4 changes: 2 additions & 2 deletions product_docs/docs/tde/15/secure_key/index.mdx
Expand Up @@ -31,13 +31,13 @@ With the wrap and unwrap commands you can:

## Configuring a wrapping and unwrapping command

After you choose a method to protect your key, you can create the wrapping/unwrapping commands. The configuration of these commands is left to the user, which allows you to tailor the setup to local requirements and integrate with existing key management software or similar.
After you choose a method to protect your key, you can create the wrapping/unwrapping commands. The configuration of these commands is left to the user, which allows you to tailor the setup to local requirements and integrate with existing key management software or similar. NOTE: the wrap and unwrap commands are assumed to run with the current working directory (CWD) set to the Postgres data directory; changing the working directory at run time can lead to unexpected results.

[Using a passphrase](passphrase) provides an example for wrapping and unwrapping commands using OpenSSL and a passphrase to secure the TDE data key. [Using a key store](key_store) provides an example for wrapping and unwrapping commands using an external key store key to protect the TDE data key.

When you initialize a server with TDE, the `initdb` command adds the `data_encryption_key_unwrap_command` parameter in the `postgresql.conf` configuration file. The string specified in `data_encryption_key_unwrap_command` can then unwrap (decrypt) the data encryption key.

The commands must contain a placeholder `%p`, which is replaced with the name of the file containing the key to unwrap. The command must print the unwrapped (decrypted) key to its standard output.
The commands must contain a placeholder `%p`, which is replaced with the path to the file containing the key to unwrap. Since the commands are assumed to run with the Postgres data directory as the current working directory, the key path name provided can be relative to the data directory. The command must print the unwrapped (decrypted) key to its standard output.

## Providing the wrapping and unwrapping commands to TDE

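Review bot: The NOTE sentence added to the first changed paragraph and the sentence added to the `%p` paragraph state the same working-directory assumption twice; state it once, in the `%p` paragraph where it explains why the path may be relative, and keep the first paragraph to a short pointer. The phrase "can lead to unexpected results" is vague; say what the change implies concretely: if the unwrap command changes directory before opening the file, a relative path substituted for `%p` no longer resolves and the key file is not found. Minor wording: "the key path name provided can be relative to the data directory" reads awkwardly; suggest "the path substituted for `%p` may be relative to the data directory".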