OpenResty Edge™ database encryption

To encrypt the database, place the PostgreSQL data directory on an encrypted partition created with dm-crypt.

Note: Encryption affects the read and write performance of the database. According to the test results, write performance drops by about 20~30% and read performance by 5~10%.

The following operations are performed on the machine with openresty-postgresql12 installed.

Create an encrypted partition

Prepare a new hard drive; here we use a device named /dev/sdb. Format the new drive with cryptsetup. You will be prompted to enter a password. luksFormat erases any existing data on the device.

sudo cryptsetup luksFormat /dev/sdb

Open the encrypted device and map it under /dev/mapper with the mapping name en_disk.

sudo cryptsetup luksOpen /dev/sdb en_disk

Create an ext4 file system on the mapped device.

sudo mkfs.ext4 /dev/mapper/en_disk

Migrate the database to the encrypted partition

Stop the PostgreSQL service.

Note: Edge Admin and Edge Log Server will not work during the database migration.

sudo systemctl stop openresty-postgresql12

Back up the PostgreSQL data directory.

sudo mv /var/postgres12/data /var/postgres12/data_backup

sudo mkdir -p /var/postgres12/data

Mount the encrypted partition to the original data directory.

sudo mount /dev/mapper/en_disk /var/postgres12/data

Copy the backup data to the encrypted partition. Running cp -a on the directory itself as root copies every file, including hidden ones, and does not require loosening the permissions of the unencrypted backup.

sudo cp -a /var/postgres12/data_backup/. /var/postgres12/data/

sudo chown -R postgres:postgres /var/postgres12/data

sudo chmod 700 /var/postgres12/data

Start the PostgreSQL service to complete the database migration.

sudo systemctl start openresty-postgresql12

After database migration, please check if Edge Admin and Edge Log Server are working properly.

Automatically mount encrypted partition after boot (optional)

If you need to mount the encrypted partition automatically after booting instead of doing it manually, you can configure it as follows.

Edit the /etc/fstab file and add the following at the end.

/dev/mapper/en_disk    /var/postgres12/data  ext4     defaults        0 0

Add the following to the /etc/crypttab file.

en_disk /dev/sdb /root/diskpass

Create the /root/diskpass file and write the password for the encrypted partition to the file.

sudo touch /root/diskpass

sudo chmod 600 /root/diskpass

echo "your password" | sudo tee /root/diskpass

Add the key file as a key for the encrypted device. You will be prompted for the existing password.

sudo cryptsetup luksAddKey /dev/sdb /root/diskpass
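
Before rebooting, it is worth confirming that the fstab entry, the crypttab entry and the key file agree with each other. The following is an added example, not part of the OpenResty Edge documentation or tooling; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: consistency check for the auto-mount configuration above.
# fstab_mapping, crypttab_keyfile and check_automount are hypothetical helpers.

# Print the mapping name behind the fstab entry for a mount point.
fstab_mapping() {   # usage: fstab_mapping FSTAB MOUNTPOINT
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp && $1 ~ "^/dev/mapper/" {
        sub("^/dev/mapper/", "", $1); print $1; exit }' "$1"
}

# Print the key file (third field) of a crypttab entry.
crypttab_keyfile() {   # usage: crypttab_keyfile CRYPTTAB NAME
    awk -v n="$2" '$1 !~ /^#/ && $1 == n { print $3; exit }' "$1"
}

# Return 0 only if fstab, crypttab and the key file agree and the key file
# is not accessible to group or others.
check_automount() {   # usage: check_automount FSTAB CRYPTTAB MOUNTPOINT
    am_name=$(fstab_mapping "$1" "$3")
    [ -n "$am_name" ] || { echo "no /dev/mapper entry for $3 in $1"; return 1; }
    am_key=$(crypttab_keyfile "$2" "$am_name")
    case "$am_key" in
        ""|none|-) echo "$am_name has no key file in $2"; return 1 ;;
    esac
    [ -f "$am_key" ] || { echo "key file $am_key is missing"; return 1; }
    am_mode=$(stat -c '%a' "$am_key")   # GNU stat, prints e.g. 600
    case "$am_mode" in
        ?00) ;;                         # owner-only access
        *) echo "key file $am_key has mode $am_mode, expected 600"; return 1 ;;
    esac
    echo "ok: $3 <- /dev/mapper/$am_name, key file $am_key ($am_mode)"
}

# On the database host (run as root so the key file can be examined):
#   check_automount /etc/fstab /etc/crypttab /var/postgres12/data
```

A non-zero return means the partition would not unlock or mount unattended at boot, or that the key file is readable by other users.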