PostgreSQL 12.x TDE is a version of PostgreSQL which supports transparent data encryption. In many practical business cases it is necessary to encrypt data on disk. PostgreSQL TDE has been designed to do exactly that in the most efficient way possible.
Here we will show you how to install PostgreSQL TDE from source on Linux and Mac OS X by explaining the following steps:
In order to download PostgreSQL TDE, you can go to our website and download the latest tar file. If you prefer to use the command line, you can also simply use “wget” to get the file. Here is an example:
1 |
<span style="font-weight: 300;">wget https://download.cybertec-postgresql.com/postgresql-12.3_TDE_1.0.tar.gz</span><span style="font-weight: 300;"> </span> |
Once you have downloaded the file, you can easily unpack it. Here is how it works:
1 |
<span style="font-weight: 300;">tar xvfz postgresql-12.3_TDE_1.0.tar.gz</span><span style="font-weight: 300;"> </span> |
A directory will be created containing the entire source code of PostgreSQL TDE. Enter the directory and execute the following command:
For Mac OS X:
1 2 3 4 5 6 |
<span style="font-weight: 300;">./configure --prefix=/Users/hs/pg12tde </span><span style="font-weight: 300;"> </span> <span style="font-weight: 300;"> --with-openssl </span> <span style="font-weight: 300;"> --with-perl </span> <span style="font-weight: 300;"> --with-python --with-ldap </span> <span style="font-weight: 300;"> CPPFLAGS="-I$(brew --prefix openssl)/include" </span> <span style="font-weight: 300;"> LDFLAGS="-L$(brew --prefix openssl)/lib"</span> |
⎟ Note: On OS X, it makes sense to install HomeBrew to make sure that you can install all the dependencies first to compile the code. It is the easiest way to get all the software to compile and run PostgreSQL.
For Linux:
On Linux, compiling PostgreSQL is pretty straight forward. Make sure that all the dependencies outlined in the documentation are met. Then run:
1 2 |
<span style="font-weight: 300;">./configure --prefix=/usr/local/pg12tde --with-openssl --with-perl </span> <span style="font-weight: 300;"> --with-python --with-ldap</span> |
If something goes wrong during configuring, it is very likely that you have missed a package.
Once the “configure” step has been executed successfully, you can easily compile the code:
1 2 3 |
<span style="font-weight: 300;">make install</span> <span style="font-weight: 300;">cd contrib</span> <span style="font-weight: 300;">make install</span> |
If you want to use more than one CPU core, you can add the -j flag to “make” to compile code in parallel.
Usually the code is compiled within 1 or 2 minutes.
PostgreSQL is now ready, and you can already prepare your server infrastructure by adjusting the $PATH environment variables so you can easily access the database.
Key management is an important aspect. To encrypt a database instance, a key to do so has to come from somewhere. In case of PostgreSQL TDE, the key is coming from an flexible external program. Ideally the key DOES NOT COME from the local filesystem but from remote secure keystore.
Before creating your database instance, you have to write some code to make sure that the key can be read by the database during startup and instance creation.
Here is the most simplistic example possible:
1 2 3 |
<span style="font-weight: 300;">% cat /somewhere/provide_key.sh #!/bin/sh echo 882fb7c12e80280fd664c69d2d636913</span> |
All you need is a program that prints the key to stdout – and that’s it! Make sure that PostgreSQL is able to execute this program:
1 |
<span style="font-weight: 300;"> % chmod +x /somewhere/provide_key.sh</span><span style="font-weight: 300;"> </span> |
⎟ Note: You don’t have to write a shell script – you can use any kind of executable such as a C, Go or Python.
