From 1c29a727b3bc0767e190ad299cdc3f0696473366 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Fri, 27 Sep 2024 15:18:54 +0200 Subject: [PATCH 1/5] Added Fortanix as available TDE key store --- product_docs/docs/tde/15/key_stores.mdx | 29 +++++++++++++++++++------ 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/product_docs/docs/tde/15/key_stores.mdx b/product_docs/docs/tde/15/key_stores.mdx index 07ecf11c202..3e9ab249215 100644 --- a/product_docs/docs/tde/15/key_stores.mdx +++ b/product_docs/docs/tde/15/key_stores.mdx @@ -1,5 +1,7 @@ --- title: Securing the data encryption key +description: Learn how to secure your data with an encryption key. +deepToC: true --- @@ -61,16 +63,17 @@ postgres ALL = NOPASSWD: /usr/bin/systemd-ask-password You can use the key store in an external key management system to manage the data encryption key. The tested and supported key stores are: - Amazon AWS Key Management Service (KMS) +- Microsoft Azure Key Vault - Google Cloud - Cloud Key Management Service - HashiCorp Vault (KMIP Secrets Engine and Transit Secrets Engine) -- Microsoft Azure Key Vault - Thales CipherTrust Manager +- Fortanix Data Security Manager - +To use one of the available key stores, see the configuration examples. ### AWS Key Management Service example -Create a key with AWS Key Management Service: +Create a key with [AWS Key Management Service](https://docs.aws.amazon.com/kms/): ```shell aws kms create-key @@ -88,7 +91,7 @@ PGDATAKEYUNWRAPCMD='aws kms decrypt --key-id alias/pg-tde-master-1 --ciphertext- ### Azure Key Vault example -Create a key with Azure Key Vault: +Create a key with [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/): ```shell az keyvault key create --vault-name pg-tde --name pg-tde-master-1 
@@ -105,7 +108,7 @@ PGDATAKEYUNWRAPCMD='az keyvault key decrypt --name pg-tde-master-1 --vault-name ### Google Cloud KMS example -Create a key with Google Cloud KMS: +Create a key with [Google Cloud KMS](https://cloud.google.com/kms/docs): ```shell gcloud kms keys create pg-tde-master-1 --location=global --keyring=pg-tde --purpose=encryption @@ -120,17 +123,29 @@ PGDATAKEYUNWRAPCMD='gcloud kms decrypt --plaintext-file=- --ciphertext-file=%p - ### HashiCorp Vault Transit Secrets Engine example +Enable transit with [HashiCorp Vault Transit Secrets Engine](https://developer.hashicorp.com/vault/docs): + ```shell -# enable once vault secrets enable transit +``` + +Create a key and give it a name: -# create a key (pick a name) +```shell vault write -f transit/keys/pg-tde-master-1 +``` + +Use the `vault write` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key: +``` PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p' PGDATAKEYUNWRAPCMD='vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- < %p | base64 -d' ``` +### Fortanix Data Security Manager example + +See [Using Fortanix Data Security Manager with EDB Postgres for TDE](https://support.fortanix.com/docs/using-fortanix-data-security-manager-with-edb-postgres-for-tde) for a step-by-step configuration tutorial. + ## Key rotation To change the master key, manually run the unwrap command specifying the old key. Then feed the result into the wrap command specifying the new key. Equivalently, if the data key is protected by a passphrase, to change the passphrase, run the unwrap command using the old passphrase. Then feed the result into the wrap command using the new passphrase. You can perform these operations while the database server is running. The wrapped data key in the file is used only on startup. It isn't used while the server is running. From 900a4b07981dece4988326bc22550c44953f5479 Mon Sep 17 00:00:00 2001 
From: Sergio Borghese Date: Fri, 20 Oct 2023 15:59:48 +0200 Subject: [PATCH 2/5] Update step02-backup-setup.mdx fix to .pgpass template - using `*` instead of `replication` does not work as we receive the following errors: ``` connection to server at "192.168.1.20", port 5432 failed: fe_sendauth: no password supplied ``` --- .../single-server-streaming/step02-backup-setup.mdx | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx b/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx index 4d3d0c842ec..74678ec655d 100644 --- a/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx +++ b/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx @@ -103,13 +103,18 @@ In order for Barman to connect via the user specified, we'll need to add the pas ```shell cat <<'EOF' >>~/.pgpass -pg:*:*:barman:example-password -pg:*:*:streaming_barman:example-password +pg:5432:*:barman:example-password +pg:5432:replication:streaming_barman:example-password EOF chmod 0600 ~/.pgpass ``` +Each line in the `.pgpass` file need to follow below format: +``` +[db_host]:[db_port]:[db_name]:[db_user]:[db_password] +``` +Also note that the database name [db_name] for the barman streaming user MUST be `replication` -Note the change in permissions - this is necessary to protect the visibility of the file, and PostgreSQL will not use it unless permissions are restricted. +**Note the change in permissions** - this is necessary to protect the visibility of the file, and PostgreSQL will not use it unless permissions are restricted. !!! Tip Further reading For more details on configuration files, see: [the Configuration section in the Barman guide](http://docs.pgbarman.org/release/2.12/#configuration). From 37f78c5bc1500028cc1ea23129e4757189ce22f3 Mon Sep 17 00:00:00 2001 
From: Dj Walker-Morgan <126472455+djw-m@users.noreply.github.com> Date: Tue, 1 Oct 2024 17:31:46 +0100 Subject: [PATCH 3/5] Update advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Martín Marqués --- .../barman/single-server-streaming/step02-backup-setup.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx b/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx index 74678ec655d..80d37f7c1f8 100644 --- a/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx +++ b/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx @@ -108,7 +108,7 @@ pg:5432:replication:streaming_barman:example-password EOF chmod 0600 ~/.pgpass ``` -Each line in the `.pgpass` file need to follow below format: +Each line in the `.pgpass` file needs to follow below format: ``` [db_host]:[db_port]:[db_name]:[db_user]:[db_password] ``` From ff2a8bd392cf1b7c91de0e764790070f3f961589 Mon Sep 17 00:00:00 2001 From: gvasquezvargas Date: Wed, 2 Oct 2024 09:45:35 +0200 Subject: [PATCH 4/5] Applied suggestions from Adam's review --- .../barman/single-server-streaming/step02-backup-setup.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx b/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx index 80d37f7c1f8..61324e0157a 100644 --- a/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx +++ b/advocacy_docs/supported-open-source/barman/single-server-streaming/step02-backup-setup.mdx 
@@ -112,9 +112,9 @@ Each line in the `.pgpass` file needs to follow below format: ``` [db_host]:[db_port]:[db_name]:[db_user]:[db_password] ``` -Also note that the database name [db_name] for the barman streaming user MUST be `replication` +The database name [db_name] for the barman streaming user must be `replication` -**Note the change in permissions** - this is necessary to protect the visibility of the file, and PostgreSQL will not use it unless permissions are restricted. +**Note the change in permissions** - this is necessary to protect the visibility of the file. PostgreSQL won't use it unless permissions are restricted. !!! Tip Further reading For more details on configuration files, see: [the Configuration section in the Barman guide](http://docs.pgbarman.org/release/2.12/#configuration). From b7ab5c70521ca434e3f6062702f0cd62b6501671 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Thu, 3 Oct 2024 16:58:54 +0100 Subject: [PATCH 5/5] Fix bad link less junk Signed-off-by: Dj Walker-Morgan --- src/constants/updates.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/constants/updates.js b/src/constants/updates.js index bf1b43ea125..815bf8966d7 100644 --- a/src/constants/updates.js +++ b/src/constants/updates.js @@ -7,7 +7,7 @@ export const updates = [ description: "LiveCompare 3.0 is now available with improved performance, easier to configure Oracle support, and enhanced documentation. ", url: "/livecompare/latest/", - moreUrl: "/livecompare/latest/rel_notes/3.0_rel_notes/", + moreUrl: "/livecompare/latest/rel_notes/3.0.1_rel_notes/", }, { title: "Trusted Postgres Architect 23.34", @@ -16,7 +16,6 @@ export const updates = [ "TPA 23.34 includes enhanced support for EFM, PEM and pgBouncer, and a new output plugin which improves readability of TPA progress.", url: "/tpa/latest/", moreUrl: "/tpa/latest/rel_notes/tpa_23.34_rel_notes/", - }, { title: "EDB Postgres Enterprise Manager 9.7",
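Review bot: In PATCH 1/5, first hunk of `key_stores.mdx`, the new `description` ("Learn how to secure your data with an encryption key.") describes the wrong subject: the page, per its title, is about protecting the data encryption key itself (wrapping it with a passphrase or an external key store), not about encrypting data with a key. Suggest wording along the lines of `description: Learn how to protect the TDE data encryption key with a passphrase or an external key store.`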
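Review bot: In PATCH 1/5, hunk `@@ -61,16 +63,17 @@`, the added lead-in "To use one of the available key stores, see the configuration examples." implies every listed store has an example, but Thales CipherTrust Manager has no `###` example section anywhere in the file (AWS, Azure, Google Cloud, HashiCorp and now Fortanix do). Either add a Thales section (even one that only links the vendor tutorial, as the Fortanix one does) or turn each list item into a link to its example section so the gap is explicit rather than left for the reader to discover.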
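Review bot: In PATCH 1/5, hunk `@@ -120,17 +123,29 @@`, splitting the HashiCorp block drops the `# enable once` comment; `vault secrets enable transit` errors if the engine is already mounted at that path, so the new prose should say this is a one-time step rather than part of the per-key procedure. Two smaller points in the same hunk: the third fence (the `PGDATAKEYWRAPCMD`/`PGDATAKEYUNWRAPCMD` block) opens with a bare ``` while the two above it use ```shell, and the link text "HashiCorp Vault Transit Secrets Engine" points at the generic Vault docs root rather than a Transit page. The new "Fortanix Data Security Manager example" section also contains no example, only an external link; either inline the wrap/unwrap command pair as the other sections do, so the documented configuration does not depend on a vendor site, or retitle the section so it does not promise one.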
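Review bot: In PATCH 2/5 (`step02-backup-setup.mdx`), the hunk changes two fields per `.pgpass` line at once, the port (`*` to `5432`) and, for `streaming_barman`, the database (`*` to `replication`), while the commit message attributes the fix only to `replication`; please confirm which change actually cleared `fe_sendauth: no password supplied`, and keep the port as `*` unless it was needed, because hardcoding `5432` silently breaks the template for servers on a non-default port (the plain `barman` line gets the same port change although nothing in the message says it failed). Also, the new format block opens with a bare ``` where the surrounding blocks use ```shell (a `text` tag would do), and "need to follow below format" should read "needs to follow the format below".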
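Review bot: In PATCH 3/5, the hunk fixes `need` to `needs` but leaves the rest of the sentence awkward; suggest `Each line in the \`.pgpass\` file needs to follow the format below:` so the whole sentence is corrected in one pass.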
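Review bot: In PATCH 4/5, the rewritten line `The database name [db_name] for the barman streaming user must be \`replication\`` still has no terminating period and leaves `[db_name]` unformatted although the block above presents it as a placeholder; suggest `The database name (\`[db_name]\`) for the \`streaming_barman\` user must be \`replication\`.` so the sentence names the exact user from the template. The reworded permissions note is fine: libpq does ignore a `.pgpass` that is readable by group or others, so keeping `chmod 0600` next to the heredoc is the right emphasis.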
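Review bot: In PATCH 5/5, hunk `@@ -7,7 +7,7 @@` of `src/constants/updates.js`, `moreUrl` now points at the `3.0.1_rel_notes` page while the `description` on the line above still announces "LiveCompare 3.0 is now available", so the "more" link contradicts the card text; either mention 3.0.1 in the description or keep the link on the 3.0 notes. The description string also ends with a stray space before the closing quote (`documentation. "`), which this hunk could trim since it already touches the entry.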