
Create enforcement.md - Encryption Enforcement topic #403


Open
wants to merge 21 commits into
base: release-17.5.2

Andriciuc
Collaborator

Writing a general topic regarding Encryption Enforcement from the pg_tde perspective; requires heavy review.

populated with encryption enforcement
@Andriciuc Andriciuc self-assigned this Jun 9, 2025
@Andriciuc Andriciuc added the documentation Improvements or additions to documentation label Jun 9, 2025
@nastena1606 nastena1606 temporarily deployed to docs-create-enforcement - INTERNAL-pg_tde docs PR #403 June 9, 2025 12:33 — with Render Destroyed
Andriciuc added 2 commits June 9, 2025 16:55
updated with future steps to enforce encrypt

codecov-commenter commented Jun 9, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Please upload report for BASE (release-17.5.2@f631496). Learn more about missing BASE report.

Additional details and impacted files
@@                Coverage Diff                @@
##             release-17.5.2     #403   +/-   ##
=================================================
  Coverage                  ?   84.67%           
=================================================
  Files                     ?       21           
  Lines                     ?     2590           
  Branches                  ?      401           
=================================================
  Hits                      ?     2193           
  Misses                    ?      316           
  Partials                  ?       81           
Components Coverage Δ
access 81.11% <0.00%> (?)
catalog 88.22% <0.00%> (?)
common 77.77% <0.00%> (?)
encryption 73.45% <0.00%> (?)
keyring 72.88% <0.00%> (?)
src 91.48% <0.00%> (?)
smgr 94.85% <0.00%> (?)
transam ∅ <0.00%> (?)

removed table space encryption
updated the enforce_encryption description
added a note that clarifies unauthorized user access and how superusers can still bypass the forced encryption table creation
Collaborator

@dutow dutow left a comment


Now my generic problem with this PR is that this new page doesn't provide any additional information compared to the GUC page. In fact, it provides less, as the GUC page at least explains to an extent what the different allowed scopes of the variable are.

Jan asked for scenarios to be documented, I guess he meant things like:

  • Specific example how to enforce encryption to the entire server
  • Specific example how to enforce encryption to only a single database with ALTER DATABASE SET
  • Example that superusers can override the variable at session level, so that they can create non-encrypted tables in that session (the use case I described on Slack)
  • Maybe also an example of enforcing encryption to a specific user with ALTER USER

Which is basically adding actual examples to the "Use the following techniques..." section
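
The four scenarios listed in the review comment above, sketched as an added example that is not part of the PR or of the pg_tde documentation. The database `appdb`, the role `app_writer` and the table names are hypothetical; the script assumes pg_tde is loaded, a principal key is already configured, and the session belongs to a superuser.

```sql
-- Assumed names (not from the PR): database appdb, role app_writer, tables t_*.

-- 1. Entire server: persist the setting and reload the configuration.
ALTER SYSTEM SET pg_tde.enforce_encryption = on;
SELECT pg_reload_conf();

-- 2. A single database only.
ALTER DATABASE appdb SET pg_tde.enforce_encryption = on;

-- 3. A specific user only.
ALTER USER app_writer SET pg_tde.enforce_encryption = on;

-- Per-database and per-role values take effect for new sessions.
-- List where the setting has been pinned:
SELECT d.datname, r.rolname, s.setconfig
FROM pg_db_role_setting s
LEFT JOIN pg_database d ON d.oid = s.setdatabase
LEFT JOIN pg_roles r    ON r.oid = s.setrole
WHERE array_to_string(s.setconfig, ',') LIKE '%pg_tde.enforce_encryption%';

-- While enforcement is on, CREATE TABLE must use the tde_heap access method.
CREATE TABLE t_plain (id int) USING heap;      -- rejected under enforcement
CREATE TABLE t_enc   (id int) USING tde_heap;  -- allowed

-- 4. Superuser override, scoped to the current session only.
SET pg_tde.enforce_encryption = off;
CREATE TABLE t_staging (id int) USING heap;    -- unencrypted table, created on purpose
RESET pg_tde.enforce_encryption;

-- Audit: tables and materialized views in this database that are not
-- stored with tde_heap (for example, ones created through the override above).
SELECT n.nspname, c.relname, a.amname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_am a        ON a.oid = c.relam
WHERE c.relkind IN ('r', 'm')
  AND a.amname <> 'tde_heap'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY n.nspname, c.relname;
```

Because a superuser can switch the variable off for a session, the audit query at the end is the check that shows whether unencrypted tables exist regardless of how enforcement is configured.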

small update to the note describing superuser actions properly
@Andriciuc Andriciuc changed the base branch from TDE_REL_17_STABLE to release-17.5.2 June 16, 2025 11:43
Andriciuc and others added 2 commits June 18, 2025 10:31
Added a couple of simple examples to encryption enforcement for user, database and global enforcement using enforce_encryption

Added What does enforcement do (for new users)

Added that you can override enforcement with details possible by superusers only

Updated variables with minor linting and added a link to encryption enforcement for pg_tde.enforce_encryption
@Andriciuc
Collaborator Author

Added a couple of simple examples to encryption enforcement for user, database and global enforcement using enforce_encryption

Added What does enforcement do (for new users)

Added that you can override enforcement with details possible by superusers only

Updated variables with minor linting and added a link to encryption enforcement for pg_tde.enforce_encryption

@Andriciuc Andriciuc marked this pull request as ready for review June 18, 2025 09:11
@Andriciuc Andriciuc requested a review from nastena1606 as a code owner June 18, 2025 09:11
@Andriciuc Andriciuc requested a review from dutow June 18, 2025 09:11