From a8829b543ea085e0b5c389e59bfd2541326e75e3 Mon Sep 17 00:00:00 2001
From: Andreas Karlsson
Date: Mon, 11 Aug 2025 18:01:10 +0200
Subject: [PATCH 01/13] PG-1832 Document pg_tde's archive and restore commands Initial quick documentation for the two new CLI commands. We want to improve this futuer in the future plus add a proper guide for how to set up a complete solution.
---
 .../docs/command-line-tools/cli-tools.md | 15 ++++++++----
 .../pg-tde-archive-decrypt.md | 23 +++++++++++++++++++
 .../pg-tde-restore-encrypt.md | 21 +++++++++++++++++
 contrib/pg_tde/documentation/mkdocs.yml | 4 +++-
 4 files changed, 58 insertions(+), 5 deletions(-)
 create mode 100644 contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md
 create mode 100644 contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md
diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md b/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md
index e0edeb4b5de32..7dba5ed41625d 100644
--- a/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md
+++ b/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md
@@ -1,7 +1,14 @@ # Overview of pg_tde CLI tools -The `pg_tde` extension introduces new command-line utilities and extends some existing PostgreSQL tools to support encrypted WAL and tables. These include: +The `pg_tde` extension introduces new command-line utilities and extends some existing PostgreSQL tools to support encrypted WAL and tables. -* [pg_tde_change_key_provider](../command-line-tools/pg-tde-change-key-provider.md): change encryption key provider for a database -* [pg_waldump](../command-line-tools/pg-waldump.md): inspect and decrypt WAL files -* [pg_checksums](../command-line-tools/pg-tde-checksums.md): verify data checksums (non-encrypted files only) +## New tools + +* [pg_tde_change_key_provider](./pg-tde-change-key-provider.md): change encryption key provider for a database +* [pg_tde_archive_decrypt](./pg-tde-archive-decrypt.md): custom archive command for archiving plaintext WAL +* [pg_tde_restore_encrypt](./pg-tde-restore-encrypt.md): custome restore command for making sure restored WAL is encrypted + +## Extended tools + +* [pg_checksums](./pg-tde-checksums.md): verify data checksums (non-encrypted files only) +* [pg_waldump](./pg-waldump.md): inspect and decrypt WAL files diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md new file mode 100644 index 0000000000000..bd26deb63db4b --- /dev/null +++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md 
@@ -0,0 +1,23 @@
+# pg_tde_archive_decrypt
+
+Helper command to archive WAL segments in uncrypted form. This is necessary since the WAL encryption keys in the two-key hierarchy (see [Architecture](../architecture/architcture.md)) are specific to the host which generated them and may not be available at the machine which will replay the WAL.
+
+The command wraps your normal archive command and creates a temporary file on a RAM disk, `/dev/shm`, which is then fed as input to your archive command.
+
+This command is often use in conjunction with [pg_tde_restore_encrypt](./pg-tde-restore-encrypt.md).
+
+To use this safely make sure to encrypt the files stored in your WAL archive which is supported by e.g. PgBackRest.
+
+## Examples
+
+Simple example using `cp`:
+
+```ini
+archive_command = '/lib/postgresql/17/bin/pg_tde_archive_decrypt %p cp %p /archive/%f'
+```
+
+With PgBackRest:
+
+```ini
+archive_command = '/lib/postgresql/17/bin/pg_tde_archive_decrypt %p pgbackrest --stanza=tde archive-push %p'
+```
diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md
new file mode 100644
index 0000000000000..9300d8ca795b7
--- /dev/null
+++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md
