diff --git a/contrib/pg_tde/documentation/docs/setup.md b/contrib/pg_tde/documentation/docs/setup.md index a83546a83f095..73cafba216c50 100644 --- a/contrib/pg_tde/documentation/docs/setup.md +++ b/contrib/pg_tde/documentation/docs/setup.md @@ -11,7 +11,7 @@ The `pg_tde` extension requires additional shared memory. You need to configure You can configure the `shared_preload_libraries` parameter in two ways: -* Add the following line to the `shared_preload_libraries` file: +* Add the following line to the `postgresql.conf` file: ```bash shared_preload_libraries = 'pg_tde' @@ -50,20 +50,18 @@ CREATE EXTENSION pg_tde; See [CREATE EXTENSION :octicons-link-external-16:](https://www.postgresql.org/docs/current/sql-createextension.html) for more details. !!! note - The `pg_tde` extension is created only for the current database. To enable it for other databases, you must run the command in each individual database. ## 4. (Optional) Enable pg_tde by default To automatically have `pg_tde` enabled for all new databases, modify the `template1` database: -``` +```sql psql -d template1 -c 'CREATE EXTENSION pg_tde;' ``` !!! note - - You can use external key providers to manage encryption keys. The recommended approach is to use the Key Management Store (KMS). See the next step on how to configure the KMS. + It’s recommended to use an external key provider (KMS) to manage encryption keys. For configuration instructions, see [Next steps](#next-steps). ## Next steps diff --git a/contrib/pg_tde/documentation/docs/test.md b/contrib/pg_tde/documentation/docs/test.md index c0cf972cc0b4a..5cd23584955c2 100644 --- a/contrib/pg_tde/documentation/docs/test.md +++ b/contrib/pg_tde/documentation/docs/test.md 
@@ -29,7 +29,7 @@ After enabling the `pg_tde` extension for a database, you can begin encrypting d SELECT pg_tde_is_encrypted('table_name'); ``` - The function returns `t` if the table is encrypted and `f` - if not. + The function returns `true` or `false`. The psql client specifically renders them as `t` or `f` respectively. 3. (Optional) Rotate the principal key. diff --git a/contrib/pg_tde/documentation/docs/variables.md b/contrib/pg_tde/documentation/docs/variables.md index 9947eacc385fe..ffbde8744892e 100644 --- a/contrib/pg_tde/documentation/docs/variables.md +++ b/contrib/pg_tde/documentation/docs/variables.md @@ -17,7 +17,10 @@ This variable only controls new writes to the WAL, it doesn't affect existing WA `pg_tde` is always capable of reading existing encrypted WAL records, as long as the keys used for the encryption are still available. -Enabling WAL encryption requires a configured global principal key. Refer to the [WAL encryption configuration](wal-encryption.md) documentation for more information. +Enabling WAL encryption requires a configured global principal key. Refer to the [WAL encryption configuration](wal-encryption.md) topic for more information. + +!!! warning + The WAL encryption feature is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**. ## pg_tde.enforce_encryption diff --git a/contrib/pg_tde/documentation/docs/yum.md b/contrib/pg_tde/documentation/docs/yum.md index d87f81e521cbc..4d21ca12fe1c7 100644 --- a/contrib/pg_tde/documentation/docs/yum.md +++ b/contrib/pg_tde/documentation/docs/yum.md 
@@ -8,10 +8,12 @@ Make sure you check the [list of supported platforms](install.md#__tabbed_1_1) b The `pg_tde` uses memory locks (mlocks) to keep internal encryption keys in RAM, both for WAL and for user data. -A memory lock (`mlock`) is a system call to lock a specified memory range in RAM for a process. The maximum amount of memory that can be locked differs between systems. You can check the current setting with this command: +A memory lock (`mlock`) is a system call that prevents specified memory ranges from being swapped to disk. Some libraries, such as OpenSSL, may use `mlock` internally to protect sensitive data like encryption keys. However, `pg_tde` does not directly invoke `mlock` in its own code. + +You can check the current system limits for locked memory using: ```bash - ulimit -a +ulimit -a ``` Memory locking is done only in memory pages. This means that when a process uses `mlocks`, it locks the entire memory page.
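Review bot: in the setup.md `shared_preload_libraries` hunk, the corrected sentence now points at `postgresql.conf`, but the example that follows it is still fenced as ```bash even though `shared_preload_libraries = 'pg_tde'` is a configuration-file line, not a shell command; tag the fence `ini` or leave it untagged. Since this is the only place the page tells the reader how to set the parameter, it should also say that an existing value must be extended rather than overwritten (the parameter is a comma-separated list, e.g. `shared_preload_libraries = 'pg_tde,other_lib'`) and that the change takes effect only after a server restart.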
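Review bot: in the setup.md step 4 hunk, the fence is changed to ```sql, but `psql -d template1 -c 'CREATE EXTENSION pg_tde;'` is a shell command that invokes psql, not an SQL statement; tag it ```bash (matching the fence already used in this file) or fence only the `CREATE EXTENSION pg_tde;` statement. Two smaller points in the same hunk: the rewritten note uses a typographic apostrophe (`It’s`) where the file otherwise uses plain ASCII, and the step text should say that only databases created from `template1` inherit the extension, so a database created with `CREATE DATABASE ... TEMPLATE template0` (or from another template) still needs the explicit `CREATE EXTENSION` from step 3.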
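Review bot: in the test.md hunk, the replacement line drops information the removed line had: "The function returns `true` or `false`" no longer says which value means encrypted, and "The psql client specifically renders them as `t` or `f` respectively" is awkward ("specifically" adds nothing, "respectively" is implied). Suggest: "The function returns a boolean: `true` if the table is encrypted and `false` if not. psql displays these values as `t` and `f`."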
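Review bot: in the variables.md hunk, the new `!!! warning` block says the feature "is not effective unless explicitly enabled", which reads as a caveat but is just the variable's default (off) restated under its own heading; drop that clause, or state the default on the variable's value line, and keep the admonition to the beta and not-production-ready statement. The same warning belongs in the linked `wal-encryption.md` topic as well, since that is where a reader who follows the link will actually turn the feature on.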
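Review bot: the yum.md hunk now contradicts its own context. The added sentence says "`pg_tde` does not directly invoke `mlock` in its own code", while the unchanged line two above still reads "The `pg_tde` uses memory locks (mlocks) to keep internal encryption keys in RAM, both for WAL and for user data", and the trailing context still says "when a process uses `mlocks`, it locks the entire memory page". Either revert the new claim or rewrite the introductory sentence to match it (e.g. "Libraries used by `pg_tde`, such as OpenSSL, may lock memory to keep encryption keys from being swapped to disk"), and adjust the trailing paragraph accordingly. Also, `ulimit -a` prints every resource limit; `ulimit -l` shows only the "max locked memory" value this section is about, and on the systemd-managed installs this yum page targets the effective limit for the postgres service is set by `LimitMEMLOCK=` in the unit file rather than by the interactive shell's `ulimit`.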