Commit
1 parent 07fe8e4, commit 1c39a78
Showing 4 changed files with 383 additions and 0 deletions.
@@ -0,0 +1,69 @@ | ||
[data-md-color-scheme="percona-light"] { | ||
--md-primary-fg-color: #0d184c; | ||
--md-primary-fg-color--light: #3e4875; | ||
--md-default-fg-color--lightest: #9096b0; | ||
--md-primary-fg-color--dark: #080e2e; | ||
--md-typeset-a-color: #2cbea2; | ||
} | ||
[data-md-color-scheme="slate"] { | ||
--md-primary-fg-color: #0d184c; | ||
/* | ||
--md-primary-fg-color--light: #3e4875; | ||
--md-primary-fg-color--dark: #080e2e; | ||
*/ | ||
--md-typeset-a-color: #2cbea2; | ||
--md-hue: 210; /* [0, 360] */ | ||
} | ||
ul li p { | ||
margin: 0; | ||
} | ||
|
||
.md-clipboard { | ||
color: #2cbea2; | ||
} | ||
|
||
.md-typeset { | ||
font-size: .7rem; | ||
line-height: 1.5; | ||
} | ||
|
||
.md-typeset h1 { | ||
color: var(--md-default-fg-color--light); | ||
font-size: 2em; | ||
font-weight: 400; | ||
line-height: 1.3; | ||
margin: 0 0 0.9em; | ||
} | ||
|
||
.md-typeset h2 { | ||
font-size: 1.5625em; | ||
line-height: 1.4; | ||
margin: 1em 0 .54em; | ||
} | ||
|
||
.md-typeset .md-button { | ||
border: .1rem solid; | ||
border-radius: 50px; | ||
color: var(--md-typeset-a-color); | ||
cursor: pointer; | ||
display: inline-block; | ||
font-weight: 700; | ||
padding: .625em 2em; | ||
transition:color 125ms, background-color 125ms, border-color 125ms | ||
} | ||
|
||
.md-typeset .md-button--primary { | ||
background-color: var(--md-typeset-a-color); | ||
border-color: var(--md-typeset-a-color); | ||
color:var(--md-primary-bg-color) | ||
} | ||
|
||
.md-typeset .md-button:focus, .md-typeset .md-button:hover { | ||
background-color: var(--md-accent-fg-color); | ||
border-color: var(--md-accent-fg-color); | ||
color:var(--md-accent-bg-color) | ||
} | ||
|
||
/*.git-revision-date-localized-plugin:before { | ||
content: url('https://api.iconify.design/mdi/clock-edit-outline.svg'); | ||
}*/ |
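Review bot: the commented-out `.git-revision-date-localized-plugin:before` rule at the end of this hunk is either dead code that should be deleted or, if it is meant to be re-enabled later, should reference a locally vendored icon instead of `https://api.iconify.design/mdi/clock-edit-outline.svg`; re-enabling it as written makes every page load depend on a third-party origin that can change or replace the SVG at any time. Two smaller points: the `transition:` line closing `.md-typeset .md-button` and the `color:` lines closing `.md-button--primary` and the `:focus, :hover` block are missing their trailing semicolons, and `.md-typeset h1` reads `--md-default-fg-color--light`, which this file never defines for the `percona-light` scheme (only `--lightest` is set), so the heading colour silently falls back to the theme default.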
@@ -0,0 +1,145 @@ | ||
# `pg_tde` documentation | ||
|
||
`pg_tde` is the extension that brings in [Transparent Data Encryption (TDE)](tde.md) to PostgreSQL and enables users to keep sensitive data safe and secure. | ||
|
||
**NOTE**: This is the MVP version of the extension. | ||
|
||
`pg_tde` encrypts the following: | ||
|
||
* user data in tables, including TOAST tables, that are created using the extension. Metadata of those tables is not encrypted. | ||
* Write-Ahead Log (WAL) files and temporary tables created during the database operation. Note that only WAL records for tables created using the extension and temporary tables associated with those data tables are encrypted. | ||
|
||
The encryption of indexes is planned for the next releases of `pg_tde`. | ||
|
||
## Supported PostgreSQL versions | ||
|
||
`pg_tde` is currently supported for Percona Distribution for PostgreSQL 16 and PostgreSQL 16. | ||
|
||
## Installation | ||
|
||
Install `pg_tde` using one of available installation methods: | ||
|
||
* [build from source](#build-from-source) | ||
* [install from a package manually](#install-from-package). Currently only DEB packages are available. | ||
* [run in Docker] | ||
|
||
### Build from source | ||
|
||
1. To build `pg_tde` from source code, you require the following on Ubuntu/Debian: | ||
|
||
```sh | ||
sudo apt install make gcc libjson-c-dev postgresql-server-dev-16 | ||
``` | ||
|
||
2. [Install Percona Distribution for PostgreSQL 16] or [upstream PostgreSQL 16] | ||
3. If PostgreSQL is installed in a non standard directory, set the `PG_CONFIG` environment variable to point to the `pg_config` executable | ||
|
||
4. Clone the repository: | ||
|
||
``` | ||
git clone git://github.com/Percona-Lab/postgres-tde-ext | ||
``` | ||
|
||
5. Compile and install the extension | ||
|
||
``` | ||
cd postgres-tde-ext | ||
make USE_PGXS=1 | ||
sudo make USE_PGXS=1 install | ||
``` | ||
|
||
### Install from package | ||
|
||
Currently only DEB packages are available. If you are running RPM-based operating system, consider [building the extension from source](#build-from-source) or [running it in Docker](#run-in-docker) | ||
|
||
1. Download the latest [release package](https://github.com/Percona-Lab/postgres-tde-ext/releases) | ||
|
||
``` sh | ||
wget https://github.com/Percona-Lab/postgres-tde-ext/releases/download/latest/pgtde-pgdg16.deb | ||
``` | ||
|
||
2. Install the package | ||
|
||
``` sh | ||
sudo dpkg -i pgtde-pgdg16.deb | ||
``` | ||
|
||
### Run in Docker | ||
|
||
You can find Docker images built from the current main branch on [Docker Hub](https://hub.docker.com/r/perconalab/postgres-tde-ext). Images are built on top of [postgres:16](https://hub.docker.com/_/postgres) official image. | ||
|
||
To run `pg_tde` in Docker, use the following command: | ||
|
||
``` | ||
docker run --name pg-tde -e POSTGRES_PASSWORD=mysecretpassword -d perconalab/postgres-tde-ext | ||
``` | ||
|
||
It builds and adds `pg_tde` extension to PostgreSQL 16. Relevant `postgresql.conf` and `tde_conf.json` are created in `/etc/postgresql/` inside the container. This directory is exposed as a volume. | ||
|
||
See [Docker Docs](https://hub.docker.com/_/postgres) on usage. | ||
|
||
You can also build a Docker image manually with: | ||
|
||
``` | ||
docker build . -f ./docker/Dockerfile -t your-image-name | ||
``` | ||
|
||
## Setup | ||
|
||
1. Load the `pg_tde` at the start time. The extension requires additional shared memory; therefore, add the `pg_tde` value for the `shared_preload_libraries` parameter and restart the `postgresql` instance. | ||
|
||
2. Start or restart the `postgresql` instance to apply the changes. | ||
|
||
* On Debian and Ubuntu: | ||
|
||
```sh | ||
sudo systemctl restart postgresql.service | ||
``` | ||
|
||
* On RHEL and derivatives | ||
|
||
```sh | ||
sudo systemctl restart postgresql-16 | ||
``` | ||
|
||
3. Create the extension using the [CREATE EXTENSION](https://www.postgresql.org/docs/current/sql-createextension.html) command. Using this command requires the privileges of a superuser or a database owner. Connect to `psql` as a superuser for a database and run the following command: | ||
|
||
```sql | ||
CREATE EXTENSION pg_tde; | ||
``` | ||
|
||
4. Set the location of the keyring configuration file in postgresql.conf: `pg_tde.keyringConfigFile = '/where/to/put/the/keyring.json'` | ||
5. Create the [keyring configuration file](#keyring-configuration) | ||
6. Start or restart the `postgresql` instance to apply the changes. | ||
|
||
* On Debian and Ubuntu: | ||
|
||
```sh | ||
sudo systemctl restart postgresql.service | ||
``` | ||
|
||
* On RHEL and derivatives | ||
|
||
```sh | ||
sudo systemctl restart postgresql-16 | ||
``` | ||
|
||
### Keyring configuration | ||
|
||
```json | ||
{ | ||
'provider': 'file', | ||
'datafile': '/tmp/pgkeyring', | ||
} | ||
``` | ||
|
||
Currently the keyring configuration only supports the file provider, with a single datafile parameter. | ||
|
||
This datafile is created and managed by PostgreSQL, the only requirement is that `postgres` should be able to write to the specified path. | ||
|
||
This setup is intended for developmenet, and stores the keys unencrypted in the specified data file. | ||
|
||
## Useful links: | ||
|
||
* [What is TDE](tde.md) | ||
|
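Review bot: the example under `### Keyring configuration` is not valid JSON (single-quoted keys and values plus a trailing comma), so a reader who copies it into the file named by `pg_tde.keyringConfigFile` gets a parse failure; it should be `"provider": "file"` and `"datafile": "/tmp/pgkeyring"` with double quotes and no trailing comma. The example path also needs a second look: the text says this file holds the keys unencrypted, and `/tmp` is world-writable and often tmpfs-backed, so even for the stated development-only use the example should point at a path owned by `postgres` with mode 0600 (inside the data directory, for instance); "developmenet" on the same paragraph should read "development". In the install steps, the clone uses `git://github.com/Percona-Lab/postgres-tde-ext`, an unauthenticated and unencrypted transport, and should use `https://`; and the `wget` of `pgtde-pgdg16.deb` followed by `sudo dpkg -i` installs a package without any checksum or signature verification, so the release should publish a digest and the docs should tell readers to check it before `dpkg -i`. Finally, `[run in Docker]`, `[Install Percona Distribution for PostgreSQL 16]` and `[upstream PostgreSQL 16]` have no link targets and will render as literal brackets, Setup step 1 describes adding `pg_tde` to `shared_preload_libraries` without showing the `postgresql.conf` line, and the `docker run` example hard-codes `POSTGRES_PASSWORD=mysecretpassword` without saying it is a placeholder.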
@@ -0,0 +1,17 @@ | ||
# What is Transparent Data Encryption (TDE) | ||
|
||
Transparent Data Encryption offers encryption at the file level and solves the problem of protecting data at rest. The encryption is completely transparent for users allowing them to access and manipulate the data and not to worry about the encryption process. | ||
|
||
## Why do you need TDE? | ||
|
||
Using TDE has the following benefits: | ||
|
||
* For organizations: | ||
|
||
- Ensure data safety when at rest and in motion | ||
- Comply with security standards like HIPAA, PCI DSS, SOC 2, ISO 27001 | ||
|
||
* For DBAs: | ||
|
||
- Allows defining what to encrypt in the table and with what key | ||
- Encryption on storage level is not a must to provide data safety. However, using TDE and storage-level encryption together adds another layer of data security |
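Review bot: the first bullet under "For organizations", "Ensure data safety when at rest and in motion", contradicts the opening paragraph, which correctly scopes TDE to data at rest; TDE does nothing for data in motion (that is transport encryption between client and server), so drop "and in motion" or state that transport encryption is a separate control. The last bullet is also hard to parse: "Encryption on storage level is not a must to provide data safety. However, using TDE and storage-level encryption together adds another layer of data security" would be clearer as "TDE does not require storage-level encryption; combining the two adds another layer of protection".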
@@ -0,0 +1,152 @@ | ||
# MkDocs general configuration | ||
|
||
site_name: pg_stat_monitor Documentation | ||
site_description: Documentation | ||
site_author: Percona LLC | ||
copyright: > | ||
<a href="https://www.percona.com/about">Percona LLC</a> and/or its affiliates © 2023 — <a href="#__consent">Cookie Consent</a> | ||
repo_name: percona/pgsm-docs | ||
repo_url: https://github.com/percona/pgsm-docs | ||
edit_uri: edit/main/docs/ | ||
|
||
use_directory_urls: false | ||
|
||
# Theme settings | ||
theme: | ||
name: material | ||
logo: _images/percona-logo.svg | ||
favicon: _images/percona-favicon.ico | ||
custom_dir: _resource/overrides | ||
font: | ||
text: Poppins | ||
|
||
palette: | ||
|
||
# Light mode | ||
- media: "(prefers-color-scheme: light)" | ||
scheme: percona-light | ||
toggle: | ||
icon: material/toggle-switch-off-outline | ||
name: Switch to dark mode | ||
|
||
# Dark mode | ||
- media: "(prefers-color-scheme: dark)" | ||
scheme: slate | ||
toggle: | ||
icon: material/toggle-switch | ||
name: Switch to light mode | ||
|
||
# Theme features | ||
|
||
features: | ||
- search.share | ||
- search.highlight | ||
- content.code.copy | ||
- content.action.view | ||
- content.action.edit | ||
- content.tabs.link | ||
- navigation.top | ||
- navigation.tracking | ||
|
||
|
||
extra_css: | ||
- https://unicons.iconscout.com/release/v3.0.3/css/line.css | ||
- https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.4.0/css/font-awesome.min.css | ||
- css/version-select.css | ||
- css/toctree.css | ||
- css/percona.css | ||
- css/extra.css | ||
|
||
extra_javascript: | ||
- js/version-select.js | ||
- js/promptremover.js | ||
|
||
markdown_extensions: | ||
- attr_list | ||
- toc: | ||
permalink: True | ||
- admonition | ||
- footnotes | ||
- def_list # https://michelf.ca/projects/php-markdown/extra/#def-list | ||
- meta | ||
- smarty: | ||
smart_angled_quotes: true | ||
- pymdownx.mark | ||
- pymdownx.smartsymbols | ||
- pymdownx.tilde | ||
- pymdownx.superfences | ||
- pymdownx.tabbed: | ||
alternate_style: true | ||
- pymdownx.tilde | ||
- pymdownx.superfences | ||
- pymdownx.details | ||
- pymdownx.highlight: | ||
linenums: false | ||
- pymdownx.emoji: | ||
emoji_index: !!python/name:materialx.emoji.twemoji | ||
emoji_generator: !!python/name:materialx.emoji.to_svg | ||
|
||
|
||
plugins: | ||
- search: | ||
separator: '[\s\-,:!=\[\]()"/]+|(?!\b)(?=[A-Z][a-z])|\.(?!\d)|&[lg]t;' | ||
- git-revision-date-localized: | ||
enable_creation_date: true | ||
enabled: !ENV [ENABLED_GIT_REVISION_DATE, True] | ||
- meta-descriptions: | ||
export_csv: false | ||
quiet: false | ||
enable_checks: false | ||
min_length: 50 | ||
max_length: 160 | ||
- section-index # Adds links to nodes - comment out when creating PDF | ||
# - htmlproofer # Uncomment to check links - but extends build time significantly | ||
- macros: | ||
include_yaml: | ||
- 'variables.yml' # Use in markdown as '{{ VAR }}' | ||
|
||
extra: | ||
version: | ||
provider: mike | ||
homepage: https://docs.percona.com | ||
consent: | ||
title: Cookie consent | ||
description: >- | ||
We use cookies to recognize your repeated visits and preferences, as well | ||
as to measure the effectiveness of our documentation and whether users | ||
find what they're searching for. With your consent, you're helping us to | ||
make our documentation better. Read more about <a class="reference external" href="https://www.percona.com/20180524-cookie-policy" target="_blank">Percona Cookie Policy</a>. | ||
nav: | ||
- Home: index.md | ||
- comparison.md | ||
- Release notes: | ||
- Release notes index: release-notes/release_notes.md | ||
- release_notes/2.0.3.md | ||
- release_notes/2.0.2.md | ||
- release-notes/2.0.1.md | ||
- release-notes/2.0.0.md | ||
- release-notes/1.x.md | ||
- Install and set up: | ||
- "Install": "install.md" | ||
- "Set up": "setup.md" | ||
- Upgrade: upgrade.md | ||
- User guide: | ||
- "Features": "user_guide.md" | ||
- views.md | ||
- functions.md | ||
- pmm.md | ||
- How to: | ||
- Auto-create pg_stat_monitor for new databases: auto-enable.md | ||
- Reference: | ||
- pg_stat_monitor view reference: | ||
- reference.md | ||
- configuration.md | ||
- Uninstall: uninstall.md | ||
- contributing.md | ||
- copyright.md | ||
- trademark-policy.md | ||
# - Version Selector: "../" | ||
|
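Review bot: this `mkdocs.yml` is carried over from `percona/pgsm-docs` rather than configured for this project: `site_name` says `pg_stat_monitor Documentation`, `repo_name`, `repo_url` and `edit_uri` point at `percona/pgsm-docs`, and `nav` lists `comparison.md`, `release_notes/2.0.3.md`, `install.md`, `views.md` and the rest of the pg_stat_monitor pages, none of which this commit adds, while `tde.md` (which `index.md` links to) is absent from `nav`. MkDocs will warn on every missing page (and fail under `--strict`), and the view/edit links will send readers to the wrong repository. Smaller points: the release-notes entries mix `release_notes/` and `release-notes/` directories; `pymdownx.tilde` and `pymdownx.superfences` are each listed twice under `markdown_extensions`; and `extra_css` pulls stylesheets from `unicons.iconscout.com` and `cdnjs.cloudflare.com` at page-load time, which should be vendored under `css/` alongside the other entries rather than fetched from third-party origins.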