@@ -0,0 +1,21 @@ +# pg_tde_restore_encrypt + +Helper command to take unecrypted segments from the WAL archive and write them to disk in a format which `pg_tde` understands. + +The command wraps your normal restore command and has it write the file from the archive to a temporary file on a RAM disk, `/dev/shm` before copying it into PostgreSQL's data directory. + +This command is often use in conjunction with [pg_tde_archive_decrypt](./pg-tde-archive-decrypt.md). + +## Examples + +Simple example using `cp`: + +```ini +restore_command = '/lib/postgresql/17/bin/pg_tde_restore_enrypt %f %p cp /archive/%f %p' +``` + +With PgBackRest add something like the following to `/etc/pgbackrest.conf` or to the command line: + +```ini +recovery-option=restore_command=/lib/postgresql/17/bin/pg_tde_restore_encrypt %f %p pgbackrest --stanza=demo archive-get %f "%p" +``` diff --git a/contrib/pg_tde/documentation/mkdocs.yml b/contrib/pg_tde/documentation/mkdocs.yml index 43725bb5de5e6..bca17fb3742ad 100644 --- a/contrib/pg_tde/documentation/mkdocs.yml +++ b/contrib/pg_tde/documentation/mkdocs.yml @@ -196,8 +196,10 @@ nav: - "pg_tde CLI Tools": - "Overview": command-line-tools/cli-tools.md - "pg_tde_change_key_provider": command-line-tools/pg-tde-change-key-provider.md - - "pg_waldump": command-line-tools/pg-waldump.md + - "pg_tde_archive_decrypt": command-line-tools/pg-tde-archive-decrypt.md + - "pg_tde_restore_encrypt": command-line-tools/pg-tde-restore-encrypt.md - "pg_checksums": command-line-tools/pg-tde-checksums.md + - "pg_waldump": command-line-tools/pg-waldump.md - "Uninstall pg_tde": how-to/uninstall.md - "Configure Multi-tenancy": how-to/multi-tenant-setup.md - "Encryption Enforcement": how-to/enforcement.md From 3e3c9f4d5c3d0c23589a57677a7c7e0e111a7e74 Mon Sep 17 00:00:00 2001 
From: Dragos Andriciuc
Date: Wed, 13 Aug 2025 13:31:27 +0300
Subject: [PATCH 02/13] update pg-tde-archive-decrypt.md with new commands and clarity in text descriptions
---
 .../pg-tde-archive-decrypt.md | 48 +++++++++++++++----
 1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md
index bd26deb63db4b..6e062ff8eb238 100644
--- a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md
+++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md
@@ -1,23 +1,55 @@ # pg_tde_archive_decrypt -Helper command to archive WAL segments in uncrypted form. This is necessary since the WAL encryption keys in the two-key hierarchy (see [Architecture](../architecture/architcture.md)) are specific to the host which generated them and may not be available at the machine which will replay the WAL. +The `pg_tde_archive_decrypt` tool wraps an archive command and decrypts WAL files before archiving. It allows external tools to access unencrypted WAL data, which is required because WAL encryption keys in the two-key hierarchy are host-specific and may not be available on the replay host. -The command wraps your normal archive command and creates a temporary file on a RAM disk, `/dev/shm`, which is then fed as input to your archive command. +!!! tip -This command is often use in conjunction with [pg_tde_restore_encrypt](./pg-tde-restore-encrypt.md). + For more information on the encryption architecture and key hierarchy, see [Architecture](../architecture/architcture.md). -To use this safely make sure to encrypt the files stored in your WAL archive which is supported by e.g. PgBackRest. +This tool is often use in conjunction with [pg_tde_restore_encrypt](./pg-tde-restore-encrypt.md) to support WAL archive. + +## How it works + +* Decrypts the WAL segment to a temporary file on a RAM disk (/dev/shm) +* Replaces %p and %f placeholders with the path and name of the decrypted file +* Passes the result to the specified archive command + +!!! note + + To ensure security, encrypt the files stored in your WAL archive using tools like `PgBackRest`. + +## Usage + +```bash +pg_tde_archive_decrypt [OPTION] +pg_tde_archive_decrypt DEST-NAME SOURCE-PATH ARCHIVE-COMMAND +``` + +## Parameter descriptions + +* `DEST-NAME`: name of the WAL file to send to the archive +* `SOURCE-PATH`: path to the original encrypted WAL file +* `ARCHIVE-COMMAND`: archive command to wrap. 
