Disabling the key wrapping

If you don't want key wrapping, for example for testing purposes, you can disable it with either of the following options:

  • You can set the wrap and unwrap commands to the special value - when initializing the cluster with initdb. For example, you can use the flags --key-wrap-command=- and --key-unwrap-command=-.

  • You can disable key wrapping when initializing the cluster with initdb by adding the flag --no-key-wrap.

With either configuration, TDE generates encryption key files but leaves them unprotected.

For initdb --data-encryption to run successfully, you must do one of the following: specify wrapping and unwrapping commands, set the fallback environment variables with wrapping and unwrapping commands, or disable key wrapping with one of the mechanisms above. Otherwise, creating an encrypted database cluster fails.
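The following is an added example, not part of the original documentation: a POSIX shell pre-flight check that a provisioning script can run over its initdb arguments to tell whether the resulting cluster would have a wrapped key, an unprotected key, or no usable key-wrapping configuration. The function names and verdict strings are hypothetical; the fallback variable names PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD come from EDB's TDE documentation rather than this page, and treating - in them as the disabling value is an assumption.

```shell
#!/bin/sh
# Added example. Verdicts printed by classify_initdb_args (names are hypothetical):
#   not-encrypted  --data-encryption absent, so TDE does not apply
#   unprotected    key wrapping disabled; key file is left unprotected
#   wrapped        both a wrap and an unwrap command are configured
#   incomplete     neither a full command pair nor a disable option
classify_initdb_args() {
    encrypt=0
    nowrap=0
    # Fallback environment variables; command-line flags override them.
    # Assumption: "-" in these variables disables wrapping, as it does in the flags.
    wrap=${PGDATAKEYWRAPCMD:-}
    unwrap=${PGDATAKEYUNWRAPCMD:-}
    for arg in "$@"; do
        case $arg in
            --data-encryption*)     encrypt=1 ;;
            --no-key-wrap)          nowrap=1 ;;
            --key-wrap-command=*)   wrap=${arg#*=} ;;
            --key-unwrap-command=*) unwrap=${arg#*=} ;;
        esac
    done
    if [ "$encrypt" -eq 0 ]; then
        echo not-encrypted
    elif [ "$nowrap" -eq 1 ] || { [ "$wrap" = "-" ] && [ "$unwrap" = "-" ]; }; then
        echo unprotected
    elif [ -n "$wrap" ] && [ -n "$unwrap" ] &&
         [ "$wrap" != "-" ] && [ "$unwrap" != "-" ]; then
        echo wrapped
    else
        echo incomplete
    fi
}

# Gate for provisioning scripts: succeed only when the key would be wrapped.
require_key_wrapping() {
    verdict=$(classify_initdb_args "$@")
    [ "$verdict" = wrapped ] && return 0
    echo "refusing initdb: key wrapping verdict is '$verdict'" >&2
    return 1
}

# Stand-alone use: sh check.sh <initdb arguments>
[ $# -eq 0 ] || classify_initdb_args "$@"
```

Calling require_key_wrapping with the same arguments before initdb in non-test environments keeps a testing-only flag such as --no-key-wrap from reaching a production cluster unnoticed.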

Note

If you want to enable key wrapping on TDE-enabled database clusters where key wrapping was previously disabled, see Enabling a mechanism to protect the data encryption key.