Chapter 31. Transparent Data Encryption

Transparent Data Encryption (TDE) stores every file that makes up the database cluster on disk in encrypted form (encryption of data at rest) and decrypts each block as it is read from disk. Data is held unencrypted in memory.

TDE has the following characteristics:

During startup, the server obtains the key that was used when the database was initialized by running a key-provider command, which is configured through a dedicated configuration parameter; this command can be customized to meet specific security requirements. Internally, TDE encrypts and decrypts data blocks on disk with the industry-standard 128-bit AES-CTR algorithm.

lt_initdb receives the TDE key through the -K option. Before creating a database instance, you must provide a program that makes the key available, so that the database can read it during instance creation and at every startup. Note that this key is never visible to anybody but the database server. The key must be a 32-character hexadecimal string (a 16-byte, i.e. 128-bit, AES key); otherwise instance initialization fails with the error:

    fatal: encryption key is too short, should be a 32 character hex key

Here is an example of a key-provider script:

    cat /somewhere/provide_key.sh
    #!/bin/sh
    echo 882fb7c12e80280fd664c69d2d636913

All you need is a program that prints the key to stdout; make sure that LightDB is able to execute it:

    chmod +x /somewhere/provide_key.sh

Create a database instance:

    lt_initdb -p 5432 -D ./data -K /somewhere/provide_key.sh
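The statement that the key is visible only to the database server holds only if the key-provider script itself, and anything it reads, cannot be read by other OS users: a script that simply echoes the key, like the one above, discloses the key to anyone who can read the script. The following is an added example of a hardened key-provider script, not LightDB's own code. It keeps the key in a separate file (the path in KEY_FILE is an assumed location), refuses to print anything if that file is readable by group or other, and checks that the key has the 32 hex characters lt_initdb requires before writing it to stdout, so a malformed or exposed key makes initialization or startup fail early instead of silently proceeding.

```shell
#!/bin/sh
# Added example (not LightDB's own code): hardened key provider for
# "lt_initdb -K" and lightdb_encryption_key_command.  The key lives in a
# separate owner-only file rather than in the script text.
# KEY_FILE is an assumed path; the key file is assumed to hold one line.

# Return 0 if $1 is exactly 32 hexadecimal characters (a 128-bit AES key).
# Upper-case hex is accepted here as an assumption; the page's example is lower-case.
is_valid_tde_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# Return 0 if $1 is a regular file with no group/other read bit set.
# POSIX find -perm with symbolic modes works on GNU and BSD userland.
key_file_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]
}

# Read the key from file $1, strip surrounding whitespace and newlines,
# validate it, and print it on stdout.  On any failure print nothing and
# return 1, so the server refuses to initialize or start with a bad key.
provide_key() {
    key_file="$1"
    if ! key_file_is_private "$key_file"; then
        echo "key file $key_file is missing or readable by group/other" >&2
        return 1
    fi
    key=$(tr -d ' \t\r\n' < "$key_file")
    if ! is_valid_tde_key "$key"; then
        echo "key file $key_file does not contain a 32 character hex key" >&2
        return 1
    fi
    printf '%s\n' "$key"
}

# Only act as the -K program when invoked under the script's own name,
# so the functions above can also be sourced and tested on their own.
KEY_FILE="${KEY_FILE:-/etc/lightdb/tde.key}"   # assumed default location
case "$0" in
    *provide_key.sh) provide_key "$KEY_FILE" ;;
esac
```

To use it, create the key file as the database OS user with mode 0400 (for example with `umask 077` before writing it), install the script as /somewhere/provide_key.sh with mode 0500, and pass it to lt_initdb -K exactly as in the instance-creation command above; the same script is then run through lightdb_encryption_key_command on every restart.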

You can use lt_controldata to check whether the current instance uses transparent encryption; the encryption details appear at the end of its output.

The GUC parameter lightdb_encryption_key_command is written to the lightdb.conf configuration file, which ensures that the TDE key is read again through the same command on every restart of the database server.

Note that we don’t currently support in-place encryption of existing clusters. You will need to perform a dump and reload to an encrypted instance, or use logical replication to perform the migration online.