Skip to content

Create enforcement.md - Encryption Enforcement topic #403

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 19 commits into
base: release-17.5.2
Choose a base branch
from
Draft

Create enforcement.md - Encryption Enforcement topic #403

wants to merge 19 commits into from

Conversation

Andriciuc
Copy link
Collaborator

Writing a general topic regarding Encrpytion Enforcement from pg_tde perspective, requires heavy review.

@Andriciuc
initial encryption enforcement doc
edbf109 
populated with encryption enforcement
@Andriciuc Andriciuc self-assigned this Jun 9, 2025
@Andriciuc Andriciuc added the documentation Improvements or additions to documentation label Jun 9, 2025
@nastena1606 nastena1606 temporarily deployed to docs-create-enforcement - INTERNAL-pg_tde docs PR #403 June 9, 2025 12:33 — with Render Destroyed
Andriciuc added 2 commits June 9, 2025 16:55
@Andriciuc
Update enforcement.md
4ceee41 
updated with future steps to enforce encrypt
@Andriciuc
Merge branch 'docs-create-enforcement' of https://github.com/percona/…
127cffa 
…postgres into docs-create-enforcement
@codecov-commenter
Copy link

codecov-commenter commented Jun 9, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.65%. Comparing base (5610639) to head (3cbbf9a).

❌ Your project status has failed because the head coverage (84.65%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files 
@@                Coverage Diff                 @@
##           release-17.5.2     #403      +/-   ##
==================================================
- Coverage           84.66%   84.65%   -0.01%     
==================================================
  Files                  21       21              
  Lines                2589     2588       -1     
  Branches              402      401       -1     
==================================================
- Hits                 2192     2191       -1     
  Misses                316      316              
  Partials               81       81
Components Coverage Δ
access 81.11% <ø> (ø)
catalog 88.22% <ø> (ø)
common 77.77% <ø> (ø)
encryption 73.45% <ø> (ø)
keyring 72.88% <ø> (ø)
src 91.44% <ø> (ø)
smgr 94.85% <ø> (-0.03%) ⬇️
transam ∅ <ø> (∅)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

dutow
dutow requested changes Jun 10, 2025
View reviewed changes
@Andriciuc
Update enforcement.md
dcb6259 
removed table space encryption
@Andriciuc
Update enforcement.md
cbdf83e 
updated the enforce_encryption description
@Andriciuc Andriciuc changed the title Create Encryption Enforcement topic Create enforcement.md - Encryption Enforcement topic Jun 10, 2025
@Andriciuc
Update enforcement.md
6d27b14 
added a note that clarifies unauthorized user access and how superusers can still bypass the forced encryption table creation
dutow
dutow reviewed Jun 11, 2025
View reviewed changes
Copy link
Collaborator

@dutow dutow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now my generic problem with this PR is that this new page doesn't provide any additional information compared to the GUC page. In fact, it provides less, as the GUC page at least explains to an extent what are the different allowed scopes of the variable.

Jan asked for scenarios to be documented, I guess he meant things like:

  • Specific example how to enforce encryption to the entire server
  • Specific example how to enforce encryption to only a single database with ALTER DATABASE SET
  • Example that superusers can override the variable at session level, so that they can create non encrypted tables in that session (the usecase I described on slack)
  • Maybe also an example of enforcing encryption to a specific user with ALTER USER

Which is basically adding actual examples to the "Use the following techniques..." section

@Andriciuc
Update enforcement.md
04f6276 
small update to the note describing superuser actions properly
@Andriciuc Andriciuc changed the base branch from TDE_REL_17_STABLE to release-17.5.2 June 16, 2025 11:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dutow dutow dutow requested changes

@nastena1606 nastena1606 Awaiting requested review from nastena1606 nastena1606 will be requested when the pull request is marked ready for review nastena1606 is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

@Andriciuc Andriciuc

Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Andriciuc @codecov-commenter @dutow @nastena1606