`%p` and `%f` are replaced with the decrypted WAL file path and WAL file name, respectively. + +## Options + +* `-V, --version`: show version information, then exit +* `-?, --help`: show help information, then exit + +!!! note + + Any %f or %p parameter in `ARCHIVE-COMMAND` has to be escaped as `%%f` or `%%p` respectively if used as `archive_command` in `postgresql.conf`. ## Examples -Simple example using `cp`: +### Using `cp` ```ini -archive_command = '/lib/postgresql/17/bin/pg_tde_archive_decrypt %p cp %p /archive/%f' +archive_command='pg_tde_archive_decrypt %f %p "cp %%p /mnt/server/archivedir/%%f"' ``` -With PgBackRest: +### Using `PgBackRest` ```ini -archive_command = '/lib/postgresql/17/bin/pg_tde_archive_decrypt %p pgbackrest --stanza=tde archive-push %p' +archive_command='pg_tde_archive_decrypt %f %p "pgbackrest --stanza=your_stanza archive-push %%p"' ``` From f8b115f62742eeabd4f586e2584376842d83699e Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 13 Aug 2025 13:32:05 +0300 Subject: [PATCH 03/13] update cli-tools.md with paragraphs explainint New and extended tools --- .../documentation/docs/command-line-tools/cli-tools.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md b/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md index 7dba5ed41625d..9d1cff1cd2245 100644 --- a/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md +++ b/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md 
@@ -4,11 +4,15 @@ The `pg_tde` extension introduces new command-line utilities and extends some ex ## New tools -* [pg_tde_change_key_provider](./pg-tde-change-key-provider.md): change encryption key provider for a database -* [pg_tde_archive_decrypt](./pg-tde-archive-decrypt.md): custom archive command for archiving plaintext WAL -* [pg_tde_restore_encrypt](./pg-tde-restore-encrypt.md): custome restore command for making sure restored WAL is encrypted +These tools are introduced by `pg_tde` to support key rotation and WAL encryption workflows: + +* [pg_tde_change_key_provider](./pg-tde-change-key-provider.md): change the encryption key provider for a database +* [pg_tde_archive_decrypt](./pg-tde-archive-decrypt.md): a custom archive command for archiving plaintext WAL +* [pg_tde_restore_encrypt](./pg-tde-restore-encrypt.md): a custom restore command for making sure the restored WAL is encrypted ## Extended tools +These existing PostgreSQL tools are enhanced to support `pg_tde`: + * [pg_checksums](./pg-tde-checksums.md): verify data checksums (non-encrypted files only) * [pg_waldump](./pg-waldump.md): inspect and decrypt WAL files From ee8a4704402efd9a487ffa90a983ed8c3d80d1cd Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 13 Aug 2025 13:32:39 +0300 Subject: [PATCH 04/13] replace Tools with tool in TOC for CLI tools --- contrib/pg_tde/documentation/mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/mkdocs.yml b/contrib/pg_tde/documentation/mkdocs.yml index bca17fb3742ad..39c1c4eec0330 100644 --- a/contrib/pg_tde/documentation/mkdocs.yml +++ b/contrib/pg_tde/documentation/mkdocs.yml 
@@ -193,7 +193,7 @@ nav: - "Functions": functions.md - "Streaming Replication with tde_heap": replication.md - "TDE operations": - - "pg_tde CLI Tools": + - "pg_tde CLI tools": - "Overview": command-line-tools/cli-tools.md - "pg_tde_change_key_provider": command-line-tools/pg-tde-change-key-provider.md - "pg_tde_archive_decrypt": command-line-tools/pg-tde-archive-decrypt.md From 6fe930537ca4ef4238e63538f4757f8250f94b48 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 13 Aug 2025 14:59:48 +0300 Subject: [PATCH 05/13] change how it works bullets to numbers --- .../docs/command-line-tools/pg-tde-archive-decrypt.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md index 6e062ff8eb238..5e52b3aef9997 100644 --- a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md +++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md @@ -10,9 +10,9 @@ This tool is often use in conjunction with [pg_tde_restore_encrypt](./pg-tde-res ## How it works -* Decrypts the WAL segment to a temporary file on a RAM disk (/dev/shm) -* Replaces %p and %f placeholders with the path and name of the decrypted file -* Passes the result to the specified archive command +1. Decrypts the WAL segment to a temporary file on a RAM disk (/dev/shm) +2. Replaces %p and %f placeholders with the path and name of the decrypted file +3. Passes the result to the specified archive command !!! note From 342056860fcda929995d34d5dfc95037fc191d8d Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 13 Aug 2025 15:08:59 +0300 Subject: [PATCH 06/13] Update pg-tde-restore-encrypt tool with new information and better descriptions for clarity --- .../pg-tde-restore-encrypt.md | 42 +++++++++++++++---- 1 file changed, 35 insertions(+), 7 deletions(-) 
diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md
index 9300d8ca795b7..82e6dbb1994aa 100644
--- a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md
+++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md
@@ -1,21 +1,49 @@ # pg_tde_restore_encrypt -Helper command to take unecrypted segments from the WAL archive and write them to disk in a format which `pg_tde` understands. +The `pg_tde_restore_encrypt` tool wraps a normal restore command from the WAL archive and writes them to disk in a format compatible with `pg_tde`. -The command wraps your normal restore command and has it write the file from the archive to a temporary file on a RAM disk, `/dev/shm` before copying it into PostgreSQL's data directory. +!!! note -This command is often use in conjunction with [pg_tde_archive_decrypt](./pg-tde-archive-decrypt.md). + This command is often use together with [pg_tde_archive_decrypt](./pg-tde-archive-decrypt.md). + +## How it works + +1. Calls the configured restore command +2. The restore command writes the WAL file from the archive to a temporary RAM disk file (`/dev/shm`) +3. Copies that file to the PostgreSQL data directory + +## Usage + +```bash +pg_tde_restore_encrypt [OPTION] +pg_tde_restore_encrypt SOURCE-NAME DEST-PATH RESTORE-COMMAND +``` + +## Parameter descriptions + +* `SOURCE-NAME`: name of the WAL file to retrieve from the archive +* `DEST-PATH`: path where the encrypted WAL file should be written +* `RESTORE-COMMAND`: restore command to wrap; `%p` and `%f` are replaced with the WAL file name and path to write the unencrypted WAL, respectively + +## Options + +* `-V, --version`: show version information, then exit +* `-?, --help`: show help information, then exit + +!!! note + + Any `%f` or `%p` parameter in `RESTORE-COMMAND` has to be escaped as `%%f` or `%%p` respectively if used as `restore_command` in `postgresql.conf`. 
