53.1. Setting up the encryption key

To encrypt a database instance, a key has to come from somewhere. In the case of TDE, the key comes from an external program, which gives you full flexibility over where the key is stored. Ideally the key DOES NOT COME from the local filesystem but from a remote secure keystore.

Before creating your database instance, you have to write some code to make sure that the key can be read by the database during startup and instance creation.

Here is the most simplistic example possible:

    % cat /somewhere/provide_key.sh
    #!/bin/sh
    echo 882fb7c12e80280fd664c69d2d636913

All you need is a program that prints the key to stdout – and that’s it! Make sure that PostgreSQL is able to execute this program:

    % chmod +x /somewhere/provide_key.sh
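A key provider that fetches from a remote keystore instead of hard-coding the key is only a little more code, but it should fail closed: if the keystore is unreachable or returns garbage, the script must print nothing and exit non-zero so PostgreSQL does not start with a bad key. The following is an added example, not the script from the page above; the `TDE_KEYSTORE_URL` and `TDE_CLIENT_CERT` environment variables and the curl-based default fetch are assumptions for illustration, and the fetch command can be passed in as an argument so the script can be tested offline.

```shell
#!/bin/sh
# Key-provider script for TDE (added example, not the page's own code).
# Contract: print exactly one key to stdout and nothing else; all diagnostics
# go to stderr so the key never ends up in a log file.
# Assumed (placeholders, not from the page): the keystore is reachable at
# $TDE_KEYSTORE_URL and curl authenticates with the client cert $TDE_CLIENT_CERT.
DEFAULT_FETCH_CMD='curl --silent --fail --cert "$TDE_CLIENT_CERT" "$TDE_KEYSTORE_URL"'

# Accept only a key of the shape the page's example uses: 32 hex characters.
validate_key() {
    key="$1"
    [ "${#key}" -eq 32 ] || return 1
    case "$key" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# provide_key [FETCH_CMD]: run the fetch command, validate its output, and
# print the key. Any failure prints an error to stderr and returns 1, so the
# caller (PostgreSQL at startup) sees an empty stdout and a non-zero exit.
provide_key() {
    fetch_cmd="${1:-$DEFAULT_FETCH_CMD}"
    key=$(eval "$fetch_cmd" 2>/dev/null) || {
        echo "provide_key: keystore fetch failed" >&2
        return 1
    }
    # Strip stray whitespace a keystore might wrap around the value.
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    validate_key "$key" || {
        echo "provide_key: keystore returned a malformed key" >&2
        return 1
    }
    printf '%s\n' "$key"
}

# Only run when invoked as the provider script itself (e.g. by PostgreSQL),
# so the functions above can also be sourced for testing.
case "$0" in
    *provide_key.sh) provide_key "$@"; exit $? ;;
esac
```

Install it as /somewhere/provide_key.sh, mark it executable as shown above, and export the two variables in the environment PostgreSQL is started from.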