From 3ddda4fccd7187c186afd42a160d2df29e6d0ac9 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Mon, 26 May 2025 17:06:49 +0300 Subject: [PATCH 1/7] updated with new fortanix file Since we can use Fortanix, I added it to the config KMIP section, it tells the user where to look for more details on setting it up and provides a bit of examples with pg_tde_add_global_key_provider_kmip --- .../kmip-fortanix.md | 25 +++++++++++++++++++ contrib/pg_tde/documentation/mkdocs.yml | 1 + 2 files changed, 26 insertions(+) create mode 100644 contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md diff --git a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md new file mode 100644 index 0000000000000..acb683ba0f1f3 --- /dev/null +++ b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md @@ -0,0 +1,25 @@ +# Fortanix KMIP Server Configuration + +`pg_tde` is compatible with Fortanix Data Security Manager (DSM) via the KMIP protocol. For a full setup guide, see [the Fortanix documentation here](https://support.fortanix.com/docs/using-fortanix-data-security-manager-with-edb-postgres-for-tde). + +## Recommended Configuration Steps + +1. Enable KMIP for your Fortanix DSM instance. +2. Generate or obtain a client certificate and private key from Fortanix DSM. +3. Ensure you store the certificates securely and enable them for PostgreSQL. + +## Example Configuration SQL + +```sql +SELECT pg_tde_add_global_key_provider_kmip( + 'fortanix_kms_provider', + 'kms.fortanix.com', + 5696, + '/path/to/fortanix-client-cert.pem', + '/path/to/fortanix-client-key.pem', + '/path/to/fortanix-ca-cert.pem' +); +``` + +!!! note + Replace the above paths with the actual certificate locations on your PostgreSQL host. 
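Review bot: the six-argument call in the SQL example (provider name, host, port, client cert, client key, CA cert) is presented without saying that this is the actual `pg_tde_add_global_key_provider_kmip` signature; confirm the argument order against the function reference before publishing, because a swapped client-cert/CA path is only detected when the server tries to connect to the KMIP endpoint. Step 3, "Ensure you store the certificates securely and enable them for PostgreSQL", is too vague to act on: say that the three PEM files must be readable by the OS user the PostgreSQL server runs as, and that the private key should be readable by that user only. Also, the "full setup guide" link points at the Fortanix page for EDB Postgres TDE, which is a different product from `pg_tde`; either link a `pg_tde`-specific guide or describe it as the generic Fortanix KMIP client setup.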
diff --git a/contrib/pg_tde/documentation/mkdocs.yml b/contrib/pg_tde/documentation/mkdocs.yml index f0a31fda328e8..e1c377893fdcc 100644 --- a/contrib/pg_tde/documentation/mkdocs.yml +++ b/contrib/pg_tde/documentation/mkdocs.yml @@ -170,6 +170,7 @@ nav: - "2.1 Configure Key Management (KMS)": - "2.1 Configure Key Management (KMS)": global-key-provider-configuration/index.md - "KMIP Configuration": global-key-provider-configuration/kmip-server.md + - "Fortanix Configuration": global-key-provider-configuration/kmip-fortanix.md - "Vault Configuration": global-key-provider-configuration/vault.md - "Keyring File Configuration": global-key-provider-configuration/keyring.md - "2.2 Global Principal Key Configuration": global-key-provider-configuration/set-principal-key.md From aae0ecf690dbc93c13024590b3f419f039f9e037 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 28 May 2025 15:11:39 +0300 Subject: [PATCH 2/7] Update kmip-fortanix.md updated the SELECT example with clarification and updated the link for the KMIP (generic client install) Added a note to reinforce the region requirement --- .../kmip-fortanix.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md index acb683ba0f1f3..ef6a472babded 100644 --- a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md +++ b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md 
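Review bot: the new nav entry is titled "Fortanix Configuration" while the page's own H1 is "Fortanix KMIP Server Configuration"; the sibling entries use the page title form ("KMIP Configuration", "Vault Configuration"), so consider "Fortanix KMIP Configuration" so readers can tell it is a KMIP variant rather than a separate provider type.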
@@ -1,10 +1,10 @@ # Fortanix KMIP Server Configuration -`pg_tde` is compatible with Fortanix Data Security Manager (DSM) via the KMIP protocol. For a full setup guide, see [the Fortanix documentation here](https://support.fortanix.com/docs/using-fortanix-data-security-manager-with-edb-postgres-for-tde). +`pg_tde` is compatible with Fortanix Data Security Manager (DSM) via the KMIP protocol. For a full setup guide, see [the Fortanix KMIP documentation here](https://support.fortanix.com/docs/users-guide-account-client-configurations?highlight=KMIP#23-kmip-clients). ## Recommended Configuration Steps -1. Enable KMIP for your Fortanix DSM instance. +1. To setup (https://support.fortanix.com/docs/using-fortanix-data-security-manager-for-percona-mysql-encryption-at-rest) 2. Generate or obtain a client certificate and private key from Fortanix DSM. 3. Ensure you store the certificates securely and enable them for PostgreSQL. @@ -13,7 +13,7 @@ ```sql SELECT pg_tde_add_global_key_provider_kmip( 'fortanix_kms_provider', - 'kms.fortanix.com', + 'your-region.kms.fortanix.com', -- Replace with your actual Fortanix DSM endpoint 5696, '/path/to/fortanix-client-cert.pem', '/path/to/fortanix-client-key.pem', @@ -21,5 +21,10 @@ SELECT pg_tde_add_global_key_provider_kmip( ); ``` +!!! note + Replace 'your-region.kms.fortanix.com' with the actual KMIP endpoint for your Fortanix DSM instance. + Fortanix uses region-specific or tenant-specific KMIP domains (e.g., eu.kms.fortanix.com, us.kms.fortanix.com). + Refer to your DSM dashboard or administrator to confirm the correct value. + !!! note Replace the above paths with the actual certificate locations on your PostgreSQL host. From 91e3e05e0491f5612274a5b241f3f32d949db831 Mon Sep 17 00:00:00 2001 
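Review bot: step 1 now reads "To setup (https://...)" which is a sentence fragment with a bare URL, and the URL points at the Fortanix guide for Percona Server for MySQL encryption at rest, not PostgreSQL; if that guide is the intended reference, link it with markdown link text and say explicitly that only the DSM-side client setup applies here. In the new note, `eu.kms.fortanix.com` and `us.kms.fortanix.com` are offered as real examples ("e.g.") while the SQL comment two hunks above calls the same host a placeholder to be replaced; these two statements contradict each other, so either confirm the exact endpoint names against the Fortanix DSM documentation or mark them as illustrative in both places.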
From: Dragos Andriciuc Date: Mon, 2 Jun 2025 15:02:47 +0300 Subject: [PATCH 3/7] Update kmip-fortanix.md updated setup step 1 from recommended steps --- .../docs/global-key-provider-configuration/kmip-fortanix.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md index ef6a472babded..ded6defc6977f 100644 --- a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md +++ b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md @@ -4,7 +4,7 @@ ## Recommended Configuration Steps -1. To setup (https://support.fortanix.com/docs/using-fortanix-data-security-manager-for-percona-mysql-encryption-at-rest) +1. To setup [see the following documentation](https://support.fortanix.com/docs/using-fortanix-data-security-manager-for-percona-mysql-encryption-at-rest). 2. Generate or obtain a client certificate and private key from Fortanix DSM. 3. Ensure you store the certificates securely and enable them for PostgreSQL. From c7bee3e6b21d044d3c17dce2abc8c7e232643c9a Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Tue, 3 Jun 2025 10:47:00 +0300 Subject: [PATCH 4/7] improved config steps improved steps, still would like each step to be more descriptive though --- .../global-key-provider-configuration/kmip-fortanix.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md index ded6defc6977f..f5268e9bd6221 100644 --- a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md +++ b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md 
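Review bot: the bare URL is now a proper markdown link, but the target is still the Percona Server for MySQL guide and the sentence still opens with "To setup" (should be "To set up"); suggest "1. Configure the KMIP client in Fortanix DSM, [see the Fortanix documentation](…)." so the step names the action the reader is expected to perform rather than just pointing away from the page.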
@@ -4,9 +4,10 @@ ## Recommended Configuration Steps -1. To setup [see the following documentation](https://support.fortanix.com/docs/using-fortanix-data-security-manager-for-percona-mysql-encryption-at-rest). -2. Generate or obtain a client certificate and private key from Fortanix DSM. -3. Ensure you store the certificates securely and enable them for PostgreSQL. +1. Obtain a client certificate, private key, and CA certificate from Fortanix DSM. +2. Ensure you store the certificates securely. +3. Register Fortanix DSM with `pg_tde`, see [the following example](#example-configuration-sql). +4. Enable `pg_tde` and restart PostgreSQL, see [the following topic](../setup.md#configure-pg_tde). ## Example Configuration SQL From b4ab0ca326ca4771c88570983631be52f288175a Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Thu, 5 Jun 2025 12:09:10 +0300 Subject: [PATCH 5/7] Update kmip-fortanix.md removed recommended config steps and I pointed the user to the Adding or modifying KMIP providers topic for examples of config files --- .../kmip-fortanix.md | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md index f5268e9bd6221..2aef00ee4a6e1 100644 --- a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md +++ b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md 
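Review bot: steps 3 and 4 are in the wrong order. Step 3 calls `pg_tde_add_global_key_provider_kmip`, which only exists once the extension is loaded and created, yet step 4 is "Enable `pg_tde` and restart PostgreSQL"; swap them so the reader enables and restarts first, then registers the provider. Step 2, "Ensure you store the certificates securely", still gives no concrete check; state that the client key from step 1 must be readable only by the PostgreSQL server's OS user. The relative link `../setup.md#configure-pg_tde` and the in-page anchor `#example-configuration-sql` are only valid if those headings exist with exactly that text; please verify them in a local mkdocs build, since a broken anchor is silent.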
@@ -2,26 +2,10 @@ `pg_tde` is compatible with Fortanix Data Security Manager (DSM) via the KMIP protocol. For a full setup guide, see [the Fortanix KMIP documentation here](https://support.fortanix.com/docs/users-guide-account-client-configurations?highlight=KMIP#23-kmip-clients). -## Recommended Configuration Steps - -1. Obtain a client certificate, private key, and CA certificate from Fortanix DSM. -2. Ensure you store the certificates securely. -3. Register Fortanix DSM with `pg_tde`, see [the following example](#example-configuration-sql). -4. Enable `pg_tde` and restart PostgreSQL, see [the following topic](../setup.md#configure-pg_tde). +For more information on adding or modifying the provider, see the [Adding or modifying KMIP providers](https://docs.percona.com/pg-tde/functions.html?h=pg_tde_add_global_key_provider_kmip#adding-or-modifying-kmip-providers) topic. ## Example Configuration SQL -```sql -SELECT pg_tde_add_global_key_provider_kmip( - 'fortanix_kms_provider', - 'your-region.kms.fortanix.com', -- Replace with your actual Fortanix DSM endpoint - 5696, - '/path/to/fortanix-client-cert.pem', - '/path/to/fortanix-client-key.pem', - '/path/to/fortanix-ca-cert.pem' -); -``` - !!! note Replace 'your-region.kms.fortanix.com' with the actual KMIP endpoint for your Fortanix DSM instance. Fortanix uses region-specific or tenant-specific KMIP domains (e.g., eu.kms.fortanix.com, us.kms.fortanix.com). From 20bbed17e47c2aaf9a0896ae50bd97a3ce9a2456 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Thu, 5 Jun 2025 12:10:30 +0300 Subject: [PATCH 6/7] Update kmip-fortanix.md removed example config title --- .../docs/global-key-provider-configuration/kmip-fortanix.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md index 2aef00ee4a6e1..2520d81155a49 100644 
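Review bot: this hunk deletes the SQL example but leaves both notes that refer to it ("Replace 'your-region.kms.fortanix.com' with...", "Replace the above paths...") and the now-empty "## Example Configuration SQL" heading, so the page at this commit references an example that no longer exists. The new link uses the absolute `https://docs.percona.com/pg-tde/functions.html?h=pg_tde_add_global_key_provider_kmip#...` form; the `?h=` parameter is search-highlight residue from the rendered site, and an absolute URL will point at whichever version is published rather than the version being built. If `functions.md` is in this same docs tree, prefer a relative `../functions.md#adding-or-modifying-kmip-providers` link.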
--- a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md +++ b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md @@ -4,8 +4,6 @@ For more information on adding or modifying the provider, see the [Adding or modifying KMIP providers](https://docs.percona.com/pg-tde/functions.html?h=pg_tde_add_global_key_provider_kmip#adding-or-modifying-kmip-providers) topic. -## Example Configuration SQL - !!! note Replace 'your-region.kms.fortanix.com' with the actual KMIP endpoint for your Fortanix DSM instance. Fortanix uses region-specific or tenant-specific KMIP domains (e.g., eu.kms.fortanix.com, us.kms.fortanix.com). From c483b935ff8d279e6045bebdd9ec3a8ab8a02d09 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Fri, 6 Jun 2025 11:14:47 +0300 Subject: [PATCH 7/7] Update kmip-fortanix.md removed out of date notes, not needed as we don't explain config --- .../global-key-provider-configuration/kmip-fortanix.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md index 2520d81155a49..edc09daf51af8 100644 --- a/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md +++ b/contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-fortanix.md 
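Review bot: removing the heading is the right follow-up, but the two notes below it still refer to a host placeholder and "the above paths" that were removed in the previous patch, so the page is still inconsistent after this commit. Patches 5, 6 and 7 are one logical change (drop the inline example and its notes, point at the functions reference); consider squashing them so that every commit in the series leaves the page self-consistent.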
@@ -3,11 +3,3 @@ `pg_tde` is compatible with Fortanix Data Security Manager (DSM) via the KMIP protocol. For a full setup guide, see [the Fortanix KMIP documentation here](https://support.fortanix.com/docs/users-guide-account-client-configurations?highlight=KMIP#23-kmip-clients). For more information on adding or modifying the provider, see the [Adding or modifying KMIP providers](https://docs.percona.com/pg-tde/functions.html?h=pg_tde_add_global_key_provider_kmip#adding-or-modifying-kmip-providers) topic. - -!!! note - Replace 'your-region.kms.fortanix.com' with the actual KMIP endpoint for your Fortanix DSM instance. - Fortanix uses region-specific or tenant-specific KMIP domains (e.g., eu.kms.fortanix.com, us.kms.fortanix.com). - Refer to your DSM dashboard or administrator to confirm the correct value. - -!!! note - Replace the above paths with the actual certificate locations on your PostgreSQL host.
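Review bot: after this hunk the page carries no Fortanix-specific information at all, only two outbound links, so a reader learns nothing here that the generic KMIP page does not already say. The earlier revision's one concrete requirement, that the client certificate, private key and CA certificate are obtained from Fortanix DSM and must be available on the PostgreSQL host, is worth keeping as a single sentence even without a full example. The remaining Fortanix link also carries `?highlight=KMIP`, which is search-result residue and should be dropped from the URL.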