where your executables are. In this example, it's /usr/lib/edb-as/15/bin.
Enter export PGDATAKEYWRAPCMD='python3 /tmp/edb_tde_kmip_client.py encrypt --pykmip-config-file=/tmp/pykmip.conf --key-uid=key_output_here --out-file=%p --variant=pykmip'
Enter export PGDATAKEYUNWRAPCMD='python3 /tmp/edb_tde_kmip_client.py decrypt --pykmip-config-file=/tmp/pykmip.conf --key-uid=key_output_here --in-file=%p --variant=pykmip'
Perform your initdb per your database requirements, for example: ./initdb -D dd12 -y.
If all is successful, your output looks like this:
Start your database and navigate to your data directory to view the postgresql.conf file. Make sure that your data_encryption_key_unwrap_command, which you set with your export PGDATAKEYUNWRAPCMD, is present under the Authentication section.
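As an added example (not part of EDB's documentation or of edb-tde-kmip-client), this Python harness exercises the contract behind the two exported commands before initdb relies on it: the server substitutes %p with a file path, the wrap command reads the data key on stdin and writes the wrapped key to %p, and the unwrap command reads %p and writes the key to stdout; it also extracts data_encryption_key_unwrap_command from postgresql.conf text for the final check. The base64 stand-in commands are constructed so the harness runs without Vault; replace key_output_here in the templates with your real key UID to test the actual KMIP path.

```python
import os
import re
import subprocess
import sys
import tempfile

# The two command templates from this page; key_output_here stands in for the
# key UID returned when the key was created on the Vault secrets engine.
WRAP_TEMPLATE = ("python3 /tmp/edb_tde_kmip_client.py encrypt --pykmip-config-file=/tmp/pykmip.conf "
                 "--key-uid=key_output_here --out-file=%p --variant=pykmip")
UNWRAP_TEMPLATE = ("python3 /tmp/edb_tde_kmip_client.py decrypt --pykmip-config-file=/tmp/pykmip.conf "
                   "--key-uid=key_output_here --in-file=%p --variant=pykmip")

# Constructed offline stand-ins (base64 is NOT protection) so the harness runs without Vault.
STUB_WRAP = (sys.executable + ' -c "import sys,base64;open(sys.argv[1],\'wb\')'
             '.write(base64.b64encode(sys.stdin.buffer.read()))" %p')
STUB_UNWRAP = (sys.executable + ' -c "import sys,base64;sys.stdout.buffer.write('
               'base64.b64decode(open(sys.argv[1],\'rb\').read()))" %p')
# A broken wrap command that copies the key to %p unchanged; the harness must reject it.
STUB_PLAINTEXT_WRAP = (sys.executable + ' -c "import sys;open(sys.argv[1],\'wb\')'
                       '.write(sys.stdin.buffer.read())" %p')

def expand_template(template, path):
    """The server substitutes %p with the wrapped-key file path; nothing else is expanded."""
    return template.replace("%p", path)

def roundtrip(wrap_cmd, unwrap_cmd, key):
    """Wrap (key on stdin -> %p) then unwrap (%p -> stdout); True only on an exact, non-plaintext round trip."""
    with tempfile.TemporaryDirectory() as tmpdir:
        wrapped = os.path.join(tmpdir, "pg_data_key.wrapped")
        subprocess.run(expand_template(wrap_cmd, wrapped), shell=True, input=key, check=True)
        if not os.path.isfile(wrapped):
            return False  # wrap command never produced the file initdb would read
        with open(wrapped, "rb") as fh:
            if fh.read() == key:
                return False  # "wrapped" file holds the data key in the clear
        out = subprocess.run(expand_template(unwrap_cmd, wrapped), shell=True,
                             capture_output=True, check=True)
        return out.stdout == key

def unwrap_command_from_conf(conf_text):
    """Return data_encryption_key_unwrap_command from postgresql.conf text, or None if absent."""
    m = re.search(r"^\s*data_encryption_key_unwrap_command\s*=\s*'((?:[^']|'')*)'",
                  conf_text, re.MULTILINE)
    return m.group(1).replace("''", "'") if m else None

if __name__ == "__main__":
    print("stand-in round trip:", roundtrip(STUB_WRAP, STUB_UNWRAP, os.urandom(32)))
```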