## Examples -Simple example using `cp`: +### Using `cp` ```ini -restore_command = '/lib/postgresql/17/bin/pg_tde_restore_enrypt %f %p cp /archive/%f %p' +restore_command='pg_tde_restore_encrypt %f %p "cp /mnt/server/archivedir/%%f %%p"' ``` -With PgBackRest add something like the following to `/etc/pgbackrest.conf` or to the command line: +### Using `PgBackRest` ```ini -recovery-option=restore_command=/lib/postgresql/17/bin/pg_tde_restore_encrypt %f %p pgbackrest --stanza=demo archive-get %f "%p" +restore_command='pg_tde_restore_encrypt %f %p "pgbackrest --stanza=your_stanza archive-get %%f \"%%p\""' ``` From 36d55950f5bd6586c05a721df016b861d4729553 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 13 Aug 2025 15:10:27 +0300 Subject: [PATCH 07/13] add missing `` to several params --- .../docs/command-line-tools/pg-tde-archive-decrypt.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md index 5e52b3aef9997..3ba61df89d21e 100644 --- a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md +++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md @@ -10,8 +10,8 @@ This tool is often use in conjunction with [pg_tde_restore_encrypt](./pg-tde-res ## How it works -1. Decrypts the WAL segment to a temporary file on a RAM disk (/dev/shm) -2. Replaces %p and %f placeholders with the path and name of the decrypted file +1. Decrypts the WAL segment to a temporary file on a RAM disk (`/dev/shm`) +2. Replaces `%p` and `%f` placeholders with the path and name of the decrypted file 3. Passes the result to the specified archive command !!! note 
@@ -38,7 +38,7 @@ pg_tde_archive_decrypt DEST-NAME SOURCE-PATH ARCHIVE-COMMAND !!! note - Any %f or %p parameter in `ARCHIVE-COMMAND` has to be escaped as `%%f` or `%%p` respectively if used as `archive_command` in `postgresql.conf`. + Any `%f` or `%p` parameter in `ARCHIVE-COMMAND` has to be escaped as `%%f` or `%%p` respectively if used as `archive_command` in `postgresql.conf`. ## Examples From 16b8d3c1782258083985d6622816370f0a62a8cf Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 13 Aug 2025 15:19:23 +0300 Subject: [PATCH 08/13] updated how it works with better described text --- .../docs/command-line-tools/pg-tde-archive-decrypt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md index 3ba61df89d21e..92c3d77cf5cc6 100644 --- a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md +++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md @@ -11,8 +11,8 @@ This tool is often use in conjunction with [pg_tde_restore_encrypt](./pg-tde-res ## How it works 1. Decrypts the WAL segment to a temporary file on a RAM disk (`/dev/shm`) -2. Replaces `%p` and `%f` placeholders with the path and name of the decrypted file -3. Passes the result to the specified archive command +2. Replaces `%p` and `%f` in the archive command with the path and name of the decrypted file +3. Executes the archive command !!! note From 948c8f1544acc44d90ee3422270e6c8ff385b95a Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 13 Aug 2025 15:25:04 +0300 Subject: [PATCH 09/13] update text in how it works for restore-encrypt --- .../docs/command-line-tools/pg-tde-restore-encrypt.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md index 82e6dbb1994aa..338546cf25965 100644 --- a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md +++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md @@ -8,9 +8,9 @@ The `pg_tde_restore_encrypt` tool wraps a normal restore command from the WAL ar ## How it works -1. Calls the configured restore command -2. The restore command writes the WAL file from the archive to a temporary RAM disk file (`/dev/shm`) -3. Copies that file to the PostgreSQL data directory +1. Replaces `%f` and `%p` in the restore command with the WAL file name and temporary file path (in `/dev/shm`) +2. Runs the restore command to fetch the unencrypted WAL from the archive and write it to the temp file +3. Encrypts the temp file and writes the result to the final destination path in PostgreSQL’s data directory ## Usage From ded01009a50a5981a9b0e9eb90e7028cc49b12f3 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 13 Aug 2025 15:36:32 +0300 Subject: [PATCH 10/13] minor text fix for restore-encrypt how it works --- .../docs/command-line-tools/pg-tde-restore-encrypt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md index 338546cf25965..7435de2d0b761 100644 --- a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md +++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-restore-encrypt.md 
