Disabling the key wrapping

If you don't want key wrapping, for example for testing purposes, you can disable it with either of the following options:

  • You can set the wrap and unwrap commands to the special value - when initializing the cluster with initdb. For example, with the flags --key-wrap-command=- and --key-unwrap-command=-.

  • Or you can disable key wrapping when initializing the cluster with initdb by adding the flag --no-key-wrap.

With either configuration, TDE generates encryption key files but leaves them unprotected.

For initdb --data-encryption to run successfully, you have to either specify a wrapping/unwrapping command, set a fallback environment variable with wrapping/unwrapping commands, or disable key wrapping with one of the previous mechanisms. Otherwise, the creation of an encrypted database cluster will fail.
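A provisioning script can apply these rules before initdb runs, so that a test-only setting does not reach a production cluster unnoticed. The following is an added example, not code from the product: the function names, the "incomplete" verdict and the TDE_ALLOW_UNPROTECTED_KEY opt-in are hypothetical, and PGDATAKEYWRAPCMD / PGDATAKEYUNWRAPCMD are assumed to be the fallback environment variables, which this page does not name. Only the --flag=value form shown above is parsed.

```shell
# Classify an initdb argument list by its TDE key-wrapping outcome.
# Prints: not-encrypted | wrapped | unprotected | incomplete | would-fail
tde_key_wrap_mode() {
    encrypt=0; nowrap=0
    # Fallback environment variables (names assumed; not stated on this page).
    wrap=${PGDATAKEYWRAPCMD-}; unwrap=${PGDATAKEYUNWRAPCMD-}
    for arg in "$@"; do
        case $arg in
            --data-encryption)      encrypt=1 ;;
            --no-key-wrap)          nowrap=1 ;;
            --key-wrap-command=*)   wrap=${arg#*=} ;;
            --key-unwrap-command=*) unwrap=${arg#*=} ;;
        esac
    done
    if [ "$encrypt" -eq 0 ]; then echo not-encrypted; return; fi
    if [ "$nowrap" -eq 1 ]; then echo unprotected; return; fi
    # Neither a command nor a fallback nor a disable flag: initdb fails.
    if [ -z "$wrap" ] && [ -z "$unwrap" ]; then echo would-fail; return; fi
    # Only one half of the pair supplied: this guard's own verdict.
    if [ -z "$wrap" ] || [ -z "$unwrap" ]; then echo incomplete; return; fi
    # The special value - disables wrapping; flag it if either side uses it.
    if [ "$wrap" = - ] || [ "$unwrap" = - ]; then echo unprotected; return; fi
    echo wrapped
}

# Gate for provisioning scripts: refuse anything but a wrapped key unless the
# caller opts in with TDE_ALLOW_UNPROTECTED_KEY=1 (hypothetical variable).
tde_initdb_guard() {
    mode=$(tde_key_wrap_mode "$@")
    case $mode in
        wrapped|not-encrypted) return 0 ;;
        unprotected)
            [ "${TDE_ALLOW_UNPROTECTED_KEY-0}" = 1 ] && return 0
            echo "refusing: TDE key files would be left unprotected" >&2
            return 1 ;;
        *)  echo "refusing: key wrapping is $mode" >&2
            return 1 ;;
    esac
}
```

Call tde_initdb_guard with the same arguments you intend to pass to initdb, and run initdb only if it returns 0.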