Using TDE initialization options
Initializing a TDE-enabled server requires two mandatory settings: one enables TDE and the other protects the data encryption key.
To enable TDE
To create a TDE-enabled database server, you must use the --data-encryption
option, which creates a data encryption key to encrypt your server.
If you want to copy a key from an existing cluster when preparing a new cluster as a target for pg_upgrade, additionally use the --copy-key-from=<file>
option.
To protect the data encryption key
When creating a TDE-enabled database, TDE generates a data encryption key that is transparent to the user.
An additional protection mechanism in the form or a wrapping and an unwrapping command is required to wrap this key, which you must make available to the database server.
See Providing the wrapping and unwrapping commands to TDE for an overview of the available protection mechanism, and examples of how to provide this configuration to initdb
.
Options reference
See initdb TDE options for an overview of all mandatory and elective options and supported values.