why + problems i have with this<\/h2>\n\n\n\n
i had to implement TDE for MySQL, PostgreSQL; for databases that are already stored on fully encrypted drives. i feel that in my particular context TDE was an overkill – introducing unnecessary complication and risk, without giving any significant security benefits. <\/p>\n\n\n\n
TDE protects data in scenario where attacked has access to disk level data from given database server.<\/p>\n\n\n\n
TDE does not protect against scenarios in which attacker:<\/p>\n\n\n\n
- \n
- gains logical access to a running database server – then they can dump encryption keys from memory, or use local commands like pg_dump, mysqldump to extract decrypted data,<\/li>\n\n\n\n
- gets hold of valid database credentials and can access server over the network – then they can use database clients or dump tools to extract the sensitive data.<\/li>\n<\/ul>\n\n\n\n
nevertheless – i had to implement it anyway. <\/p>\n\n\n\n
architecture<\/h2>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2026\/03\/kmip-client-server-1.png\")
<\/figure>\n\n\n\nMySQL or PostgreSQL with the pg_tde extension can act as KMIP clients and communicate with the KMS:<\/p>\n\n\n\n
- \n
- use two way TLS – authenticate, using locally available client certificate, client key files towards the KMS, at the same time ensure it’s the real KMS talking to us by checking response against certificate authority certificate file,<\/li>\n\n\n\n
- initially store, later retrieve the secret from KMS; use that secret to decrypt\/encrypt database files stored in the local file system,<\/li>\n\n\n\n
- periodically rotate keys – store a new secret in KMS<\/li>\n<\/ul>\n\n\n\n
Thales CipherTrust Manager – setting up access for KMIP client<\/h2>\n\n\n\n
disclaimer: based on instruction i’ve received from 3rd party company supplying the KMS service. i don’t know exact ‘whys’ behind those steps.<\/p>\n\n\n\n
for every server \/ service that will act as KMIP client do those steps:<\/p>\n\n\n\n
1. from the front page of the Thales CipherTrust Manager – go to access management<\/em> > users<\/em>, click + add user<\/em> and create a new account. provide:<\/p>\n\n\n\n
- \n
- username – i’ve used naming nameofserver-nameofservice<\/em> e.g. swedb5-mysql<\/em><\/li>\n\n\n\n
- complex password; in practice unused<\/li>\n\n\n\n
- un-tick all types of access – <\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2026\/03\/image.png\")
<\/figure>\n\n\n\n2. go to access management <\/em>> users<\/em>, find the newly created user, click on it and select group membership<\/em>, click add group<\/em> and add key users<\/em>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2026\/03\/image-1.png\")
<\/figure>\n\n\n\n3. go to the root of the CipherTrust Manager <\/em>> KMIP<\/em>, client profile<\/em> and click add profile<\/em>. provide:<\/p>\n\n\n\n
- \n
- profile name<\/em> – i’ve used the same naming convention as in point 1, although this time its profile name and not user name<\/li>\n\n\n\n
- certificate duration <\/em>expressed in days; assign it to the desired KMIP certificate rotation frequency. let’s say 365 days, <\/li>\n\n\n\n
- certificate details<\/em> – common name<\/em> – this one is complex. i was told to use name in format {name-of-cmt-domain}|{name-of-cmt-domain}||name-of-profile<\/em>; for domain called c1234-kms567<\/em> and profile swedb5-mysql<\/em> – it’ll be c1234-kms567|c1234-kms567||swedb5-mysql<\/em><\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2026\/03\/image-2.png\")
<\/figure>\n\n\n\n4. go to CipherTrust Manager <\/em>> KMIP<\/em> > Registration token<\/em>, click new registration token <\/em>and click through the wizard:<\/p>\n\n\n\n
- \n
- name prefix – i got one from KMS provider c1234, <\/em>rest unchanged, select ca<\/li>\n\n\n\n
- select ca – in my case it was CA provided by the KMS supplier,<\/li>\n\n\n\n
- client profile – select one created in the step #3 above<\/li>\n\n\n\n
- click create token<\/em>, copy token to the clipboard<\/li>\n<\/ul>\n\n\n\n
5. go to the CipherTrust Manager <\/em>> KMIP<\/em> ><\/em> registered clients<\/em>, click add client<\/em> and provide:<\/p>\n\n\n\n
- \n
- name – same as user name in the step #1, for me swedb5-mysql<\/em><\/li>\n\n\n\n
- registration token – copied at the end of the step #4<\/li>\n\n\n\n
- click save<\/em>, fetch the certificate – client.crt<\/em>, private key – client.key<\/em>; we’ve got ca.crt<\/em> provided by the 3rd party selling us KMS service.<\/li>\n<\/ul>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
this is reminder, mostly for myself, how to issue certificates that later can be used with PostgreSQL, MySQL to access Key Management Service [KMS] via Key Management Interoperability Protocol [KMIP] to store & retrieve encryption keys used in Table Data Encryption [TDE]. whenever i refer to PostgreSQL or MySQL in this post – i actually […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[138,139],"class_list":["post-3883","post","type-post","status-publish","format-standard","hentry","category-tech","tag-kmip","tag-kms"],"_links":{"self":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3883","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/comments?post=3883"}],"version-history":[{"count":3,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3883\/revisions"}],"predecessor-version":[{"id":3887,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3883\/revisions\/3887"}],"wp:attachment":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/media?parent=3883"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/categories?post=3883"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/tags?post=3883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- certificate duration <\/em>expressed in days; assign it to the desired KMIP certificate rotation frequency. let’s say 365 days, <\/li>\n\n\n\n
- username – i’ve used naming nameofserver-nameofservice<\/em> e.g. swedb5-mysql<\/em><\/li>\n\n\n\n