@@ -10,7 +10,7 @@ The `pg_tde_restore_encrypt` tool wraps a normal restore command from the WAL ar 1. Replaces `%f` and `%p` in the restore command with the WAL file name and temporary file path (in `/dev/shm`) 2. Runs the restore command to fetch the unencrypted WAL from the archive and write it to the temp file -3. Encrypts the temp file and writes the result to the final destination path in PostgreSQL’s data directory +3. Encrypts the temp file and writes it to the destination path in PostgreSQL’s data directory ## Usage From 0d0493038fe704ef76f3d2da63a78a5606972d9d Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 13 Aug 2025 16:19:47 +0300 Subject: [PATCH 11/13] updated archive-decrypt tool description for clarity --- .../pg_tde/documentation/docs/command-line-tools/cli-tools.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md b/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md index 9d1cff1cd2245..aac0c8d2f0680 100644 --- a/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md +++ b/contrib/pg_tde/documentation/docs/command-line-tools/cli-tools.md @@ -7,7 +7,7 @@ The `pg_tde` extension introduces new command-line utilities and extends some ex These tools are introduced by `pg_tde` to support key rotation and WAL encryption workflows: * [pg_tde_change_key_provider](./pg-tde-change-key-provider.md): change the encryption key provider for a database -* [pg_tde_archive_decrypt](./pg-tde-archive-decrypt.md): a custom archive command for archiving plaintext WAL +* [pg_tde_archive_decrypt](./pg-tde-archive-decrypt.md): decrypts WAL before archiving * [pg_tde_restore_encrypt](./pg-tde-restore-encrypt.md): a custom restore command for making sure the restored WAL is encrypted ## Extended tools From b3b7e89b1fcf7c8808c9a7d634bfeaed7efecace Mon Sep 17 00:00:00 2001 
From: Dragos Andriciuc Date: Wed, 20 Aug 2025 10:58:39 +0300 Subject: [PATCH 12/13] Update the Features topic buttons for better clarity (#508) --- contrib/pg_tde/documentation/docs/features.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/docs/features.md b/contrib/pg_tde/documentation/docs/features.md index aa8703fc42bca..3f51c25aceaac 100644 --- a/contrib/pg_tde/documentation/docs/features.md +++ b/contrib/pg_tde/documentation/docs/features.md @@ -19,4 +19,8 @@ The following features are available for the extension: * Table-level granularity for encryption and access control * Multiple [Key management options](global-key-provider-configuration/index.md) -[Learn more about TDE and pg_tde :material-arrow-right:](index/about-tde.md){.md-button} [Get started with installation :material-arrow-right:](install.md){.md-button} +## Next steps + +Learn more about how `pg_tde` implements Transparent Data Encryption: + +[About Transparent Data Encryption :material-arrow-right:](index/about-tde.md){.md-button} From a6680d8257734fb19bbfb5e8ddb2ef5174dea1e9 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 20 Aug 2025 11:01:32 +0300 Subject: [PATCH 13/13] fix a word --- .../docs/command-line-tools/pg-tde-archive-decrypt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md index 92c3d77cf5cc6..0b63ab5212dcf 100644 --- a/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md +++ b/contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-archive-decrypt.md 
@@ -6,7 +6,7 @@ The `pg_tde_archive_decrypt` tool wraps an archive command and decrypts WAL file For more information on the encryption architecture and key hierarchy, see [Architecture](../architecture/architcture.md). -This tool is often use in conjunction with [pg_tde_restore_encrypt](./pg-tde-restore-encrypt.md) to support WAL archive. +This tool is often used in conjunction with [pg_tde_restore_encrypt](./pg-tde-restore-encrypt.md) to support WAL archive. ## How it works