initdb TDE options
To enable encryption, use the following options with the initdb
command.
Option: --data-encryption
or -y
Adds transparent data encryption when initializing a database server.
Supported values
You can optionally specify an AES key length. Valid values are 128 and 256. The default is 128.
Option: --key-wrap-command=<command>
Provides the wrapping/encryption command to protect the data encryption key.
Supported values
<command>
is customizable, but it must contain the placeholder %p
. See Wrapping commands for examples and information. See Securing the data encryption key for an overview of available wrapping mechanisms.
If not specified, TDE falls back on the environment variable PGDATAKEYWRAPCMD
.
Use -
if you don't want to apply a wrapping mechanism.
Option: --key-unwrap-command=<command>
Provides the unwrapping/decryption command to access the data encryption key.
Supported values
<command>
is customizable, but it must contain the placeholder %p
. See Configuring wrapping commands for examples and information.
If not specified, TDE falls back on the environment variable PGDATAKEYUNWRAPCMD
.
Use -
if you didn't apply a wrapping mechanism.
Option: --no-key-wrap
Disables the key wrapping. The data encryption key is instead stored in plaintext in the data directory. (This option is a shortcut for setting both the wrap and the unwrap command to the special value -
.)
Note
Using this option isn't secure. Use it only for testing purposes.
If you select data encryption and don't specify this option, then you must provide a key wrap and unwrap command. Otherwise, initdb
terminates with an error.
Supported values
The --no-key-wrap
option doesn't require specifying any values.
Option: --copy-key-from=<file>
Copies an existing data encryption key from the provided location. For example, when reusing a key from an existing server during an upgrade with pg_upgrade.
Supported values
<file>
is the directory to the existing key. Normally, encryption keys are stored in pg_encryption/key.bin
.