diff --git a/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx b/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx index 4d3d0c842ec..61324e0157a 100644 --- a/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx +++ b/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx @@ -103,13 +103,18 @@ In order for Barman to connect via the user specified, we'll need to add the pas ```shell cat <<'EOF' >>~/.pgpass -pg:*:*:barman:example-password -pg:*:*:streaming_barman:example-password +pg:5432:*:barman:example-password +pg:5432:replication:streaming_barman:example-password EOF chmod 0600 ~/.pgpass ``` +Each line in the `.pgpass` file needs to follow below format: +``` +[db_host]:[db_port]:[db_name]:[db_user]:[db_password] +``` +The database name [db_name] for the barman streaming user must be `replication` -Note the change in permissions - this is necessary to protect the visibility of the file, and PostgreSQL will not use it unless permissions are restricted. +**Note the change in permissions** - this is necessary to protect the visibility of the file. PostgreSQL won't use it unless permissions are restricted. !!! Tip Further reading For more details on configuration files, see: [the Configuration section in the Barman guide](http://docs.pgbarman.org/release/2.12/#configuration). diff --git a/product_docs/docs/tde/15/key_stores.mdx b/product_docs/docs/tde/15/key_stores.mdx index 07ecf11c202..3e9ab249215 100644 --- a/product_docs/docs/tde/15/key_stores.mdx +++ b/product_docs/docs/tde/15/key_stores.mdx @@ -1,5 +1,7 @@ --- title: Securing the data encryption key +description: Learn how to secure your data with an encryption key. +deepToC: true --- 
@@ -61,16 +63,17 @@ postgres ALL = NOPASSWD: /usr/bin/systemd-ask-password You can use the key store in an external key management system to manage the data encryption key. The tested and supported key stores are: - Amazon AWS Key Management Service (KMS) +- Microsoft Azure Key Vault - Google Cloud - Cloud Key Management Service - HashiCorp Vault (KMIP Secrets Engine and Transit Secrets Engine) -- Microsoft Azure Key Vault - Thales CipherTrust Manager +- Fortanix Data Security Manager - +To use one of the available key stores, see the configuration examples. ### AWS Key Management Service example -Create a key with AWS Key Management Service: +Create a key with [AWS Key Management Service](https://docs.aws.amazon.com/kms/): ```shell aws kms create-key @@ -88,7 +91,7 @@ PGDATAKEYUNWRAPCMD='aws kms decrypt --key-id alias/pg-tde-master-1 --ciphertext- ### Azure Key Vault example -Create a key with Azure Key Vault: +Create a key with [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/): ```shell az keyvault key create --vault-name pg-tde --name pg-tde-master-1 @@ -105,7 +108,7 @@ PGDATAKEYUNWRAPCMD='az keyvault key decrypt --name pg-tde-master-1 --vault-name ### Google Cloud KMS example -Create a key with Google Cloud KMS: +Create a key with [Google Cloud KMS](https://cloud.google.com/kms/docs): ```shell gcloud kms keys create pg-tde-master-1 --location=global --keyring=pg-tde --purpose=encryption 
@@ -120,17 +123,29 @@ PGDATAKEYUNWRAPCMD='gcloud kms decrypt --plaintext-file=- --ciphertext-file=%p - ### HashiCorp Vault Transit Secrets Engine example +Enable transit with [HashiCorp Vault Transit Secrets Engine](https://developer.hashicorp.com/vault/docs): + ```shell -# enable once vault secrets enable transit +``` + +Create a key and give it a name: -# create a key (pick a name) +```shell vault write -f transit/keys/pg-tde-master-1 +``` + +Use the `vault write` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key: +``` PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p' PGDATAKEYUNWRAPCMD='vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- < %p | base64 -d' ``` +### Fortanix Data Security Manager example + +See [Using Fortanix Data Security Manager with EDB Postgres for TDE](https://support.fortanix.com/docs/using-fortanix-data-security-manager-with-edb-postgres-for-tde) for a step-by-step configuration tutorial. + ## Key rotation To change the master key, manually run the unwrap command specifying the old key. Then feed the result into the wrap command specifying the new key. Equivalently, if the data key is protected by a passphrase, to change the passphrase, run the unwrap command using the old passphrase. Then feed the result into the wrap command using the new passphrase. You can perform these operations while the database server is running. The wrapped data key in the file is used only on startup. It isn't used while the server is running. diff --git a/src/constants/updates.js b/src/constants/updates.js index bf1b43ea125..815bf8966d7 100644 --- a/src/constants/updates.js +++ b/src/constants/updates.js 
@@ -7,7 +7,7 @@ export const updates = [ description: "LiveCompare 3.0 is now available with improved performance, easier to configure Oracle support, and enhanced documentation. ", url: "/livecompare/latest/", - moreUrl: "/livecompare/latest/rel_notes/3.0_rel_notes/", + moreUrl: "/livecompare/latest/rel_notes/3.0.1_rel_notes/", }, { title: "Trusted Postgres Architect 23.34", @@ -16,7 +16,6 @@ export const updates = [ "TPA 23.34 includes enhanced support for EFM, PEM and pgBouncer, and a new output plugin which improves readability of TPA progress.", url: "/tpa/latest/", moreUrl: "/tpa/latest/rel_notes/tpa_23.34_rel_notes/", - }, { title: "EDB Postgres Enterprise Manager 9.7",
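Review bot: in the `.pgpass` hunk of step02-backup-setup.mdx, the added sentence "Each line in the `.pgpass` file needs to follow below format:" should read "Each line in the `.pgpass` file must follow the format below:", and "must be `replication`" at the end of the paragraph is missing its period. The format fence is a bare ``` while the rest of this page tags its fences (```shell); tag it ```text so it renders consistently. The removed lines used `*` in the database field, which also matches, so "must be `replication`" overstates it; say instead that the entry is narrowed to the replication connection on purpose (and why), or soften it to "should".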
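Review bot: in the key-store list hunk of key_stores.mdx, moving Microsoft Azure Key Vault above Google Cloud breaks the alphabetical order the list had; if the intent is to mirror the order of the example sections, Thales CipherTrust Manager is then the one entry with no example below it, and the new sentence "To use one of the available key stores, see the configuration examples." would be more useful as links to those sections or with a note of which key stores have one. Dropping the stray empty "- " bullet is good.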
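Review bot: in the HashiCorp Vault hunk of key_stores.mdx, the last code block (the one holding PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD) is opened with a bare ``` while the two new blocks above it and every other key-store example use ```shell; add the tag. The removed comment "# enable once" carried a detail the new lead sentence drops: "Enable transit with ..." should say that enabling the Transit secrets engine is a one-time step per Vault server, and the link would serve readers better if it pointed at the Transit secrets engine page rather than the Vault docs root.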
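Review bot: in the first updates.js hunk, `moreUrl` now points at `3.0.1_rel_notes` while the `description` two lines above still says "LiveCompare 3.0 is now available"; either update the description (and title) to 3.0.1 or keep the link to the 3.0 release notes so the card and its link agree. While touching this entry, drop the trailing space inside the description string ("enhanced documentation. ").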