mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fixes docs and missing initdb help option for commit 978f869b99

Browse Source 
Reported-by: Erik Rijkers

Discussion: https://postgr.es/m/a27e7bb60fc4c4a1fe960f7b055ba822@xs4all.nl

Backpatch-through: master
This commit is contained in:
Bruce Momjian 2020-12-25 14:00:12 -05:00
parent 08db7c63f3
commit 26d60f2a6c
2 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
doc/src/sgml/database-encryption.sgml
View File

@ -13,7 +13,7 @@
log from being able to access the data stored in those files. log from being able to access the data stored in those files.
For example, when using cluster file encryption, users who have read For example, when using cluster file encryption, users who have read
access to the cluster directories for backup purposes will not be able access to the cluster directories for backup purposes will not be able
to decrypt the data stored in the these files. to decrypt the data stored in these files.
</para> </para>
<para> <para>
@ -24,7 +24,7 @@
Key one is used to encrypt write-ahead log (WAL) files. Two different Key one is used to encrypt write-ahead log (WAL) files. Two different
keys are used so that primary and standby servers can use different zero keys are used so that primary and standby servers can use different zero
(heap/index/temp) keys, but the same one (WAL) key, so that these keys (heap/index/temp) keys, but the same one (WAL) key, so that these keys
can eventually be rotated by switching the primary to the standby as can eventually be rotated by switching the primary to the standby
and then changing the WAL key. and then changing the WAL key.
</para> </para>
@ -68,7 +68,7 @@ initdb -D dbname --cluster-key-command='ckey_passphrase.sh'
During the <command>initdb</command> process, if During the <command>initdb</command> process, if
<option>--cluster-key-command</option> is specified, two data-level <option>--cluster-key-command</option> is specified, two data-level
encryption keys are created. These two keys are then encrypted with encryption keys are created. These two keys are then encrypted with
the key enryption key (KEK) supplied by the cluster key command before the key encryption key (KEK) supplied by the cluster key command before
being stored in the database directory. The key or passphrase that being stored in the database directory. The key or passphrase that
derives the key must be supplied from the terminal or stored in a derives the key must be supplied from the terminal or stored in a
trusted key store, such as key vault software, hardware security module. trusted key store, such as key vault software, hardware security module.
@ -87,7 +87,7 @@ initdb -D dbname --cluster-key-command='ckey_passphrase.sh'
</para> </para>
<para> <para>
The data encryption keys are randomly generated and are of 128, 192, The data encryption keys are randomly generated and are 128, 192,
or 256-bits in length. They are encrypted by the key encryption key or 256-bits in length. They are encrypted by the key encryption key
(KEK) using Advanced Encryption Standard (<acronym>AES256</acronym>) (KEK) using Advanced Encryption Standard (<acronym>AES256</acronym>)
encryption in Galois/Counter Mode (<acronym>GCM</acronym>), which also encryption in Galois/Counter Mode (<acronym>GCM</acronym>), which also

2
src/bin/initdb/initdb.c
View File

@ -2326,6 +2326,8 @@ usage(const char *progname)
printf(_(" -R, --authprompt prompt for a passphrase or PIN\n")); printf(_(" -R, --authprompt prompt for a passphrase or PIN\n"));
printf(_(" -s, --show show internal settings\n")); printf(_(" -s, --show show internal settings\n"));
printf(_(" -S, --sync-only only sync data directory\n")); printf(_(" -S, --sync-only only sync data directory\n"));
printf(_(" -u, --copy-encryption-keys=DATADIR\n"
" copy the file encryption key from another cluster\n"));
printf(_("\nOther options:\n")); printf(_("\nOther options:\n"));
printf(_(" -V, --version output version information, then exit\n")); printf(_(" -V, --version output version information, then exit\n"));
printf(_(" -?, --help show this help, then exit\n")); printf(_(" -?, --help show this help, then exit\n"));