Once the desired key management is in place, we can start to create the database instance. The beauty is that all it takes is a single line and PostgreSQL will do all the magic for you:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
<span style="font-weight: 300;"> % initdb -D /some_path/db12tde -K /somewhere/provide_key.sh</span><span style="font-weight: 300;"> </span> <span style="font-weight: 300;"> The files belonging to this database system will be owned by user "hs".</span> <span style="font-weight: 300;"> This user must also own the server process.</span> <span style="font-weight: 300;"> The database cluster will be initialized with locale "C".</span> <span style="font-weight: 300;"> The default database encoding has accordingly been set to "SQL_ASCII".</span> <span style="font-weight: 300;"> The default text search configuration will be set to "english".</span> <span style="font-weight: 300;"> Data page checksums are disabled.</span> <span style="font-weight: 300;"> Data encryption is enabled.</span> <span style="font-weight: 300;"> creating directory /some_path/db12tde ... ok</span> <span style="font-weight: 300;"> creating subdirectories ... ok</span> <span style="font-weight: 300;"> selecting dynamic shared memory implementation ... posix</span> <span style="font-weight: 300;"> selecting default max_connections ... 100</span> <span style="font-weight: 300;"> selecting default shared_buffers ... 128MB</span> <span style="font-weight: 300;"> selecting default time zone ... Europe/Berlin</span> <span style="font-weight: 300;"> creating configuration files ... ok</span> <span style="font-weight: 300;"> running bootstrap script ... ok</span> <span style="font-weight: 300;"> performing post-bootstrap initialization ... ok</span> <span style="font-weight: 300;"> syncing data to disk ... ok</span> <span style="font-weight: 300;"> initdb: warning: enabling "trust" authentication for local connections</span> <span style="font-weight: 300;"> You can change this by editing pg_hba.conf or using the option -A, or</span> <span style="font-weight: 300;"> --auth-local and --auth-host, the next time you run initdb.</span> <span style="font-weight: 300;"> Success. You can now start the database server using:</span> <span style="font-weight: 300;"> pg_ctl -D /some_path/db12tde -l logfile start</span> |
The difference between PostgreSQL and PostgreSQL TDE is that there is an optional -K option. Otherwise there is no difference. If you pass the name of your key management executable to initdb, all the magic will happen automatically. There is nothing more to do and you can normally start the database:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
<span style="font-weight: 300;"> % pg_ctl -D /some_path/db12tde start</span> <span style="font-weight: 300;"> 2020-01-29 11:54:19.131 CET [42193] LOG: starting PostgreSQL 12.3_TDE_1.0 on</span> <span style="font-weight: 300;"> x86_64-apple-darwin19.2.0, compiled by Apple clang version 11.0.0 (clang-1100.0.33.17),</span> <span style="font-weight: 300;"> 64-bit</span> <span style="font-weight: 300;"> 2020-01-29 11:54:19.132 CET [42193] LOG: listening on IPv6 address "::1", port 5432</span> <span style="font-weight: 300;"> 2020-01-29 11:54:19.132 CET [42193] LOG: listening on IPv4 address "127.0.0.1", port</span> <span style="font-weight: 300;"> 5432</span> <span style="font-weight: 300;"> 2020-01-29 11:54:19.133 CET [42193] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"</span> <span style="font-weight: 300;"> waiting for server to start.…</span> <span style="font-weight: 300;"> 2020-01-29 11:54:19.151 CET [42197] LOG: database system was shut down at 2020-01-29</span><span style="font-weight: 300;"> </span> <span style="font-weight: 300;"> 11:54:05 CET</span> <span style="font-weight: 300;"> 2020-01-29 11:54:19.154 CET [42193] LOG: database system is ready to accept connections</span> <span style="font-weight: 300;"> done</span> <span style="font-weight: 300;"> server started</span> |
There is no need for additional parameters. Everything has been wired for you in the background already.
You can download the installation guide “INSTALLING POSTGRESQL 12.X TDE FROM SOURCE” here:
Download TDE installation guide >>
Please report any bugs directly to bugs-tde@cybertec.at!
The reason why you don’t need additional parameters is that initdb has already added the configuration to postgresql.conf for you:
1 2 |
<span style="font-weight: 300;"> % grep encryption_key postgresql.conf</span><span style="font-weight: 300;"> </span> <span style="font-weight: 300;"> encryption_key_command = '/somewhere/provide_key.sh'</span> |
postgresql.conf already has the information to fetch the key on startup. The advantage is that you don’t have to adapt existing scripts. The only change you have to make is to add one more parameter to initdb. Et voilá – you are done.
IS MY DATABASE SERVER ENCRYPTED?
The most obvious and most common question at this point is: “Is that really everything? How can I figure out that my server is really encrypted?” To do that, you can make use of pg_controldata, which is a program extracting useful information out of your database server. Keep in mind that pg_controldata has NOTHING to do with TDE – it is there anyway.
In case of PostgreSQL TDE, pg_controldata produces slightly more information than usual:
1 2 3 |
<span style="font-weight: 300;"> % pg_controldata /some_where/ | grep -i encryp</span> <span style="font-weight: 300;"> Data encryption: on</span> <span style="font-weight: 300;"> Data encryption fingerprint: 740A905130FE614CE0BE36B612157A09</span> |
As you can see, encryption is on and your data is secure.
However, if you don’t have access to the machine via SSH, there is a second way to see if data is encrypted:
1 2 3 4 5 |
<span style="font-weight: 300;"> test=# SHOW data_encryption;</span> <span style="font-weight: 300;"> data_encryption</span><span style="font-weight: 300;"> </span> <span style="font-weight: 300;"> ----------------</span> <span style="font-weight: 300;"> on</span> <span style="font-weight: 300;"> (1 row)</span> |
PostgreSQL TDE offers an additional variable. data_encryption on / off will also tell you whether the database has been encrypted or not.
If you want to learn more, we recommend visiting our website on a regular basis and follow us on Twitter (@PostgresSupport). We will keep you updated on recent developments. Also keep in mind that CYBERTEC provides commercial 24×7 support for PostgreSQL TDE.
If you have any questions feel free to contact us!
+43 (0) 2622 93022-0
office@cybertec.at
You need to load content from reCAPTCHA to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Facebook. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from X. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More Information