To enable Transparent Data Encryption (TDE), you must provide the required vault environment variables and include the --tde-kek-url flag within the POSTGRES_INITDB_ARGS.
Before you begin
- Configure HashiCorp Vault's KV-V2 secrets engine so that the Key Encryption Key (KEK) path and the JSON Web Token (JWT) are available.
- Ensure that AlloyDB Omni has permission to read the JWT token file.
Create the cluster
To create a TDE-enabled cluster, you must pass the necessary Key Management Service (KMS) configuration and authentication credentials during the initialization of the database. The only supported authentication type is jwt.
Select the tab for your container runtime.
Docker
docker run -d --name CONTAINER_NAME \
  --network host \
  -v DATA_DIR:/var/lib/postgresql/data \
  -v VAULT_CERT_PATH_ON_DISK:VAULT_CERT_PATH \
  -e VAULT_AUTH_TYPE=jwt \
  -e VAULT_AUTH_MOUNT=JWT_AUTH_ENGINE_MOUNT \
  -e VAULT_JWT_PATH=JWT_FILE_PATH \
  -e VAULT_ROLE=VAULT_ROLE \
  -e VAULT_CERT_PATH=VAULT_CERT_PATH \
  -e POSTGRES_INITDB_ARGS="--tde-kek-url=KEK_URL" \
  google/alloydbomni:IMAGE_TAG
Podman
podman run -d --name CONTAINER_NAME \
  --network host \
  -v DATA_DIR:/var/lib/postgresql/data \
  -v VAULT_CERT_PATH_ON_DISK:VAULT_CERT_PATH \
  -e VAULT_AUTH_TYPE=jwt \
  -e VAULT_AUTH_MOUNT=JWT_AUTH_ENGINE_MOUNT \
  -e VAULT_JWT_PATH=JWT_FILE_PATH \
  -e VAULT_ROLE=VAULT_ROLE \
  -e VAULT_CERT_PATH=VAULT_CERT_PATH \
  -e POSTGRES_INITDB_ARGS="--tde-kek-url=KEK_URL" \
  google/alloydbomni:IMAGE_TAG
Replace the following:
- CONTAINER_NAME: the name of the container to create. For example, alloydb-tde.
- DATA_DIR: the local directory to mount as the data volume for AlloyDB Omni. For example, /local/data.
- VAULT_AUTH_TYPE: the type of authentication to use for the vault connection. Only jwt is supported.
- JWT_AUTH_ENGINE_MOUNT: path where the HashiCorp Vault authentication engine is mounted. For example, /auth/jwt.
- JWT_FILE_PATH: path where the vault JWT is stored on your nodes. For example, tde-tls/jwt-token.
- (Optional) VAULT_ROLE: the client role defined in your vault setup that lets HashiCorp Vault verify the authenticity of the JWT token.
- VAULT_CERT_PATH_ON_DISK: path to the vault certificates on the host machine. For example, /local/vault/config.
- VAULT_CERT_PATH: path where the certificates for the vault connection are located in your container. For example, /tde-tls. If not set, the certificates in the default trust store are used.
- KEK_URL: the fully qualified URL to the KEK in HashiCorp Vault. Use vault as the protocol to specify HashiCorp Vault as the KMS provider, for example vault://127.0.0.1:8200/v1/secrets/data/alloydb_kek.
- IMAGE_TAG: use 18.1.0 for the latest Debian image or 18.1.0-ubi for the latest UBI image.
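The following preflight script is an added example and is not part of the AlloyDB Omni documentation or tooling. It checks the two prerequisites from "Before you begin" (the JWT file must be readable by the user that launches the container, and because the JWT is a bearer credential it warns when the file is world-readable), checks that the certificate directory exists and that the KEK URL uses the vault scheme, and then assembles the run command from the same placeholder variable names used above so the full argument list can be reviewed before anything is started. The function names tde_preflight and tde_run_cmd, and the decision to print the command instead of executing it, are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight checks and command assembly for a TDE-enabled
# AlloyDB Omni container. Not part of AlloyDB Omni; function names are assumed.

# tde_preflight JWT_FILE CERT_DIR KEK_URL
# Returns 0 when the inputs look usable and 1 otherwise; reasons go to stderr.
tde_preflight() {
    jwt_file=$1; cert_dir=$2; kek_url=$3; rc=0
    if [ ! -r "$jwt_file" ]; then
        echo "JWT file '$jwt_file' is missing or not readable by $(id -un)" >&2
        rc=1
    elif [ "$(ls -ld "$jwt_file" | cut -c8)" = "r" ]; then
        # Column 8 of 'ls -l' is the other-read bit: a bearer token that any
        # local user can read lets any local user authenticate to Vault as us.
        echo "warning: '$jwt_file' is world-readable; consider chmod 600" >&2
    fi
    if [ -n "$cert_dir" ] && [ ! -d "$cert_dir" ]; then
        echo "vault certificate directory '$cert_dir' does not exist" >&2
        rc=1
    fi
    case $kek_url in
        vault://*) ;;   # vault is the protocol that selects HashiCorp Vault as the KMS
        *) echo "KEK URL '$kek_url' must use the vault:// scheme" >&2; rc=1 ;;
    esac
    return $rc
}

# tde_run_cmd [docker|podman]
# Reads CONTAINER_NAME, DATA_DIR, JWT_AUTH_ENGINE_MOUNT, JWT_FILE_PATH, KEK_URL,
# IMAGE_TAG and the optional VAULT_ROLE, VAULT_CERT_PATH(_ON_DISK) from the
# environment and prints the run command one argument per line for review.
# VAULT_AUTH_TYPE is fixed to jwt, the only supported authentication type.
tde_run_cmd() {
    runtime=${1:-docker}
    set -- "$runtime" run -d --name "${CONTAINER_NAME:?}" --network host \
        -v "${DATA_DIR:?}:/var/lib/postgresql/data" \
        -e VAULT_AUTH_TYPE=jwt \
        -e "VAULT_AUTH_MOUNT=${JWT_AUTH_ENGINE_MOUNT:?}" \
        -e "VAULT_JWT_PATH=${JWT_FILE_PATH:?}"
    if [ -n "$VAULT_ROLE" ]; then
        set -- "$@" -e "VAULT_ROLE=$VAULT_ROLE"
    fi
    # Without VAULT_CERT_PATH the container's default trust store is used, so
    # the certificate volume is only mounted when a path is given.
    if [ -n "$VAULT_CERT_PATH" ]; then
        set -- "$@" -v "${VAULT_CERT_PATH_ON_DISK:?}:$VAULT_CERT_PATH" \
            -e "VAULT_CERT_PATH=$VAULT_CERT_PATH"
    fi
    set -- "$@" -e "POSTGRES_INITDB_ARGS=--tde-kek-url=${KEK_URL:?}" \
        "google/alloydbomni:${IMAGE_TAG:?}"
    printf '%s\n' "$@"
}
```

Source the file, export the placeholder variables, run tde_preflight with the JWT path on the host, the certificate directory and the KEK URL, and only then pipe the output of tde_run_cmd into your shell (or copy it into a change ticket). Printing rather than executing keeps the credential-bearing arguments visible for review and out of shell history.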
View TDE metrics
After the cluster is initialized, complete the following steps to verify that TDE is enabled and view related TDE metrics.
- Connect to your database using psql or your preferred client. For detailed instructions on connecting to your instances, see Run and connect to AlloyDB Omni.
- Run the following command:
  SELECT * FROM pgsnap.g$tde_stats;
  The output shows TDE metrics such as whether TDE is enabled, the KEK URL, KEK version, and KEK creation timestamp.
The following table explains what each metric means.
| Name | Description | Label | Unit | Type |
|---|---|---|---|---|
| alloydb_omni_database_tde_data_blocks_decrypted_count_total | Number of data blocks decrypted. | Not applicable | | counter |
| alloydb_omni_database_tde_data_blocks_encrypted_count_total | Number of data blocks encrypted. | Not applicable | | counter |
| alloydb_omni_database_tde_data_decryption_time_us_total | Total time spent in data block decryption. | Not applicable | microseconds | counter |
| alloydb_omni_database_tde_data_encryption_time_us_total | Total time spent in data block encryption. | Not applicable | microseconds | counter |
| alloydb_omni_database_tde_enabled | TDE enabled status. | Not applicable | | gauge |
| alloydb_omni_database_tde_kek_info | TDE KEK information. | kek_version: version of the KEK in use for key wrapping. kek_url: fully qualified path to the KEK in the KMS. kek_creation_timestamp: creation time of the KEK version in use. | | gauge |
| alloydb_omni_database_tde_temp_blocks_decrypted_count_total | Number of temporary blocks decrypted. | Not applicable | | counter |
| alloydb_omni_database_tde_temp_blocks_encrypted_count_total | Number of temporary blocks encrypted. | Not applicable | | counter |
| alloydb_omni_database_tde_temp_decryption_time_us_total | Total time spent in temporary block decryption. | Not applicable | microseconds | counter |
| alloydb_omni_database_tde_temp_encryption_time_us_total | Total time spent in temporary block encryption. | Not applicable | microseconds | counter |
| alloydb_omni_database_tde_wal_blocks_decrypted_count_total | Number of WAL blocks decrypted. | Not applicable | | counter |
| alloydb_omni_database_tde_wal_blocks_encrypted_count_total | Number of WAL blocks encrypted. | Not applicable | | counter |
| alloydb_omni_database_tde_wal_decryption_time_us_total | Total time spent in WAL block decryption. | Not applicable | microseconds | counter |
| alloydb_omni_database_tde_wal_encryption_time_us_total | Total time spent in WAL block encryption. | Not applicable | microseconds | counter |
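As an added example that is not part of this page, the following check consumes the counters listed above and turns them into two things an operator wants from them: an alert condition (the tde_enabled gauge missing or not 1 means the cluster is not actually encrypting) and the average microseconds per block for every encrypt/decrypt pair that is present, which is the number to trend when judging TDE overhead. The "name value" one-metric-per-line text layout, the sample values in TDE_SAMPLE and the function name tde_metrics_check are assumptions of this example; the metric names are the ones from the table.

```shell
#!/bin/sh
# Added example: derive an enabled/disabled verdict and per-block cost from the
# TDE counters. Input layout ("metric_name value" per line) is assumed.

# Constructed sample in the assumed layout; values are invented for the demo.
TDE_SAMPLE='alloydb_omni_database_tde_enabled 1
alloydb_omni_database_tde_data_blocks_encrypted_count_total 4000
alloydb_omni_database_tde_data_encryption_time_us_total 12000
alloydb_omni_database_tde_data_blocks_decrypted_count_total 9000
alloydb_omni_database_tde_data_decryption_time_us_total 18000
alloydb_omni_database_tde_wal_blocks_encrypted_count_total 500
alloydb_omni_database_tde_wal_encryption_time_us_total 2500'

# tde_metrics_check < metrics
# Prints key=value lines: the enabled flag first, then
# <kind>_<encryption|decryption>_us_per_block for each data/temp/wal pair that
# has both a time counter and a non-zero block counter.
# Returns 1 when the enabled gauge is missing or not 1.
tde_metrics_check() {
    awk '
    function report(k, past, noun,    cnt, us) {
        cnt = k "_blocks_" past "_count_total"
        us  = k "_" noun "_time_us_total"
        if ((cnt in m) && (us in m) && m[cnt] > 0)
            printf "%s_%s_us_per_block=%.1f\n", k, noun, m[us] / m[cnt]
    }
    /^alloydb_omni_database_tde_/ {
        name = $1
        sub(/^alloydb_omni_database_tde_/, "", name)   # strip the common prefix
        m[name] = $2
    }
    END {
        if (!("enabled" in m)) { print "tde_enabled=missing"; exit 1 }
        if (m["enabled"] != 1)  { print "tde_enabled=" m["enabled"]; exit 1 }
        print "tde_enabled=1"
        n = split("data temp wal", kinds, " ")
        for (i = 1; i <= n; i++) {
            report(kinds[i], "encrypted", "encryption")
            report(kinds[i], "decrypted", "decryption")
        }
    }'
}

# Stand-alone run on the constructed sample; a non-zero exit means TDE is off.
printf '%s\n' "$TDE_SAMPLE" | tde_metrics_check
```

Feed the real metric lines on stdin instead of TDE_SAMPLE and treat the exit status as the alert signal; the per-block figures are only meaningful as a trend, so store them alongside the kek_version label from alloydb_omni_database_tde_kek_info to correlate any jump with a key rotation.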

