diff --git a/contrib/pg_tde/documentation/docs/architecture/index.md b/contrib/pg_tde/documentation/docs/architecture/index.md index 0eff7081d4b07..b643a393fac95 100644 --- a/contrib/pg_tde/documentation/docs/architecture/index.md +++ b/contrib/pg_tde/documentation/docs/architecture/index.md @@ -175,7 +175,7 @@ For such situations, `pg_tde` also provides [command line tools](../command-line ## User interface -### Setting up `pg_tde` +### Setting up pg_tde To use `pg_tde`, users are required to: diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-waldump.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-waldump.md index b38441d58e640..a3ac50df4df02 100644 --- a/contrib/pg_tde/documentation/docs/command-line-tools/pg-waldump.md +++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-waldump.md @@ -4,10 +4,9 @@ To read encrypted WAL records, `pg_waldump` supports the following additional arguments: -* `keyring_path`: the directory where keyring configuration files for WAL are stored. These files include: - * `1664_keys` - * `1664_providers` +* `keyring_path` is the directory where the keyring configuration files for WAL are stored. The following files are included: + * `1664_keys` + * `1664_providers` !!! note - - `pg_waldump` will not decrypt WAL unless the `keyring_path` is set. + `pg_waldump` does not decrypt WAL unless the `keyring_path` is set. diff --git a/contrib/pg_tde/documentation/docs/faq.md b/contrib/pg_tde/documentation/docs/faq.md index 902e0a18b49fc..df80bea17f555 100644 --- a/contrib/pg_tde/documentation/docs/faq.md +++ b/contrib/pg_tde/documentation/docs/faq.md @@ -61,7 +61,7 @@ Thus, to protect your sensitive data, consider using TDE to encrypt it at the ta * Regular monitoring and auditing * Additional data protection for sensitive fields (e.g., application-layer encryption) -## How does `pg_tde` make my data safe? +## How does pg_tde make my data safe? `pg_tde` uses two keys to encrypt data: @@ -106,7 +106,7 @@ Consider encrypting only tables that store sensitive data. You can decide what t We advise encrypting the whole database only if all your data is sensitive, like PII, or if there is no other way to comply with data safety requirements. -## What cipher mechanisms are used by `pg_tde`? +## What cipher mechanisms are used by pg_tde? `pg_tde` currently uses a AES-CBC-128 algorithm. First the internal keys in the datafile are encrypted using the principal key with AES-CBC-128, then the file data itself is again encrypted using AES-CBC-128 with the internal key. @@ -141,7 +141,7 @@ After that, no database restart is required. When you create or alter the table If you lose encryption keys, especially, the principal key, the data is lost. That's why it's critical to back up your encryption keys securely and use the Key Management service for key management. -## Can I use `pg_tde` in a multi-tenant setup? +## Can I use pg_tde in a multi-tenant setup? Multi-tenancy is the type of architecture where multiple users, or tenants, share the same resource. It can be a database, a schema or an entire cluster. @@ -159,6 +159,6 @@ Since the encryption happens on the database level, it makes no difference for y To restore from an encrypted backup, you must have the same principal encryption key, which was used to encrypt files in your backup. -## I'm using OpenSSL in FIPS mode and need to use `pg_tde`. Does `pg_tde` comply with FIPS requirements? Can I use my own FIPS-mode OpenSSL library with `pg_tde`? +## I'm using OpenSSL in FIPS mode and need to use pg_tde. Does pg_tde comply with FIPS requirements? Can I use my own FIPS-mode OpenSSL library with pg_tde? Yes. `pg_tde` works with the FIPS-compliant version of OpenSSL, whether it is provided by your operating system or if you use your own OpenSSL libraries. If you use your own libraries, make sure they are FIPS certified. diff --git a/contrib/pg_tde/documentation/docs/functions.md b/contrib/pg_tde/documentation/docs/functions.md index 9ddf5fba3b80c..0a6a7afde256e 100644 --- a/contrib/pg_tde/documentation/docs/functions.md +++ b/contrib/pg_tde/documentation/docs/functions.md @@ -15,7 +15,7 @@ However, database owners can run the “view keys” and “set principal key” A key provider is a system or service responsible for managing encryption keys. `pg_tde` supports the following key providers: -* local file (not for production use) +* local file (not recommended for production use) * Hashicorp Vault / OpenBao * KMIP compatible providers @@ -26,7 +26,7 @@ Key provider management includes the following operations: * deleting a key provider, * listing key providers. -### Add a provider +### Add a key provider You can add a new key provider using the provided functions, which are implemented for each provider type. @@ -35,7 +35,7 @@ There are two functions to add a key provider: one function adds it for the curr * `pg_tde_add_database_key_provider_('provider-name', )` * `pg_tde_add_global_key_provider_('provider-name', )` -When you add a new provider, the provider name must be unqiue in the scope. But a local database provider and a global provider can have the same name. +When you add a new provider, the provider name must be unique in the scope. But a local database provider and a global provider can have the same name. ### Change an existing provider @@ -106,8 +106,6 @@ where: * `secret_token_path` is a path to the file that contains an access token with read and write access to the above mount point * **[optional]** `ca_path` is the path of the CA file used for SSL verification - - #### Adding or modifying KMIP providers The KMIP provider uses a remote KMIP server. @@ -167,7 +165,6 @@ where: !!! note The specified access parameters require permission to read and write keys at the server. - ### Adding or modifying local keyfile providers This provider manages database keys using a local keyfile. @@ -210,7 +207,6 @@ where: * `provider-name` is the name of the provider. You can specify any name, it's for you to identify the provider. * `/path/to/the/key/provider/data.file` is the path to the key provider file. - ### Delete a provider These functions delete an existing provider in the current database or in the global scope: diff --git a/contrib/pg_tde/documentation/docs/index.md b/contrib/pg_tde/documentation/docs/index.md index 13512dd28cb75..30bf17a431bd2 100644 --- a/contrib/pg_tde/documentation/docs/index.md +++ b/contrib/pg_tde/documentation/docs/index.md @@ -1,4 +1,4 @@ -# `pg_tde` Documentation +# pg_tde Documentation `pg_tde` is the open source, community driven and futureproof PostgreSQL extension that provides Transparent Data Encryption (TDE) to protect data at rest. `pg_tde` ensures that the data stored on disk is encrypted, and that no one can read it without the proper encryption keys, even if they gain access to the physical storage media.