diff --git a/ci_scripts/setup-keyring-servers.sh b/ci_scripts/setup-keyring-servers.sh
index 962f859244339..4a9a5aba52ab2 100755
--- a/ci_scripts/setup-keyring-servers.sh
+++ b/ci_scripts/setup-keyring-servers.sh
@@ -15,6 +15,7 @@ wget https://raw.githubusercontent.com/OpenKMIP/PyKMIP/refs/heads/master/example
 cd ..
 echo $SCRIPT_DIR
+rm -f /tmp/pykmip.db
 pykmip-server -f "$SCRIPT_DIR/../contrib/pg_tde/pykmip-server.conf" -l /tmp/kmip-server.log &
 CLUSTER_INFO=$(mktemp)
diff --git a/ci_scripts/tde_setup.sql b/ci_scripts/tde_setup.sql
index fd084c96462bd..dfce0a1b08c5d 100644
--- a/ci_scripts/tde_setup.sql
+++ b/ci_scripts/tde_setup.sql
@@ -1,4 +1,6 @@
 CREATE SCHEMA IF NOT EXISTS tde;
 CREATE EXTENSION IF NOT EXISTS pg_tde SCHEMA tde;
+\! rm -f '/tmp/pg_tde_test_keyring.per'
 SELECT tde.pg_tde_add_database_key_provider_file('reg_file-vault', '/tmp/pg_tde_test_keyring.per');
+SELECT tde.pg_tde_create_key_using_database_key_provider('test-db-key', 'reg_file-vault');
 SELECT tde.pg_tde_set_key_using_database_key_provider('test-db-key', 'reg_file-vault');
diff --git a/ci_scripts/tde_setup_global.sql b/ci_scripts/tde_setup_global.sql
index 364b34c5f603a..f096285643a83 100644
--- a/ci_scripts/tde_setup_global.sql
+++ b/ci_scripts/tde_setup_global.sql
@@ -1,7 +1,9 @@
 CREATE SCHEMA tde;
 CREATE EXTENSION IF NOT EXISTS pg_tde SCHEMA tde;
+\! rm -f '/tmp/pg_tde_test_keyring.per'
 SELECT tde.pg_tde_add_global_key_provider_file('reg_file-global', '/tmp/pg_tde_test_keyring.per');
+SELECT tde.pg_tde_create_key_using_global_key_provider('server-key', 'reg_file-global');
 SELECT tde.pg_tde_set_server_key_using_global_key_provider('server-key', 'reg_file-global');
 ALTER SYSTEM SET pg_tde.wal_encrypt = on;
 ALTER SYSTEM SET default_table_access_method = 'tde_heap';
diff --git a/contrib/pg_tde/expected/access_control.out b/contrib/pg_tde/expected/access_control.out
index de266f17e88d0..2dd199677cfa1 100644
--- a/contrib/pg_tde/expected/access_control.out
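Review bot: `rm -f /tmp/pykmip.db` resets a fixed, predictable path under the shared /tmp, so on a runner where another job or another local user left (or pre-created) a file at that name the removal fails silently and `pykmip-server` presumably starts on stale or foreign state; the same applies to `/tmp/kmip-server.log` on the next line, and the server's database path itself comes from pykmip-server.conf, which is outside this diff. A per-run directory, e.g. `KMIP_DIR=$(mktemp -d)` with the config pointed at it, removes the shared-path assumption, and the script already uses `mktemp` for `CLUSTER_INFO` a few lines below. Failing that, make the reset loud when it does not take effect, `rm -f /tmp/pykmip.db || { echo "cannot reset pykmip state" >&2; exit 1; }`, unless the script runs under `set -e`, which this hunk does not show. Unrelated to the change but visible in the hunk header, the download from the PyKMIP `refs/heads/master` branch is unpinned, so the CI fixture floats with upstream. The script continues outside the hunk.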
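Review bot: `\! rm -f '/tmp/pg_tde_test_keyring.per'` is executed by psql on the client side, so it only resets the keyring when psql runs on the server host as an OS user allowed to delete that file; otherwise `pg_tde_add_database_key_provider_file` on the next line reopens whatever keyring is already there and the new `pg_tde_create_key_using_database_key_provider` call presumably fails with the "already exists" error this commit records in key_provider.out. Document that precondition above the line, e.g. `-- Fresh keyring for this run; \! runs on the psql client, so psql must run on the server host.`, or move the reset into the shell driver that invokes this script. The same pattern is added to tde_setup_global.sql and to the sql/*.sql regression inputs in this commit (access_control, alter_index, cache_alloc, change_access_method, create_database), where the client-side assumption is presumably satisfied by pg_regress running psql locally.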
+++ b/contrib/pg_tde/expected/access_control.out @@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per'); pg_tde_add_database_key_provider_file @@ -8,6 +9,8 @@ SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde CREATE USER regress_pg_tde_access_control; SET ROLE regress_pg_tde_access_control; -- should throw access denied +SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'local-file-provider'); +ERROR: permission denied for function pg_tde_create_key_using_database_key_provider SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider'); ERROR: permission denied for function pg_tde_set_key_using_database_key_provider SELECT pg_tde_delete_key(); 
@@ -34,11 +37,12 @@ GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider(TEXT, TEXT, JSON) TO GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control; GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control; GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control; +GRANT EXECUTE ON FUNCTION pg_tde_create_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control; GRANT EXECUTE ON FUNCTION pg_tde_delete_database_key_provider(TEXT) TO regress_pg_tde_access_control; GRANT EXECUTE ON FUNCTION pg_tde_delete_global_key_provider(TEXT) TO regress_pg_tde_access_control; -GRANT EXECUTE ON FUNCTION pg_tde_set_default_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control; -GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control; -GRANT EXECUTE ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control; +GRANT EXECUTE ON FUNCTION pg_tde_set_default_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control; +GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control; +GRANT EXECUTE ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control; GRANT EXECUTE ON FUNCTION pg_tde_delete_default_key() TO regress_pg_tde_access_control; SET ROLE regress_pg_tde_access_control; SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per'); 
@@ -53,6 +57,8 @@ SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_t ERROR: must be superuser to modify key providers SELECT pg_tde_delete_global_key_provider('global-file-provider'); ERROR: must be superuser to modify key providers +SELECT pg_tde_create_key_using_global_key_provider('key1', 'global-file-provider'); +ERROR: must be superuser to access global key providers SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider'); ERROR: must be superuser to access global key providers SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider'); diff --git a/contrib/pg_tde/expected/alter_index.out b/contrib/pg_tde/expected/alter_index.out index dc3c181acdd49..a4a627e7b97da 100644 --- a/contrib/pg_tde/expected/alter_index.out +++ b/contrib/pg_tde/expected/alter_index.out @@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); pg_tde_add_database_key_provider_file @@ -5,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyr (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/expected/cache_alloc.out b/contrib/pg_tde/expected/cache_alloc.out index 86e060fae585a..bbd27168097fc 100644 --- a/contrib/pg_tde/expected/cache_alloc.out +++ b/contrib/pg_tde/expected/cache_alloc.out 
@@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' -- Just checking there are no mem debug WARNINGs during the cache population CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); @@ -6,6 +7,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyr (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/expected/change_access_method.out b/contrib/pg_tde/expected/change_access_method.out index fd95f35489c89..3d582af882507 100644 --- a/contrib/pg_tde/expected/change_access_method.out +++ b/contrib/pg_tde/expected/change_access_method.out @@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per'); pg_tde_add_database_key_provider_file @@ -5,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_key (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/expected/create_database.out b/contrib/pg_tde/expected/create_database.out index 83944edd3e3e5..ca31af47b1e3e 100644 --- a/contrib/pg_tde/expected/create_database.out +++ b/contrib/pg_tde/expected/create_database.out 
@@ -1,3 +1,5 @@ +\! rm -f '/tmp/template_provider_global.per' +\! rm -f '/tmp/template_provider.per' CREATE EXTENSION IF NOT EXISTS pg_tde; CREATE DATABASE template_db; SELECT current_database() AS regress_database @@ -10,6 +12,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/template_provid (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- @@ -29,6 +37,12 @@ SELECT pg_tde_add_global_key_provider_file('global-file-vault','/tmp/template_pr (1 row) +SELECT pg_tde_create_key_using_global_key_provider('default-key', 'global-file-vault'); + pg_tde_create_key_using_global_key_provider +--------------------------------------------- + +(1 row) + SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'global-file-vault'); pg_tde_set_default_key_using_global_key_provider -------------------------------------------------- diff --git a/contrib/pg_tde/expected/default_principal_key.out b/contrib/pg_tde/expected/default_principal_key.out index 6c5c92509a66e..a95337077e718 100644 --- a/contrib/pg_tde/expected/default_principal_key.out +++ b/contrib/pg_tde/expected/default_principal_key.out @@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_regression_default_key.per' CREATE EXTENSION IF NOT EXISTS pg_tde; CREATE EXTENSION IF NOT EXISTS pg_buffercache; SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regression_default_key.per'); 
@@ -17,7 +18,13 @@ SELECT provider_id, provider_name, key_name | | (1 row) -SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider', false); +SELECT pg_tde_create_key_using_global_key_provider('default-key', 'file-provider'); + pg_tde_create_key_using_global_key_provider +--------------------------------------------- + +(1 row) + +SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider'); pg_tde_set_default_key_using_global_key_provider -------------------------------------------------- @@ -99,7 +106,13 @@ SELECT provider_id, provider_name, key_name \c :regress_database CHECKPOINT; -SELECT pg_tde_set_default_key_using_global_key_provider('new-default-key', 'file-provider', false); +SELECT pg_tde_create_key_using_global_key_provider('new-default-key', 'file-provider'); + pg_tde_create_key_using_global_key_provider +--------------------------------------------- + +(1 row) + +SELECT pg_tde_set_default_key_using_global_key_provider('new-default-key', 'file-provider'); pg_tde_set_default_key_using_global_key_provider -------------------------------------------------- diff --git a/contrib/pg_tde/expected/delete_principal_key.out b/contrib/pg_tde/expected/delete_principal_key.out index 3c6319e7b3ebf..17dda7d8ba435 100644 --- a/contrib/pg_tde/expected/delete_principal_key.out +++ b/contrib/pg_tde/expected/delete_principal_key.out @@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per'); pg_tde_add_global_key_provider_file 
@@ -5,6 +6,18 @@ SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_test_key (1 row) +SELECT pg_tde_create_key_using_global_key_provider('defalut-key','file-provider'); + pg_tde_create_key_using_global_key_provider +--------------------------------------------- + +(1 row) + +SELECT pg_tde_create_key_using_global_key_provider('test-db-key','file-provider'); + pg_tde_create_key_using_global_key_provider +--------------------------------------------- + +(1 row) + -- Set the local key and delete it without any encrypted tables -- Should succeed: nothing used the key SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-provider'); diff --git a/contrib/pg_tde/expected/insert_update_delete.out b/contrib/pg_tde/expected/insert_update_delete.out index 9db4133a07321..88cc211d774f4 100644 --- a/contrib/pg_tde/expected/insert_update_delete.out +++ b/contrib/pg_tde/expected/insert_update_delete.out @@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); pg_tde_add_database_key_provider_file @@ -5,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyr (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/expected/key_provider.out b/contrib/pg_tde/expected/key_provider.out index d665b74cb6ed3..3be6375928e62 100644 --- a/contrib/pg_tde/expected/key_provider.out +++ b/contrib/pg_tde/expected/key_provider.out 
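Review bot: The key name `'defalut-key'` in the first added `pg_tde_create_key_using_global_key_provider` call reads like a misspelling of `default-key`; as a bare string it cannot fail by itself, but any later statement (outside this hunk) that refers to that key must now use the same misspelt name, and this expected output freezes it. The fix belongs in sql/delete_principal_key.sql, which is not part of this chunk, with the .out regenerated: `SELECT pg_tde_create_key_using_global_key_provider('default-key','file-provider');`.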
@@ -1,3 +1,7 @@ +\! rm -f '/tmp/db-provider-file' +\! rm -f '/tmp/global-provider-file-1' +\! rm -f '/tmp/pg_tde_test_keyring.per' +\! rm -f '/tmp/pg_tde_test_keyring2.per' CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT * FROM pg_tde_key_info(); key_name | provider_name | provider_id | key_creation_time @@ -28,6 +32,12 @@ SELECT * FROM pg_tde_list_all_database_key_providers(); 2 | file-provider2 | file | {"path" : "/tmp/pg_tde_test_keyring2.per"} (2 rows) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-provider'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_verify_key(); ERROR: principal key not configured for current database SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-provider'); @@ -109,7 +119,7 @@ SELECT id, name FROM pg_tde_list_all_global_key_providers(); -5 | file-keyring2 (2 rows) -SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'file-keyring', false); +SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'file-keyring'); pg_tde_set_key_using_global_key_provider ------------------------------------------ @@ -228,6 +238,12 @@ SELECT pg_tde_add_global_key_provider_file('global-provider', '/tmp/global-provi (1 row) +SELECT pg_tde_create_key_using_global_key_provider('server-key', 'global-provider'); + pg_tde_create_key_using_global_key_provider +--------------------------------------------- + +(1 row) + SELECT pg_tde_set_server_key_using_global_key_provider('server-key', 'global-provider'); WARNING: The WAL encryption feature is currently in beta and may be unstable. Do not use it in production environments! pg_tde_set_server_key_using_global_key_provider 
@@ -249,6 +265,12 @@ SELECT current_database() AS regress_database CREATE DATABASE db_using_global_provider; \c db_using_global_provider; CREATE EXTENSION pg_tde; +SELECT pg_tde_create_key_using_global_key_provider('database-key', 'global-provider2'); + pg_tde_create_key_using_global_key_provider +--------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_global_key_provider('database-key', 'global-provider2'); pg_tde_set_key_using_global_key_provider ------------------------------------------ @@ -268,6 +290,12 @@ SELECT pg_tde_add_database_key_provider_file('db-provider', '/tmp/db-provider-fi (1 row) +SELECT pg_tde_create_key_using_database_key_provider('database-key', 'db-provider'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('database-key', 'db-provider'); pg_tde_set_key_using_database_key_provider -------------------------------------------- 
@@ -304,23 +332,39 @@ SELECT pg_tde_set_server_key_using_global_key_provider(NULL, 'file-keyring');
 WARNING: The WAL encryption feature is currently in beta and may be unstable. Do not use it in production environments!
 ERROR: key name cannot be null
 -- Empty string is not allowed for a principal key name
-SELECT pg_tde_set_default_key_using_global_key_provider('', 'file-keyring');
+SELECT pg_tde_create_key_using_database_key_provider('', 'file-provider');
 ERROR: key name "" is too short
-SELECT pg_tde_set_key_using_database_key_provider('', 'file-keyring');
+SELECT pg_tde_create_key_using_global_key_provider('', 'file-keyring');
 ERROR: key name "" is too short
-SELECT pg_tde_set_key_using_global_key_provider('', 'file-keyring');
-ERROR: key name "" is too short
-SELECT pg_tde_set_server_key_using_global_key_provider('', 'file-keyring');
-WARNING: The WAL encryption feature is currently in beta and may be unstable. Do not use it in production environments!
-ERROR: key name "" is too short
--- Setting principal key fails if the key name is too long
-SELECT pg_tde_set_default_key_using_global_key_provider(repeat('K', 256), 'file-keyring');
-ERROR: too long principal key name, maximum length is 255 bytes
-SELECT pg_tde_set_key_using_database_key_provider(repeat('K', 256), 'file-provider');
-ERROR: too long principal key name, maximum length is 255 bytes
-SELECT pg_tde_set_key_using_global_key_provider(repeat('K', 256), 'file-keyring');
-ERROR: too long principal key name, maximum length is 255 bytes
-SELECT pg_tde_set_server_key_using_global_key_provider(repeat('K', 256), 'file-keyring');
+-- Creating principal key fails if the key name is too long
+SELECT pg_tde_create_key_using_database_key_provider(repeat('K', 256), 'file-provider');
+ERROR: key name "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK" is too long
+HINT: Maximum length is 255 bytes.
+SELECT pg_tde_create_key_using_global_key_provider(repeat('K', 256), 'file-keyring');
+ERROR: key name "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK" is too long
+HINT: Maximum length is 255 bytes.
+-- Creating principal key fails if key already exists
+SELECT pg_tde_create_key_using_database_key_provider('existing-key','file-provider');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
+SELECT pg_tde_create_key_using_database_key_provider('existing-key','file-provider');
+ERROR: cannot to create key "existing-key" because it already exists
+SELECT pg_tde_create_key_using_global_key_provider('existing-key','file-keyring');
+ERROR: cannot to create key "existing-key" because it already exists
+-- Setting principal key fails if key does not exist
+SELECT pg_tde_set_default_key_using_global_key_provider('not-existing', 'file-keyring');
+ERROR: key "not-existing" does not exist
+HINT: Use pg_tde_create_key_using_global_key_provider() to create it.
+SELECT pg_tde_set_key_using_database_key_provider('not-existing', 'file-keyring');
+ERROR: key provider "file-keyring" does not exists
+SELECT pg_tde_set_key_using_global_key_provider('not-existing', 'file-keyring');
+ERROR: key "not-existing" does not exist
+HINT: Use pg_tde_create_key_using_global_key_provider() to create it.
+SELECT pg_tde_set_server_key_using_global_key_provider('not-existing', 'file-keyring');
 WARNING: The WAL encryption feature is currently in beta and may be unstable. Do not use it in production environments!
-ERROR: too long principal key name, maximum length is 255 bytes
+ERROR: key "not-existing" does not exist
+HINT: Use pg_tde_create_key_using_global_key_provider() to create it.
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/expected/kmip_test.out b/contrib/pg_tde/expected/kmip_test.out
index b363a6db94b2f..630dfe69c3509 100644
--- a/contrib/pg_tde/expected/kmip_test.out
+++ b/contrib/pg_tde/expected/kmip_test.out
@@ -5,6 +5,12 @@ SELECT pg_tde_add_database_key_provider_kmip('kmip-prov', '127.0.0.1', 5696, '/t
 (1 row)
+SELECT pg_tde_create_key_using_database_key_provider('kmip-key','kmip-prov');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('kmip-key','kmip-prov');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
diff --git a/contrib/pg_tde/expected/partition_table.out b/contrib/pg_tde/expected/partition_table.out
index 704bb98598c72..e58c181d5bca2 100644
--- a/contrib/pg_tde/expected/partition_table.out
+++ b/contrib/pg_tde/expected/partition_table.out
@@ -1,3 +1,4 @@
+\! rm -f '/tmp/pg_tde_keyring.per'
 CREATE EXTENSION pg_tde;
 SELECT pg_tde_add_database_key_provider_file('database_keyring_provider','/tmp/pg_tde_keyring.per');
  pg_tde_add_database_key_provider_file
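Review bot: The `-- Setting principal key fails if key does not exist` case for the database-level function does not test what the comment says: `SELECT pg_tde_set_key_using_database_key_provider('not-existing', 'file-keyring');` names a global provider, so the recorded error is `key provider "file-keyring" does not exists` and the missing-key path of that function is never exercised. Using the database provider this file created earlier, `SELECT pg_tde_set_key_using_database_key_provider('not-existing', 'file-provider');`, should reach the missing-key check like its global siblings, with the expected output regenerated (the HINT wording for the database variant is not visible here). Two messages this hunk now freezes into the expected output also read badly, `cannot to create key ... because it already exists` and `does not exists`, and are better fixed at their source in the C code (outside this diff) before the wording is pinned. Separately, `pg_tde_create_key_using_global_key_provider('existing-key','file-keyring')` failing with "already exists" although the key was created only through the database provider `file-provider` suggests both providers point at the same keyring file; a one-line comment there would make explicit that key names are scoped by the backing store, not by the provider.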
@@ -5,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('database_keyring_provider','/tmp/p (1 row) +SELECT pg_tde_create_key_using_database_key_provider('table_key','database_keyring_provider'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('table_key','database_keyring_provider'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/expected/pg_tde_is_encrypted.out b/contrib/pg_tde/expected/pg_tde_is_encrypted.out index f3916e4734adb..a6e13a57d9e13 100644 --- a/contrib/pg_tde/expected/pg_tde_is_encrypted.out +++ b/contrib/pg_tde/expected/pg_tde_is_encrypted.out @@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); pg_tde_add_database_key_provider_file @@ -5,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyr (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/expected/recreate_storage.out b/contrib/pg_tde/expected/recreate_storage.out index 235e75b70473a..adfca5acb8d38 100644 --- a/contrib/pg_tde/expected/recreate_storage.out +++ b/contrib/pg_tde/expected/recreate_storage.out @@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); pg_tde_add_database_key_provider_file 
@@ -5,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyr (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/expected/tablespace.out b/contrib/pg_tde/expected/tablespace.out index de34caa969d70..4349c31ac8019 100644 --- a/contrib/pg_tde/expected/tablespace.out +++ b/contrib/pg_tde/expected/tablespace.out @@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); pg_tde_add_database_key_provider_file @@ -5,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyr (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/expected/toast_decrypt.out b/contrib/pg_tde/expected/toast_decrypt.out index e7d2d11370eda..7647a4e6795db 100644 --- a/contrib/pg_tde/expected/toast_decrypt.out +++ b/contrib/pg_tde/expected/toast_decrypt.out @@ -1,3 +1,4 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); pg_tde_add_database_key_provider_file 
@@ -5,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyr (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/expected/vault_v2_test.out b/contrib/pg_tde/expected/vault_v2_test.out index 3a092b86dadfe..33d9f9175444f 100644 --- a/contrib/pg_tde/expected/vault_v2_test.out +++ b/contrib/pg_tde/expected/vault_v2_test.out @@ -8,7 +8,7 @@ SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect', 'https://127 (1 row) -- FAILS -SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key', 'vault-incorrect'); +SELECT pg_tde_create_key_using_database_key_provider('vault-v2-key', 'vault-incorrect'); ERROR: Invalid HTTP response from keyring provider "vault-incorrect": 404 CREATE TABLE test_enc( id SERIAL, @@ -23,6 +23,12 @@ SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2', 'https://127.0.0.1: (1 row) +SELECT pg_tde_create_key_using_database_key_provider('vault-v2-key', 'vault-v2'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key', 'vault-v2'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/pg_tde--1.0-rc.sql b/contrib/pg_tde/pg_tde--1.0-rc.sql index 242482dbc30c0..5d23b685bb67a 100644 --- a/contrib/pg_tde/pg_tde--1.0-rc.sql +++ b/contrib/pg_tde/pg_tde--1.0-rc.sql 
@@ -215,29 +215,41 @@ STRICT
 LANGUAGE C
 AS 'MODULE_PATHNAME';
-CREATE FUNCTION pg_tde_set_key_using_database_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE)
+CREATE FUNCTION pg_tde_create_key_using_database_key_provider(key_name TEXT, provider_name TEXT)
 RETURNS VOID
 LANGUAGE C
 AS 'MODULE_PATHNAME';
-REVOKE ALL ON FUNCTION pg_tde_set_key_using_database_key_provider(TEXT, TEXT, BOOLEAN) FROM PUBLIC;
+REVOKE ALL ON FUNCTION pg_tde_create_key_using_database_key_provider(TEXT, TEXT) FROM PUBLIC;
-CREATE FUNCTION pg_tde_set_key_using_global_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE)
+CREATE FUNCTION pg_tde_create_key_using_global_key_provider(key_name TEXT, provider_name TEXT)
 RETURNS VOID
 LANGUAGE C
 AS 'MODULE_PATHNAME';
-REVOKE ALL ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) FROM PUBLIC;
+REVOKE ALL ON FUNCTION pg_tde_create_key_using_global_key_provider(TEXT, TEXT) FROM PUBLIC;
-CREATE FUNCTION pg_tde_set_server_key_using_global_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE)
+CREATE FUNCTION pg_tde_set_key_using_database_key_provider(key_name TEXT, provider_name TEXT)
 RETURNS VOID
 LANGUAGE C
 AS 'MODULE_PATHNAME';
-REVOKE ALL ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) FROM PUBLIC;
+REVOKE ALL ON FUNCTION pg_tde_set_key_using_database_key_provider(TEXT, TEXT) FROM PUBLIC;
-CREATE FUNCTION pg_tde_set_default_key_using_global_key_provider(key_name TEXT, provider_name TEXT, ensure_new_key BOOLEAN DEFAULT FALSE)
+CREATE FUNCTION pg_tde_set_key_using_global_key_provider(key_name TEXT, provider_name TEXT)
+RETURNS VOID
+LANGUAGE C
+AS 'MODULE_PATHNAME';
+REVOKE ALL ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT) FROM PUBLIC;
+
+CREATE FUNCTION pg_tde_set_server_key_using_global_key_provider(key_name TEXT, provider_name TEXT)
+RETURNS VOID
+LANGUAGE C
+AS 'MODULE_PATHNAME';
+REVOKE ALL ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT) FROM PUBLIC;
+
+CREATE FUNCTION pg_tde_set_default_key_using_global_key_provider(key_name TEXT, provider_name TEXT)
 RETURNS VOID
 AS 'MODULE_PATHNAME'
 LANGUAGE C;
-REVOKE ALL ON FUNCTION pg_tde_set_default_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) FROM PUBLIC;
+REVOKE ALL ON FUNCTION pg_tde_set_default_key_using_global_key_provider(TEXT, TEXT) FROM PUBLIC;
 CREATE FUNCTION pg_tde_verify_key()
 RETURNS VOID
diff --git a/contrib/pg_tde/sql/access_control.sql b/contrib/pg_tde/sql/access_control.sql
index b8ac7aff0ec79..78de2d3602d7d 100644
--- a/contrib/pg_tde/sql/access_control.sql
+++ b/contrib/pg_tde/sql/access_control.sql
@@ -1,3 +1,5 @@
+\! rm -f '/tmp/pg_tde_test_keyring.per'
+
 CREATE EXTENSION IF NOT EXISTS pg_tde;
 SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
@@ -7,6 +9,7 @@ CREATE USER regress_pg_tde_access_control;
 SET ROLE regress_pg_tde_access_control;
 -- should throw access denied
+SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'local-file-provider');
 SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
 SELECT pg_tde_delete_key();
 SELECT pg_tde_list_all_database_key_providers();
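Review bot: The re-added `pg_tde_set_default_key_using_global_key_provider` keeps the old `AS 'MODULE_PATHNAME'` / `LANGUAGE C;` ordering while the five definitions above it in this hunk write `LANGUAGE C` then `AS 'MODULE_PATHNAME';`; since the commit rewrites its signature line anyway, align it to `RETURNS VOID` / `LANGUAGE C` / `AS 'MODULE_PATHNAME';`. Dropping `ensure_new_key BOOLEAN DEFAULT FALSE` and adding the two create functions changes the installed SQL API of an existing script version (`pg_tde--1.0-rc.sql`); if that version has been installed anywhere, an upgrade script to the next version is needed as well, and none is visible in this diff. The `REVOKE ALL ... FROM PUBLIC` for each new function is in place, so key creation stays opt-in per role like the set functions; a short comment above the create functions stating that a key must exist before any set function accepts it (the behaviour key_provider.out now records) would document the new two-step contract in the one file operators read. The hunk ends inside the `pg_tde_verify_key()` definition.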
@@ -25,11 +28,12 @@ GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider(TEXT, TEXT, JSON) TO
 GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
+GRANT EXECUTE ON FUNCTION pg_tde_create_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_delete_database_key_provider(TEXT) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_delete_global_key_provider(TEXT) TO regress_pg_tde_access_control;
-GRANT EXECUTE ON FUNCTION pg_tde_set_default_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control;
-GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control;
-GRANT EXECUTE ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control;
+GRANT EXECUTE ON FUNCTION pg_tde_set_default_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control;
+GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control;
+GRANT EXECUTE ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_delete_default_key() TO regress_pg_tde_access_control;
 SET ROLE regress_pg_tde_access_control;
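Review bot: Only the global create function is granted here; `pg_tde_create_key_using_database_key_provider(TEXT, TEXT)` receives no GRANT in this hunk (nor anywhere else this diff shows), so the database-level create function is covered only in its denied state from the first hunk of this file, and the test never confirms that a role holding EXECUTE can create a key through a database provider, which is the path non-superusers are actually meant to use. Adding `GRANT EXECUTE ON FUNCTION pg_tde_create_key_using_database_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control;` next to the global grant, followed by a positive call after `SET ROLE`, would close that gap; the expected output in access_control.out needs the matching rows.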
@@ -40,6 +44,7 @@ SELECT pg_tde_delete_database_key_provider('local-file-provider'); SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per'); SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per'); SELECT pg_tde_delete_global_key_provider('global-file-provider'); +SELECT pg_tde_create_key_using_global_key_provider('key1', 'global-file-provider'); SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider'); SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider'); SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider'); diff --git a/contrib/pg_tde/sql/alter_index.sql b/contrib/pg_tde/sql/alter_index.sql index 794161bbd0eae..23283386f465d 100644 --- a/contrib/pg_tde/sql/alter_index.sql +++ b/contrib/pg_tde/sql/alter_index.sql @@ -1,6 +1,9 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); SET default_table_access_method = "tde_heap"; diff --git a/contrib/pg_tde/sql/cache_alloc.sql b/contrib/pg_tde/sql/cache_alloc.sql index 745fdacfc18d8..5098c26138681 100644 --- a/contrib/pg_tde/sql/cache_alloc.sql +++ b/contrib/pg_tde/sql/cache_alloc.sql @@ -1,8 +1,11 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' + -- Just checking there are no mem debug WARNINGs during the cache population CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); do $$ 
diff --git a/contrib/pg_tde/sql/change_access_method.sql b/contrib/pg_tde/sql/change_access_method.sql index cc3f2eb153f5d..cd4ff512c7e9d 100644 --- a/contrib/pg_tde/sql/change_access_method.sql +++ b/contrib/pg_tde/sql/change_access_method.sql @@ -1,6 +1,9 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per'); +SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault'); SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault'); CREATE TABLE country_table ( diff --git a/contrib/pg_tde/sql/create_database.sql b/contrib/pg_tde/sql/create_database.sql index 77c7aaf84a83a..604293dd24a5a 100644 --- a/contrib/pg_tde/sql/create_database.sql +++ b/contrib/pg_tde/sql/create_database.sql @@ -1,3 +1,6 @@ +\! rm -f '/tmp/template_provider_global.per' +\! rm -f '/tmp/template_provider.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; CREATE DATABASE template_db; @@ -10,6 +13,7 @@ SELECT current_database() AS regress_database CREATE EXTENSION pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/template_provider.per'); +SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault'); SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault'); CREATE TABLE test_enc (id serial PRIMARY KEY, x int) USING tde_heap; @@ -24,7 +28,7 @@ INSERT INTO test_plain (x) VALUES (30), (40); --CREATE DATABASE new_db TEMPLATE template_db; SELECT pg_tde_add_global_key_provider_file('global-file-vault','/tmp/template_provider_global.per'); - +SELECT pg_tde_create_key_using_global_key_provider('default-key', 'global-file-vault'); SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'global-file-vault'); CREATE DATABASE new_db TEMPLATE template_db; 
diff --git a/contrib/pg_tde/sql/default_principal_key.sql b/contrib/pg_tde/sql/default_principal_key.sql index 3a39fa87fc0c2..20acfd3eb3e99 100644 --- a/contrib/pg_tde/sql/default_principal_key.sql +++ b/contrib/pg_tde/sql/default_principal_key.sql @@ -1,3 +1,5 @@ +\! rm -f '/tmp/pg_tde_regression_default_key.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; CREATE EXTENSION IF NOT EXISTS pg_buffercache; @@ -10,7 +12,8 @@ SELECT pg_tde_verify_default_key(); SELECT provider_id, provider_name, key_name FROM pg_tde_default_key_info(); -SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider', false); +SELECT pg_tde_create_key_using_global_key_provider('default-key', 'file-provider'); +SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider'); SELECT pg_tde_verify_default_key(); SELECT provider_id, provider_name, key_name @@ -68,7 +71,8 @@ SELECT provider_id, provider_name, key_name CHECKPOINT; -SELECT pg_tde_set_default_key_using_global_key_provider('new-default-key', 'file-provider', false); +SELECT pg_tde_create_key_using_global_key_provider('new-default-key', 'file-provider'); +SELECT pg_tde_set_default_key_using_global_key_provider('new-default-key', 'file-provider'); SELECT provider_id, provider_name, key_name FROM pg_tde_key_info(); diff --git a/contrib/pg_tde/sql/delete_principal_key.sql b/contrib/pg_tde/sql/delete_principal_key.sql index f058a7f506064..262d456933555 100644 --- a/contrib/pg_tde/sql/delete_principal_key.sql +++ b/contrib/pg_tde/sql/delete_principal_key.sql 
@@ -1,6 +1,10 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per'); +SELECT pg_tde_create_key_using_global_key_provider('defalut-key','file-provider'); +SELECT pg_tde_create_key_using_global_key_provider('test-db-key','file-provider'); -- Set the local key and delete it without any encrypted tables -- Should succeed: nothing used the key diff --git a/contrib/pg_tde/sql/insert_update_delete.sql b/contrib/pg_tde/sql/insert_update_delete.sql index 9efd91a809dc0..3ec1a8014d4e4 100644 --- a/contrib/pg_tde/sql/insert_update_delete.sql +++ b/contrib/pg_tde/sql/insert_update_delete.sql @@ -1,6 +1,9 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); CREATE TABLE albums ( diff --git a/contrib/pg_tde/sql/key_provider.sql b/contrib/pg_tde/sql/key_provider.sql index 9cfb21ee2f5e6..ad4467e787dd3 100644 --- a/contrib/pg_tde/sql/key_provider.sql +++ b/contrib/pg_tde/sql/key_provider.sql @@ -1,3 +1,8 @@ +\! rm -f '/tmp/db-provider-file' +\! rm -f '/tmp/global-provider-file-1' +\! rm -f '/tmp/pg_tde_test_keyring.per' +\! rm -f '/tmp/pg_tde_test_keyring2.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT * FROM pg_tde_key_info(); 
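Review bot: The key name in `SELECT pg_tde_create_key_using_global_key_provider('defalut-key','file-provider');` looks like a typo of 'default-key'. Because the set functions now reject names that were not created first (the C side reports `key "%s" does not exist`), any later statement in this file that sets 'default-key' would fail; if the rest of the file uses 'default-key', this line should too. The remainder of delete_principal_key.sql is outside the hunk.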
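Review bot: The cleanup block in key_provider.sql removes '/tmp/db-provider-file', '/tmp/global-provider-file-1', '/tmp/pg_tde_test_keyring.per' and '/tmp/pg_tde_test_keyring2.per', but later hunks of the same file also reference '/tmp/pg_tde_test_keyring_dup.per', '/tmp/global-provider-file-2' and '/tmp/db-provider-file-2'. If any of those paths receives a key during the run, a stale file from a previous run makes the test order-dependent in exactly the way this block is meant to prevent. Either add them, e.g. `\! rm -f '/tmp/db-provider-file-2'`, or add a comment stating they are intentionally omitted because the provider changes that use them are expected to fail before writing.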
@@ -8,6 +13,8 @@ SELECT pg_tde_add_database_key_provider_file('file-provider2','/tmp/pg_tde_test_ SELECT pg_tde_add_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring_dup.per'); SELECT * FROM pg_tde_list_all_database_key_providers(); +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-provider'); + SELECT pg_tde_verify_key(); SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-provider'); SELECT pg_tde_verify_key(); @@ -34,7 +41,7 @@ SELECT id, name FROM pg_tde_list_all_database_key_providers(); SELECT id, name FROM pg_tde_list_all_global_key_providers(); -SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'file-keyring', false); +SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'file-keyring'); -- fails SELECT pg_tde_delete_global_key_provider('file-keyring'); @@ -103,6 +110,7 @@ SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": tr -- Modifying key providers fails if new settings can't fetch existing server key SELECT pg_tde_add_global_key_provider_file('global-provider', '/tmp/global-provider-file-1'); +SELECT pg_tde_create_key_using_global_key_provider('server-key', 'global-provider'); SELECT pg_tde_set_server_key_using_global_key_provider('server-key', 'global-provider'); SELECT pg_tde_change_global_key_provider_file('global-provider','/tmp/global-provider-file-2'); @@ -113,6 +121,7 @@ SELECT current_database() AS regress_database CREATE DATABASE db_using_global_provider; \c db_using_global_provider; CREATE EXTENSION pg_tde; +SELECT pg_tde_create_key_using_global_key_provider('database-key', 'global-provider2'); SELECT pg_tde_set_key_using_global_key_provider('database-key', 'global-provider2'); \c :regress_database SELECT pg_tde_change_global_key_provider_file('global-provider2', '/tmp/global-provider-file-2'); 
@@ -121,6 +130,7 @@ CREATE DATABASE db_using_database_provider; \c db_using_database_provider; CREATE EXTENSION pg_tde; SELECT pg_tde_add_database_key_provider_file('db-provider', '/tmp/db-provider-file'); +SELECT pg_tde_create_key_using_database_key_provider('database-key', 'db-provider'); SELECT pg_tde_set_key_using_database_key_provider('database-key', 'db-provider'); SELECT pg_tde_change_database_key_provider_file('db-provider', '/tmp/db-provider-file-2'); \c :regress_database 
@@ -143,16 +153,22 @@ SELECT pg_tde_set_key_using_global_key_provider(NULL, 'file-keyring'); SELECT pg_tde_set_server_key_using_global_key_provider(NULL, 'file-keyring'); -- Empty string is not allowed for a principal key name -SELECT pg_tde_set_default_key_using_global_key_provider('', 'file-keyring'); -SELECT pg_tde_set_key_using_database_key_provider('', 'file-keyring'); -SELECT pg_tde_set_key_using_global_key_provider('', 'file-keyring'); -SELECT pg_tde_set_server_key_using_global_key_provider('', 'file-keyring'); - --- Setting principal key fails if the key name is too long -SELECT pg_tde_set_default_key_using_global_key_provider(repeat('K', 256), 'file-keyring'); -SELECT pg_tde_set_key_using_database_key_provider(repeat('K', 256), 'file-provider'); -SELECT pg_tde_set_key_using_global_key_provider(repeat('K', 256), 'file-keyring'); -SELECT pg_tde_set_server_key_using_global_key_provider(repeat('K', 256), 'file-keyring'); - +SELECT pg_tde_create_key_using_database_key_provider('', 'file-provider'); +SELECT pg_tde_create_key_using_global_key_provider('', 'file-keyring'); + +-- Creating principal key fails if the key name is too long +SELECT pg_tde_create_key_using_database_key_provider(repeat('K', 256), 'file-provider'); +SELECT pg_tde_create_key_using_global_key_provider(repeat('K', 256), 'file-keyring'); + +-- Creating principal key fails if key already exists +SELECT pg_tde_create_key_using_database_key_provider('existing-key','file-provider'); +SELECT pg_tde_create_key_using_database_key_provider('existing-key','file-provider'); +SELECT pg_tde_create_key_using_global_key_provider('existing-key','file-keyring'); + +-- Setting principal key fails if key does not exist +SELECT pg_tde_set_default_key_using_global_key_provider('not-existing', 'file-keyring'); +SELECT pg_tde_set_key_using_database_key_provider('not-existing', 'file-keyring'); +SELECT pg_tde_set_key_using_global_key_provider('not-existing', 'file-keyring'); +SELECT 
pg_tde_set_server_key_using_global_key_provider('not-existing', 'file-keyring'); DROP EXTENSION pg_tde; diff --git a/contrib/pg_tde/sql/kmip_test.sql b/contrib/pg_tde/sql/kmip_test.sql index eedc14c6e7f5e..0e148566f52bd 100644 --- a/contrib/pg_tde/sql/kmip_test.sql +++ b/contrib/pg_tde/sql/kmip_test.sql @@ -1,6 +1,7 @@ CREATE EXTENSION pg_tde; SELECT pg_tde_add_database_key_provider_kmip('kmip-prov', '127.0.0.1', 5696, '/tmp/client_certificate_jane_doe.pem', '/tmp/client_key_jane_doe.pem', '/tmp/server_certificate.pem'); +SELECT pg_tde_create_key_using_database_key_provider('kmip-key','kmip-prov'); SELECT pg_tde_set_key_using_database_key_provider('kmip-key','kmip-prov'); CREATE TABLE test_enc( diff --git a/contrib/pg_tde/sql/partition_table.sql b/contrib/pg_tde/sql/partition_table.sql index b77b1f4c35436..0885e55930c10 100644 --- a/contrib/pg_tde/sql/partition_table.sql +++ b/contrib/pg_tde/sql/partition_table.sql @@ -1,5 +1,8 @@ +\! rm -f '/tmp/pg_tde_keyring.per' + CREATE EXTENSION pg_tde; SELECT pg_tde_add_database_key_provider_file('database_keyring_provider','/tmp/pg_tde_keyring.per'); +SELECT pg_tde_create_key_using_database_key_provider('table_key','database_keyring_provider'); SELECT pg_tde_set_key_using_database_key_provider('table_key','database_keyring_provider'); CREATE TABLE IF NOT EXISTS partitioned_table ( id SERIAL, diff --git a/contrib/pg_tde/sql/pg_tde_is_encrypted.sql b/contrib/pg_tde/sql/pg_tde_is_encrypted.sql index 19e57b1689b93..5fb492c152146 100644 --- a/contrib/pg_tde/sql/pg_tde_is_encrypted.sql +++ b/contrib/pg_tde/sql/pg_tde_is_encrypted.sql @@ -1,6 +1,9 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); CREATE TABLE test_enc ( 
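Review bot: The empty-name and too-long-name checks now cover only the two create functions, while the set functions, which keep the empty-name check and gain a length check in pg_tde_set_principal_key_internal in this same commit, are no longer exercised with those inputs. Keeping one `SELECT pg_tde_set_key_using_global_key_provider('', 'file-keyring');` and one `SELECT pg_tde_set_key_using_global_key_provider(repeat('K', 256), 'file-keyring');` would keep that new code path tested. Separately, `SELECT pg_tde_set_key_using_database_key_provider('not-existing', 'file-keyring');` names what appears to be a global provider (the removed lines used 'file-provider' for the database variant); if so, the call fails on provider lookup rather than on the missing key and does not test what the comment above it says.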
diff --git a/contrib/pg_tde/sql/recreate_storage.sql b/contrib/pg_tde/sql/recreate_storage.sql index 7a19ad35444ea..60804f6e379db 100644 --- a/contrib/pg_tde/sql/recreate_storage.sql +++ b/contrib/pg_tde/sql/recreate_storage.sql @@ -1,6 +1,9 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); SET default_table_access_method = "tde_heap"; diff --git a/contrib/pg_tde/sql/tablespace.sql b/contrib/pg_tde/sql/tablespace.sql index 7e2abce87ca13..413a1159ba2de 100644 --- a/contrib/pg_tde/sql/tablespace.sql +++ b/contrib/pg_tde/sql/tablespace.sql @@ -1,6 +1,9 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); CREATE TABLE test(num1 bigint, num2 double precision, t text) USING tde_heap; diff --git a/contrib/pg_tde/sql/toast_decrypt.sql b/contrib/pg_tde/sql/toast_decrypt.sql index 4cd6cf513f618..34d8341c4ebd8 100644 --- a/contrib/pg_tde/sql/toast_decrypt.sql +++ b/contrib/pg_tde/sql/toast_decrypt.sql @@ -1,6 +1,9 @@ +\! rm -f '/tmp/pg_tde_test_keyring.per' + CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per'); +SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault'); SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault'); CREATE TABLE src (f1 TEXT STORAGE EXTERNAL) USING tde_heap; 
diff --git a/contrib/pg_tde/sql/vault_v2_test.sql b/contrib/pg_tde/sql/vault_v2_test.sql index e43dc3798d7fe..8b95e1cf27dce 100644 --- a/contrib/pg_tde/sql/vault_v2_test.sql +++ b/contrib/pg_tde/sql/vault_v2_test.sql @@ -5,7 +5,7 @@ CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect', 'https://127.0.0.1:8200', 'DUMMY-TOKEN', :'root_token_file', :'cacert_file'); -- FAILS -SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key', 'vault-incorrect'); +SELECT pg_tde_create_key_using_database_key_provider('vault-v2-key', 'vault-incorrect'); CREATE TABLE test_enc( id SERIAL, @@ -14,6 +14,7 @@ CREATE TABLE test_enc( ) USING tde_heap; SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2', 'https://127.0.0.1:8200', 'secret', :'root_token_file', :'cacert_file'); +SELECT pg_tde_create_key_using_database_key_provider('vault-v2-key', 'vault-v2'); SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key', 'vault-v2'); CREATE TABLE test_enc( diff --git a/contrib/pg_tde/src/catalog/tde_principal_key.c b/contrib/pg_tde/src/catalog/tde_principal_key.c index 26f4aad39cf1d..3944d123825db 100644 --- a/contrib/pg_tde/src/catalog/tde_principal_key.c +++ b/contrib/pg_tde/src/catalog/tde_principal_key.c 
@@ -85,14 +85,14 @@ static void push_principal_key_to_cache(TDEPrincipalKey *principalKey); static Datum pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid); static TDEPrincipalKey *get_principal_key_from_keyring(Oid dbOid); static TDEPrincipalKey *GetPrincipalKeyNoDefault(Oid dbOid, LWLockMode lockMode); -static void set_principal_key_with_keyring(const char *key_name, - const char *provider_name, - Oid providerOid, - Oid dbOid, - bool ensure_new_key); static bool pg_tde_verify_principal_key_internal(Oid databaseOid); +static void pg_tde_create_principal_key_internal(Oid providerOid, const char *key_name, const char *provider_name); static void pg_tde_rotate_default_key_for_database(TDEPrincipalKey *oldKey, TDEPrincipalKey *newKeyTemplate); +static void pg_tde_set_principal_key_internal(Oid providerOid, Oid dbOid, const char *principal_key_name, const char *provider_name); +static void set_principal_key_with_keyring(const char *key_name, const char *provider_name, Oid providerOid, Oid dbOid); +PG_FUNCTION_INFO_V1(pg_tde_create_key_using_database_key_provider); +PG_FUNCTION_INFO_V1(pg_tde_create_key_using_global_key_provider); PG_FUNCTION_INFO_V1(pg_tde_set_default_key_using_global_key_provider); PG_FUNCTION_INFO_V1(pg_tde_set_key_using_database_key_provider); PG_FUNCTION_INFO_V1(pg_tde_set_key_using_global_key_provider); @@ -100,8 +100,6 @@ PG_FUNCTION_INFO_V1(pg_tde_set_server_key_using_global_key_provider); PG_FUNCTION_INFO_V1(pg_tde_delete_key); PG_FUNCTION_INFO_V1(pg_tde_delete_default_key); -static void pg_tde_set_principal_key_internal(Oid providerOid, Oid dbOid, const char *principal_key_name, const char *provider_name, bool ensure_new_key); - /* * Request some pages so we can fit the DSA header, empty hash table plus some * extra. Additional memory to grow the hash map will be allocated as needed 
@@ -217,8 +215,10 @@ principal_key_info_attach_shmem(void) } void -set_principal_key_with_keyring(const char *key_name, const char *provider_name, - Oid providerOid, Oid dbOid, bool ensure_new_key) +set_principal_key_with_keyring(const char *key_name, + const char *provider_name, + Oid providerOid, + Oid dbOid) { TDEPrincipalKey *curr_principal_key; TDEPrincipalKey *new_principal_key; @@ -227,12 +227,6 @@ set_principal_key_with_keyring(const char *key_name, const char *provider_name, GenericKeyring *new_keyring; const KeyInfo *keyInfo = NULL; - if (AllowInheritGlobalProviders == false && providerOid != dbOid) - { - ereport(ERROR, - errmsg("Usage of global key providers is disabled. Enable it with pg_tde.inherit_global_providers = ON")); - } - /* * Try to get principal key from cache. */ 
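Review bot: Removing the AllowInheritGlobalProviders check from set_principal_key_with_keyring moves the guard to the SQL entry points (pg_tde_set_principal_key_internal and pg_tde_create_principal_key_internal), so any other internal caller of this function now reaches a global keyring without it; the prototype list at the top of the file suggests a default-key rotation path, though whether it calls this function is not visible here. If the guard is meant to apply only to user-initiated calls this is fine, but it deserves a comment above the function, e.g. `/* Callers are responsible for the superuser and inherit_global_providers checks. */`. The function body continues outside the hunk.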
@@ -251,25 +245,24 @@ set_principal_key_with_keyring(const char *key_name, const char *provider_name, if (kr_ret != KEYRING_CODE_SUCCESS) { ereport(ERROR, - errmsg("failed to retrieve principal key from keyring provider :\"%s\"", new_keyring->provider_name), - errdetail("Error code: %d", kr_ret)); + errmsg("could not successfully query key provider \"%s\"", new_keyring->provider_name)); } } - if (keyInfo != NULL && ensure_new_key) + if (!keyInfo) { - ereport(ERROR, - errmsg("failed to create principal key: already exists")); + if (providerOid == GLOBAL_DATA_TDE_OID) + ereport(ERROR, + errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("key \"%s\" does not exist", key_name), + errhint("Use pg_tde_create_key_using_global_key_provider() to create it.")); + else + ereport(ERROR, + errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("key \"%s\" does not exist", key_name), + errhint("Use pg_tde_create_key_using_database_key_provider() to create it.")); } - if (strlen(key_name) >= sizeof(keyInfo->name)) - ereport(ERROR, - errcode(ERRCODE_INVALID_PARAMETER_VALUE), - errmsg("too long principal key name, maximum length is %ld bytes", sizeof(keyInfo->name) - 1)); - - if (keyInfo == NULL) - keyInfo = KeyringGenerateNewKeyAndStore(new_keyring, key_name, PRINCIPAL_KEY_LEN); - new_principal_key = palloc_object(TDEPrincipalKey); new_principal_key->keyInfo.databaseId = dbOid; new_principal_key->keyInfo.keyringId = new_keyring->keyring_id; 
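Review bot: The rewritten keyring-failure report drops the `errdetail("Error code: %d", kr_ret)` and still carries no errcode, so a failed KMIP or Vault lookup now surfaces as an XX000 internal error with no indication of what went wrong, which is the case an operator most needs to diagnose. Keep the detail, e.g. `errmsg("could not successfully query key provider \"%s\"", new_keyring->provider_name), errdetail("Keyring return code: %d.", kr_ret)`, and consider an explicit errcode such as ERRCODE_EXTERNAL_ROUTINE_EXCEPTION. The same report is duplicated in pg_tde_create_principal_key_internal and should get the same treatment.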
@@ -452,15 +445,99 @@ clear_principal_key_cache(Oid databaseId) * SQL interface to set principal key */ +Datum +pg_tde_create_key_using_database_key_provider(PG_FUNCTION_ARGS) +{ + char *key_name = PG_ARGISNULL(0) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(0)); + char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1)); + + pg_tde_create_principal_key_internal(MyDatabaseId, + key_name, + provider_name); + + PG_RETURN_VOID(); +} + +Datum +pg_tde_create_key_using_global_key_provider(PG_FUNCTION_ARGS) +{ + char *key_name = PG_ARGISNULL(0) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(0)); + char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1)); + + pg_tde_create_principal_key_internal(GLOBAL_DATA_TDE_OID, + key_name, + provider_name); + + PG_RETURN_VOID(); +} + +static void +pg_tde_create_principal_key_internal(Oid providerOid, + const char *key_name, + const char *provider_name) +{ + + GenericKeyring *provider; + KeyInfo *key_info; + KeyringReturnCodes return_code; + + if (providerOid == GLOBAL_DATA_TDE_OID && !superuser()) + ereport(ERROR, + errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("must be superuser to access global key providers")); + if (providerOid == GLOBAL_DATA_TDE_OID && !AllowInheritGlobalProviders) + ereport(ERROR, + errmsg("usage of global key providers is disabled"), + errhint("Set \"pg_tde.inherit_global_providers = on\" in postgresql.conf.")); + + if (key_name == NULL) + ereport(ERROR, + errcode(ERRCODE_NULL_VALUE_NOT_ALLOWED), + errmsg("key name cannot be null")); + if (strlen(key_name) == 0) + ereport(ERROR, + errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("key name \"\" is too short")); + if (strlen(key_name) >= PRINCIPAL_KEY_NAME_LEN) + ereport(ERROR, + errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("key name \"%s\" is too long", key_name), + errhint("Maximum length is %d bytes.", PRINCIPAL_KEY_NAME_LEN - 1)); + if (provider_name == NULL) + ereport(ERROR, + 
errcode(ERRCODE_NULL_VALUE_NOT_ALLOWED), + errmsg("key provider name cannot be null")); + + provider = GetKeyProviderByName(provider_name, providerOid); + + key_info = KeyringGetKey(provider, key_name, &return_code); + + if (return_code != KEYRING_CODE_SUCCESS) + ereport(ERROR, + errmsg("could not successfully query key provider \"%s\"", provider->provider_name)); + + if (key_info != NULL) + ereport(ERROR, + errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("cannot to create key \"%s\" because it already exists", key_name)); + + key_info = KeyringGenerateNewKeyAndStore(provider, key_name, PRINCIPAL_KEY_LEN); + + pfree(key_info); + pfree(provider); +} + Datum pg_tde_set_default_key_using_global_key_provider(PG_FUNCTION_ARGS) { char *principal_key_name = PG_ARGISNULL(0) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(0)); char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1)); - bool ensure_new_key = PG_GETARG_BOOL(2); /* Using a global provider for the default encryption setting */ - pg_tde_set_principal_key_internal(GLOBAL_DATA_TDE_OID, DEFAULT_DATA_TDE_OID, principal_key_name, provider_name, ensure_new_key); + pg_tde_set_principal_key_internal(GLOBAL_DATA_TDE_OID, + DEFAULT_DATA_TDE_OID, + principal_key_name, + provider_name); PG_RETURN_VOID(); } @@ -470,10 +547,12 @@ pg_tde_set_key_using_database_key_provider(PG_FUNCTION_ARGS) { char *principal_key_name = PG_ARGISNULL(0) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(0)); char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1)); - bool ensure_new_key = PG_GETARG_BOOL(2); /* Using a local provider for the current database */ - pg_tde_set_principal_key_internal(MyDatabaseId, MyDatabaseId, principal_key_name, provider_name, ensure_new_key); + pg_tde_set_principal_key_internal(MyDatabaseId, + MyDatabaseId, + principal_key_name, + provider_name); PG_RETURN_VOID(); } 
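Review bot: In pg_tde_create_principal_key_internal the KeyInfo returned by KeyringGenerateNewKeyAndStore is released with a bare `pfree(key_info)`; if KeyInfo carries the generated key bytes, as the PRINCIPAL_KEY_LEN argument suggests, the principal key material stays readable in freed backend memory. Wipe it first, `explicit_bzero(key_info, sizeof(*key_info)); pfree(key_info);`, and check the return value for NULL before freeing unless the keyring layer is known to ereport on failure. The message `cannot to create key \"%s\" because it already exists` should read "cannot create key ...". The existence check via KeyringGetKey and the subsequent store are not serialized by anything visible here, so two sessions creating the same name concurrently may both pass the check; if a lock is taken inside the keyring layer, a comment saying so would help the next reader.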
@@ -483,10 +562,12 @@ pg_tde_set_key_using_global_key_provider(PG_FUNCTION_ARGS) { char *principal_key_name = PG_ARGISNULL(0) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(0)); char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1)); - bool ensure_new_key = PG_GETARG_BOOL(2); /* Using a global provider for the current database */ - pg_tde_set_principal_key_internal(GLOBAL_DATA_TDE_OID, MyDatabaseId, principal_key_name, provider_name, ensure_new_key); + pg_tde_set_principal_key_internal(GLOBAL_DATA_TDE_OID, + MyDatabaseId, + principal_key_name, + provider_name); PG_RETURN_VOID(); } @@ -496,19 +577,24 @@ pg_tde_set_server_key_using_global_key_provider(PG_FUNCTION_ARGS) { char *principal_key_name = PG_ARGISNULL(0) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(0)); char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1)); - bool ensure_new_key = PG_GETARG_BOOL(2); ereport(WARNING, errmsg("The WAL encryption feature is currently in beta and may be unstable. Do not use it in production environments!")); /* Using a global provider for the global (wal) database */ - pg_tde_set_principal_key_internal(GLOBAL_DATA_TDE_OID, GLOBAL_DATA_TDE_OID, principal_key_name, provider_name, ensure_new_key); + pg_tde_set_principal_key_internal(GLOBAL_DATA_TDE_OID, + GLOBAL_DATA_TDE_OID, + principal_key_name, + provider_name); PG_RETURN_VOID(); } static void -pg_tde_set_principal_key_internal(Oid providerOid, Oid dbOid, const char *key_name, const char *provider_name, bool ensure_new_key) +pg_tde_set_principal_key_internal(Oid providerOid, + Oid dbOid, + const char *key_name, + const char *provider_name) { TDEPrincipalKey *existingDefaultKey = NULL; TDEPrincipalKey existingKeyCopy; 
@@ -517,6 +603,10 @@ pg_tde_set_principal_key_internal(Oid providerOid, Oid dbOid, const char *key_na ereport(ERROR, errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be superuser to access global key providers")); + if (providerOid == GLOBAL_DATA_TDE_OID && !AllowInheritGlobalProviders) + ereport(ERROR, + errmsg("usage of global key providers is disabled"), + errhint("Set \"pg_tde.inherit_global_providers = on\" in postgresql.conf.")); if (key_name == NULL) ereport(ERROR, @@ -526,6 +616,11 @@ pg_tde_set_principal_key_internal(Oid providerOid, Oid dbOid, const char *key_na ereport(ERROR, errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("key name \"\" is too short")); + if (strlen(key_name) >= PRINCIPAL_KEY_NAME_LEN) + ereport(ERROR, + errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("key name \"%s\" is too long", key_name), + errhint("Maximum length is %d bytes.", PRINCIPAL_KEY_NAME_LEN - 1)); if (provider_name == NULL) ereport(ERROR, errcode(ERRCODE_NULL_VALUE_NOT_ALLOWED), @@ -548,8 +643,7 @@ pg_tde_set_principal_key_internal(Oid providerOid, Oid dbOid, const char *key_na set_principal_key_with_keyring(key_name, provider_name, providerOid, - dbOid, - ensure_new_key); + dbOid); if (dbOid == DEFAULT_DATA_TDE_OID && existingDefaultKey != NULL) { diff --git a/contrib/pg_tde/t/basic.pl b/contrib/pg_tde/t/basic.pl index 8eea2d39d3d6c..7d43a3bfcadac 100644 --- a/contrib/pg_tde/t/basic.pl +++ b/contrib/pg_tde/t/basic.pl @@ -46,6 +46,10 @@ "SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_001_basic.per');" ); +PGTDE::psql($node, 'postgres', + "SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault');" +); + PGTDE::psql($node, 'postgres', "SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');" ); diff --git a/contrib/pg_tde/t/change_key_provider.pl b/contrib/pg_tde/t/change_key_provider.pl index 4dbc262cf2d95..78ee711596290 100644 --- a/contrib/pg_tde/t/change_key_provider.pl 
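Review bot: The inherit_global_providers check and the key-name length validation added to pg_tde_set_principal_key_internal are byte-for-byte copies of the blocks in pg_tde_create_principal_key_internal, alongside the already duplicated superuser and null/empty checks. Factoring them into two static helpers would keep the two entry points from drifting and give PRINCIPAL_KEY_NAME_LEN a single home; a sketch of the provider-access helper follows, and a `validate_principal_key_name(const char *key_name)` helper would hold the null/empty/length checks the same way. The function continues outside the hunk.
```c
/* Reject global-provider use by non-superusers and when inheriting is disabled. */
static void
check_global_provider_access(Oid providerOid)
{
	if (providerOid != GLOBAL_DATA_TDE_OID)
		return;
	if (!superuser())
		ereport(ERROR,
				errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
				errmsg("must be superuser to access global key providers"));
	if (!AllowInheritGlobalProviders)
		ereport(ERROR,
				errmsg("usage of global key providers is disabled"),
				errhint("Set \"pg_tde.inherit_global_providers = on\" in postgresql.conf."));
}
/* … unchanged: pg_tde_set_principal_key_internal, now calling check_global_provider_access(providerOid) … */
```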
+++ b/contrib/pg_tde/t/change_key_provider.pl @@ -25,6 +25,9 @@ ); PGTDE::psql($node, 'postgres', "SELECT * FROM pg_tde_list_all_database_key_providers();"); +PGTDE::psql($node, 'postgres', + "SELECT pg_tde_create_key_using_database_key_provider('test-key', 'file-vault');" +); PGTDE::psql($node, 'postgres', "SELECT pg_tde_set_key_using_database_key_provider('test-key', 'file-vault');" ); diff --git a/contrib/pg_tde/t/crash_recovery.pl b/contrib/pg_tde/t/crash_recovery.pl index b4f75010ac3bd..0c4a85c654683 100644 --- a/contrib/pg_tde/t/crash_recovery.pl +++ b/contrib/pg_tde/t/crash_recovery.pl @@ -24,12 +24,18 @@ PGTDE::psql($node, 'postgres', "SELECT pg_tde_add_global_key_provider_file('global_keyring', '/tmp/crash_recovery.per');" ); +PGTDE::psql($node, 'postgres', + "SELECT pg_tde_create_key_using_global_key_provider('wal_encryption_key', 'global_keyring');" +); PGTDE::psql($node, 'postgres', "SELECT pg_tde_set_server_key_using_global_key_provider('wal_encryption_key', 'global_keyring');" ); PGTDE::psql($node, 'postgres', "SELECT pg_tde_add_database_key_provider_file('db_keyring', '/tmp/crash_recovery.per');" ); +PGTDE::psql($node, 'postgres', + "SELECT pg_tde_create_key_using_database_key_provider('db_key', 'db_keyring');" +); PGTDE::psql($node, 'postgres', "SELECT pg_tde_set_key_using_database_key_provider('db_key', 'db_keyring');" ); @@ -51,9 +57,15 @@ $node->start; PGTDE::append_to_result_file("-- rotate wal key"); +PGTDE::psql($node, 'postgres', + "SELECT pg_tde_create_key_using_global_key_provider('wal_encryption_key_1', 'global_keyring');" +); PGTDE::psql($node, 'postgres', "SELECT pg_tde_set_server_key_using_global_key_provider('wal_encryption_key_1', 'global_keyring');" ); +PGTDE::psql($node, 'postgres', + "SELECT pg_tde_create_key_using_database_key_provider('db_key_1', 'db_keyring');" +); PGTDE::psql($node, 'postgres', "SELECT pg_tde_set_key_using_database_key_provider('db_key_1', 'db_keyring');" ); 
@@ -67,9 +79,15 @@ $node->start; PGTDE::append_to_result_file("-- rotate wal key"); +PGTDE::psql($node, 'postgres', + "SELECT pg_tde_create_key_using_global_key_provider('wal_encryption_key_2', 'global_keyring');" +); PGTDE::psql($node, 'postgres', "SELECT pg_tde_set_server_key_using_global_key_provider('wal_encryption_key_2', 'global_keyring');" ); +PGTDE::psql($node, 'postgres', + "SELECT pg_tde_create_key_using_database_key_provider('db_key_2', 'db_keyring');" +); PGTDE::psql($node, 'postgres', "SELECT pg_tde_set_key_using_database_key_provider('db_key_2', 'db_keyring');" ); diff --git a/contrib/pg_tde/t/expected/basic.out b/contrib/pg_tde/t/expected/basic.out index 99020c9439217..7070fb44af8a5 100644 --- a/contrib/pg_tde/t/expected/basic.out +++ b/contrib/pg_tde/t/expected/basic.out @@ -32,6 +32,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_001 (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/t/expected/change_key_provider.out b/contrib/pg_tde/t/expected/change_key_provider.out index fc7858c7f684e..cebcfa858ac2d 100644 --- a/contrib/pg_tde/t/expected/change_key_provider.out +++ b/contrib/pg_tde/t/expected/change_key_provider.out 
@@ -11,6 +11,12 @@ SELECT * FROM pg_tde_list_all_database_key_providers(); 1 | file-vault | file | {"path" : "/tmp/change_key_provider_1.per"} (1 row) +SELECT pg_tde_create_key_using_database_key_provider('test-key', 'file-vault'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('test-key', 'file-vault'); pg_tde_set_key_using_database_key_provider -------------------------------------------- diff --git a/contrib/pg_tde/t/expected/crash_recovery.out b/contrib/pg_tde/t/expected/crash_recovery.out index 1bbaf536931f1..6b5958842a3cd 100644 --- a/contrib/pg_tde/t/expected/crash_recovery.out +++ b/contrib/pg_tde/t/expected/crash_recovery.out @@ -5,6 +5,12 @@ SELECT pg_tde_add_global_key_provider_file('global_keyring', '/tmp/crash_recover (1 row) +SELECT pg_tde_create_key_using_global_key_provider('wal_encryption_key', 'global_keyring'); + pg_tde_create_key_using_global_key_provider +--------------------------------------------- + +(1 row) + SELECT pg_tde_set_server_key_using_global_key_provider('wal_encryption_key', 'global_keyring'); pg_tde_set_server_key_using_global_key_provider ------------------------------------------------- @@ -18,6 +24,12 @@ SELECT pg_tde_add_database_key_provider_file('db_keyring', '/tmp/crash_recovery. (1 row) +SELECT pg_tde_create_key_using_database_key_provider('db_key', 'db_keyring'); + pg_tde_create_key_using_database_key_provider +----------------------------------------------- + +(1 row) + SELECT pg_tde_set_key_using_database_key_provider('db_key', 'db_keyring'); pg_tde_set_key_using_database_key_provider -------------------------------------------- 
@@ -32,6 +44,12 @@ ALTER SYSTEM SET pg_tde.wal_encrypt = 'on';
 -- kill -9
 -- server start
 -- rotate wal key
+SELECT pg_tde_create_key_using_global_key_provider('wal_encryption_key_1', 'global_keyring');
+ pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_server_key_using_global_key_provider('wal_encryption_key_1', 'global_keyring');
  pg_tde_set_server_key_using_global_key_provider
 -------------------------------------------------
@@ -39,6 +57,12 @@ SELECT pg_tde_set_server_key_using_global_key_provider('wal_encryption_key_1', '
 (1 row)
 psql::1: WARNING: The WAL encryption feature is currently in beta and may be unstable. Do not use it in production environments!
+SELECT pg_tde_create_key_using_database_key_provider('db_key_1', 'db_keyring');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('db_key_1', 'db_keyring');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
@@ -50,6 +74,12 @@ INSERT INTO test_enc (x) VALUES (3), (4);
 -- server start
 -- check that pg_tde_save_principal_key_redo hasn't destroyed a WAL key created during the server start
 -- rotate wal key
+SELECT pg_tde_create_key_using_global_key_provider('wal_encryption_key_2', 'global_keyring');
+ pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_server_key_using_global_key_provider('wal_encryption_key_2', 'global_keyring');
  pg_tde_set_server_key_using_global_key_provider
 -------------------------------------------------
@@ -57,6 +87,12 @@ SELECT pg_tde_set_server_key_using_global_key_provider('wal_encryption_key_2', '
 (1 row)
 psql::1: WARNING: The WAL encryption feature is currently in beta and may be unstable. Do not use it in production environments!
+SELECT pg_tde_create_key_using_database_key_provider('db_key_2', 'db_keyring');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('db_key_2', 'db_keyring');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
diff --git a/contrib/pg_tde/t/expected/key_rotate_tablespace.out b/contrib/pg_tde/t/expected/key_rotate_tablespace.out
index 17559d72d24b9..c850828f9f95d 100644
--- a/contrib/pg_tde/t/expected/key_rotate_tablespace.out
+++ b/contrib/pg_tde/t/expected/key_rotate_tablespace.out
@@ -7,6 +7,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/key_rotate_tabl
 (1 row)
+SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
@@ -30,6 +36,12 @@ SELECT * FROM country_table;
  3 | USA | North America
 (3 rows)
+SELECT pg_tde_create_key_using_database_key_provider('new-k', 'file-vault');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('new-k', 'file-vault');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
diff --git a/contrib/pg_tde/t/expected/replication.out b/contrib/pg_tde/t/expected/replication.out
index 037e04ee662ef..9b44c223f2943 100644
--- a/contrib/pg_tde/t/expected/replication.out
+++ b/contrib/pg_tde/t/expected/replication.out
@@ -6,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/replication.per
 (1 row)
+SELECT pg_tde_create_key_using_database_key_provider('test-key', 'file-vault');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('test-key', 'file-vault');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
@@ -62,6 +68,12 @@ SELECT pg_tde_add_global_key_provider_file('file-vault', '/tmp/unlogged_tables.p
 (1 row)
+SELECT pg_tde_create_key_using_global_key_provider('test-global-key', 'file-vault');
+ pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_server_key_using_global_key_provider('test-global-key', 'file-vault');
  pg_tde_set_server_key_using_global_key_provider
 -------------------------------------------------
diff --git a/contrib/pg_tde/t/expected/rotate_key.out b/contrib/pg_tde/t/expected/rotate_key.out
index 7020730ddbd22..4fc776991159c 100644
--- a/contrib/pg_tde/t/expected/rotate_key.out
+++ b/contrib/pg_tde/t/expected/rotate_key.out
@@ -30,6 +30,12 @@ SELECT pg_tde_list_all_database_key_providers();
 (2,file-2,file,"{""path"" : ""/tmp/rotate_key_2.per""}")
 (2 rows)
+SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
@@ -45,6 +51,12 @@ SELECT * FROM test_enc ORDER BY id;
  2 | 6
 (2 rows)
+SELECT pg_tde_create_key_using_database_key_provider('rotated-key1', 'file-vault');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('rotated-key1', 'file-vault');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
@@ -78,6 +90,12 @@ SELECT * FROM test_enc ORDER BY id;
  2 | 6
 (2 rows)
+SELECT pg_tde_create_key_using_database_key_provider('rotated-key2', 'file-2');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('rotated-key2', 'file-2');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
@@ -111,7 +129,13 @@ SELECT * FROM test_enc ORDER BY id;
  2 | 6
 (2 rows)
-SELECT pg_tde_set_key_using_global_key_provider('rotated-key', 'file-3', false);
+SELECT pg_tde_create_key_using_global_key_provider('rotated-key', 'file-3');
+ pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+ 
+(1 row)
+
+SELECT pg_tde_set_key_using_global_key_provider('rotated-key', 'file-3');
  pg_tde_set_key_using_global_key_provider
 ------------------------------------------
@@ -144,7 +168,13 @@ SELECT * FROM test_enc ORDER BY id;
  2 | 6
 (2 rows)
-SELECT pg_tde_set_key_using_global_key_provider('rotated-keyX', 'file-2', false);
+SELECT pg_tde_create_key_using_global_key_provider('rotated-keyX', 'file-2');
+ pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+ 
+(1 row)
+
+SELECT pg_tde_set_key_using_global_key_provider('rotated-keyX', 'file-2');
  pg_tde_set_key_using_global_key_provider
 ------------------------------------------
@@ -179,8 +209,12 @@ SELECT * FROM test_enc ORDER BY id;
 ALTER SYSTEM SET pg_tde.inherit_global_providers = off;
 -- server restart
-SELECT pg_tde_set_key_using_global_key_provider('rotated-keyX2', 'file-2', false);
-psql::1: ERROR: Usage of global key providers is disabled. Enable it with pg_tde.inherit_global_providers = ON
+SELECT pg_tde_create_key_using_global_key_provider('rotated-keyX2', 'file-2');
+psql::1: ERROR: usage of global key providers is disabled
+HINT: Set "pg_tde.inherit_global_providers = on" in postgresql.conf.
+SELECT pg_tde_set_key_using_global_key_provider('rotated-keyX2', 'file-2');
+psql::1: ERROR: usage of global key providers is disabled
+HINT: Set "pg_tde.inherit_global_providers = on" in postgresql.conf.
 SELECT provider_id, provider_name, key_name FROM pg_tde_key_info();
  provider_id | provider_name | key_name
 -------------+---------------+--------------
diff --git a/contrib/pg_tde/t/expected/tde_heap.out b/contrib/pg_tde/t/expected/tde_heap.out
index f49a3586eb0aa..e0083b15570b0 100644
--- a/contrib/pg_tde/t/expected/tde_heap.out
+++ b/contrib/pg_tde/t/expected/tde_heap.out
@@ -5,6 +5,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/tde_heap.per');
 (1 row)
+SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
diff --git a/contrib/pg_tde/t/expected/unlogged_tables.out b/contrib/pg_tde/t/expected/unlogged_tables.out
index b507e48ff3ba4..4c854576016e5 100644
--- a/contrib/pg_tde/t/expected/unlogged_tables.out
+++ b/contrib/pg_tde/t/expected/unlogged_tables.out
@@ -5,6 +5,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/unlogged_tables
 (1 row)
+SELECT pg_tde_create_key_using_database_key_provider('test-key', 'file-vault');
+ pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('test-key', 'file-vault');
  pg_tde_set_key_using_database_key_provider
 --------------------------------------------
diff --git a/contrib/pg_tde/t/expected/wal_encrypt.out b/contrib/pg_tde/t/expected/wal_encrypt.out
index 6a2bfa6100e8d..a1a22557980a2 100644
--- a/contrib/pg_tde/t/expected/wal_encrypt.out
+++ b/contrib/pg_tde/t/expected/wal_encrypt.out
@@ -13,6 +13,12 @@ SELECT key_name, provider_name, provider_id FROM pg_tde_server_key_info();
  | |
 (1 row)
+SELECT pg_tde_create_key_using_global_key_provider('server-key', 'file-keyring-010');
+ pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+ 
+(1 row)
+
 SELECT pg_tde_set_server_key_using_global_key_provider('server-key', 'file-keyring-010');
  pg_tde_set_server_key_using_global_key_provider
 -------------------------------------------------
diff --git a/contrib/pg_tde/t/key_rotate_tablespace.pl b/contrib/pg_tde/t/key_rotate_tablespace.pl
index 5168d22527924..ff30aa3f33dcc 100644
--- a/contrib/pg_tde/t/key_rotate_tablespace.pl
+++ b/contrib/pg_tde/t/key_rotate_tablespace.pl
@@ -26,6 +26,9 @@
 PGTDE::psql($node, 'tbc',
  "SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/key_rotate_tablespace.per');"
 );
+PGTDE::psql($node, 'tbc',
+ "SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault');"
+);
 PGTDE::psql($node, 'tbc',
  "SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');"
 );
@@ -48,7 +51,9 @@
 ");
 PGTDE::psql($node, 'tbc', 'SELECT * FROM country_table;');
-
+PGTDE::psql($node, 'tbc',
+ "SELECT pg_tde_create_key_using_database_key_provider('new-k', 'file-vault');"
+);
 PGTDE::psql($node, 'tbc',
  "SELECT pg_tde_set_key_using_database_key_provider('new-k', 'file-vault');"
 );
diff --git a/contrib/pg_tde/t/multiple_extensions.pl b/contrib/pg_tde/t/multiple_extensions.pl
index 2137082ca973f..3f52d0ea6528c 100644
--- a/contrib/pg_tde/t/multiple_extensions.pl
+++ b/contrib/pg_tde/t/multiple_extensions.pl
@@ -123,6 +123,10 @@
  'postgres',
  "SELECT pg_tde_add_database_key_provider_file('file-provider', json_object('type' VALUE 'file', 'path' VALUE '/tmp/datafile-location'));",
  extra_params => ['-a']);
+$node->psql(
+ 'postgres',
+ "SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-provider');",
+ extra_params => ['-a']);
 $node->psql(
  'postgres',
  "SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-provider');",
diff --git a/contrib/pg_tde/t/pg_waldump_basic.pl b/contrib/pg_tde/t/pg_waldump_basic.pl
index 7ec14eed121b6..5f86b7929ce32 100644
--- a/contrib/pg_tde/t/pg_waldump_basic.pl
+++ b/contrib/pg_tde/t/pg_waldump_basic.pl
@@ -32,6 +32,9 @@
 $node->safe_psql('postgres',
  "SELECT pg_tde_add_global_key_provider_file('file-keyring-wal', '/tmp/pg_waldump_basic.per');"
 );
+$node->safe_psql('postgres',
+ "SELECT pg_tde_create_key_using_global_key_provider('server-key', 'file-keyring-wal');"
+);
 $node->safe_psql('postgres',
  "SELECT pg_tde_set_server_key_using_global_key_provider('server-key', 'file-keyring-wal');"
 );
diff --git a/contrib/pg_tde/t/pg_waldump_fullpage.pl b/contrib/pg_tde/t/pg_waldump_fullpage.pl
index 3caf2cfbcf329..b543b46bea456 100644
--- a/contrib/pg_tde/t/pg_waldump_fullpage.pl
+++ b/contrib/pg_tde/t/pg_waldump_fullpage.pl
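Review bot: In the multiple_extensions.pl hunk the result of `$node->psql(...)` for the new `pg_tde_create_key_using_database_key_provider` call is discarded, as it already is for the neighbouring add-provider and set-key calls; `psql` in PostgreSQL's test cluster module only dies on a failed statement when `on_error_die` is passed, so a create that errors out would be noticed, if at all, only through the later set-key failure. For a setup step whose output the test does not compare, `$node->safe_psql('postgres', "SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-provider');");` would abort the test with the server's message at the point of failure; if the `-a` echo is what the test relies on, `on_error_die => 1` on the existing call does the same. The surrounding `$node->psql` call that the hunk opens with starts before the hunk, and the set-key call it ends with closes after it.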
@@ -46,6 +46,9 @@ sub get_block_lsn
 $node->safe_psql('postgres',
  "SELECT pg_tde_add_global_key_provider_file('file-keyring-wal', '/tmp/pg_waldump_fullpage.per');"
 );
+$node->safe_psql('postgres',
+ "SELECT pg_tde_create_key_using_global_key_provider('server-key', 'file-keyring-wal');"
+);
 $node->safe_psql('postgres',
  "SELECT pg_tde_set_server_key_using_global_key_provider('server-key', 'file-keyring-wal');"
 );
diff --git a/contrib/pg_tde/t/replication.pl b/contrib/pg_tde/t/replication.pl
index 21fbcdfbd1929..0a53fead4d3cb 100644
--- a/contrib/pg_tde/t/replication.pl
+++ b/contrib/pg_tde/t/replication.pl
@@ -32,6 +32,9 @@
 PGTDE::psql($primary, 'postgres',
  "SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/replication.per');"
 );
+PGTDE::psql($primary, 'postgres',
+ "SELECT pg_tde_create_key_using_database_key_provider('test-key', 'file-vault');"
+);
 PGTDE::psql($primary, 'postgres',
  "SELECT pg_tde_set_key_using_database_key_provider('test-key', 'file-vault');"
 );
@@ -65,6 +68,9 @@
 PGTDE::psql($primary, 'postgres',
  "SELECT pg_tde_add_global_key_provider_file('file-vault', '/tmp/unlogged_tables.per');"
 );
+PGTDE::psql($primary, 'postgres',
+ "SELECT pg_tde_create_key_using_global_key_provider('test-global-key', 'file-vault');"
+);
 PGTDE::psql($primary, 'postgres',
  "SELECT pg_tde_set_server_key_using_global_key_provider('test-global-key', 'file-vault');"
 );
diff --git a/contrib/pg_tde/t/rotate_key.pl b/contrib/pg_tde/t/rotate_key.pl
index b60c4b5836186..b836e664d1370 100644
--- a/contrib/pg_tde/t/rotate_key.pl
+++ b/contrib/pg_tde/t/rotate_key.pl
@@ -36,7 +36,9 @@
 PGTDE::psql($node, 'postgres',
  "SELECT pg_tde_list_all_database_key_providers();");
-
+PGTDE::psql($node, 'postgres',
+ "SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault');"
+);
 PGTDE::psql($node, 'postgres',
  "SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');"
 );
@@ -50,6 +52,9 @@
 PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;');
 # Rotate key
+PGTDE::psql($node, 'postgres',
+ "SELECT pg_tde_create_key_using_database_key_provider('rotated-key1', 'file-vault');"
+);
 PGTDE::psql($node, 'postgres',
  "SELECT pg_tde_set_key_using_database_key_provider('rotated-key1', 'file-vault');"
 );
@@ -66,6 +71,9 @@
 PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;');
 # Again rotate key
+PGTDE::psql($node, 'postgres',
+ "SELECT pg_tde_create_key_using_database_key_provider('rotated-key2', 'file-2');"
+);
 PGTDE::psql($node, 'postgres',
  "SELECT pg_tde_set_key_using_database_key_provider('rotated-key2', 'file-2');"
 );
@@ -83,7 +91,10 @@
 # Again rotate key
 PGTDE::psql($node, 'postgres',
- "SELECT pg_tde_set_key_using_global_key_provider('rotated-key', 'file-3', false);"
+ "SELECT pg_tde_create_key_using_global_key_provider('rotated-key', 'file-3');"
+);
+PGTDE::psql($node, 'postgres',
+ "SELECT pg_tde_set_key_using_global_key_provider('rotated-key', 'file-3');"
 );
 PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;');
@@ -102,7 +113,10 @@
 # Again rotate key
 PGTDE::psql($node, 'postgres',
- "SELECT pg_tde_set_key_using_global_key_provider('rotated-keyX', 'file-2', false);"
+ "SELECT pg_tde_create_key_using_global_key_provider('rotated-keyX', 'file-2');"
+);
+PGTDE::psql($node, 'postgres',
+ "SELECT pg_tde_set_key_using_global_key_provider('rotated-keyX', 'file-2');"
 );
 PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;');
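Review bot: With the former third argument (`false`) of `pg_tde_set_key_using_global_key_provider` removed in the -83 and -102 hunks, rotate_key.pl no longer exercises the case where the requested key name already exists in the provider, and none of the new `pg_tde_create_key_using_*` calls anywhere in this diff is issued twice with the same name. For a rotation test that is the case worth pinning: whether a second `create` of 'rotated-key' in 'file-3' is rejected or overwrites the stored key material decides whether a re-run rotation can silently reuse a key. Issuing the create call a second time right after the first, e.g. `PGTDE::psql($node, 'postgres', "SELECT pg_tde_create_key_using_global_key_provider('rotated-key', 'file-3');");`, and committing whatever the server replies to rotate_key.out would make that contract explicit. The `# Again rotate key` comments could also note that rotation is now a two-step create-then-set sequence, since nothing in the script says why the call is duplicated.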
@@ -125,7 +139,10 @@
 # But now can't be changed to another global provider
 PGTDE::psql($node, 'postgres',
- "SELECT pg_tde_set_key_using_global_key_provider('rotated-keyX2', 'file-2', false);"
+ "SELECT pg_tde_create_key_using_global_key_provider('rotated-keyX2', 'file-2');"
+);
+PGTDE::psql($node, 'postgres',
+ "SELECT pg_tde_set_key_using_global_key_provider('rotated-keyX2', 'file-2');"
 );
 PGTDE::psql($node, 'postgres',
  "SELECT provider_id, provider_name, key_name FROM pg_tde_key_info();");
diff --git a/contrib/pg_tde/t/tde_heap.pl b/contrib/pg_tde/t/tde_heap.pl
index 1983c1e1b2eca..f0e6c0376b965 100644
--- a/contrib/pg_tde/t/tde_heap.pl
+++ b/contrib/pg_tde/t/tde_heap.pl
@@ -21,6 +21,9 @@
 PGTDE::psql($node, 'postgres',
  "SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/tde_heap.per');"
 );
+PGTDE::psql($node, 'postgres',
+ "SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault');"
+);
 PGTDE::psql($node, 'postgres',
  "SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');"
 );
diff --git a/contrib/pg_tde/t/unlogged_tables.pl b/contrib/pg_tde/t/unlogged_tables.pl
index 3482d93e05ffd..742240d0f2169 100644
--- a/contrib/pg_tde/t/unlogged_tables.pl
+++ b/contrib/pg_tde/t/unlogged_tables.pl
@@ -20,6 +20,9 @@
 PGTDE::psql($node, 'postgres',
  "SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/unlogged_tables.per');"
 );
+PGTDE::psql($node, 'postgres',
+ "SELECT pg_tde_create_key_using_database_key_provider('test-key', 'file-vault');"
+);
 PGTDE::psql($node, 'postgres',
  "SELECT pg_tde_set_key_using_database_key_provider('test-key', 'file-vault');"
 );
diff --git a/contrib/pg_tde/t/wal_encrypt.pl b/contrib/pg_tde/t/wal_encrypt.pl
index 42ef87fe3682c..33b3adfa7136e 100644
--- a/contrib/pg_tde/t/wal_encrypt.pl
+++ b/contrib/pg_tde/t/wal_encrypt.pl
@@ -31,6 +31,9 @@
  'SELECT key_name, provider_name, provider_id FROM pg_tde_server_key_info();'
 );
+PGTDE::psql($node, 'postgres',
+ "SELECT pg_tde_create_key_using_global_key_provider('server-key', 'file-keyring-010');"
+);
 PGTDE::psql($node, 'postgres',
  "SELECT pg_tde_set_server_key_using_global_key_provider('server-key', 'file-keyring-010');"
 );
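Review bot: The `pg_tde_server_key_info()` query in the context lines runs before the new create call but is not repeated between create and set, so nothing in this diff pins that `pg_tde_create_key_using_global_key_provider` on its own leaves the active server key unchanged — which is the property that justifies splitting the operation in two. Repeating `PGTDE::psql($node, 'postgres', 'SELECT key_name, provider_name, provider_id FROM pg_tde_server_key_info();');` directly after the create call, with the matching rows added to wal_encrypt.out, would catch a regression in which creating a key also activates it. The same intermediate check would fit the create/set pairs in replication.pl and pg_waldump_basic.pl above. The `PGTDE::psql` call whose string argument opens this hunk starts before the hunk.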