OpenResty Edge™ database encryption
To encrypt the database, place the PostgreSQL data on an encrypted partition created with dm-crypt.
Note: Encryption affects the read and write performance of the database. According to the test results, write performance drops by about 20~30% and read performance drops by 5~10%.
The following operations are performed on the machine with openresty-postgresql12 installed.
Create an encrypted partition
Prepare a new hard drive; here we use a device named /dev/sdb. Format the new drive using cryptsetup. You need to enter the password.
sudo cryptsetup luksFormat /dev/sdb
Map the device under /dev/mapper. The mapping name is en_disk.
sudo cryptsetup luksOpen /dev/sdb en_disk
Initialize the mapped device.
sudo mkfs.ext4 /dev/mapper/en_disk
Migrate the database to the encrypted partition
Stop the PostgreSQL service.
Note: Edge Admin and Edge Log Server will not work during the database migration.
sudo systemctl stop openresty-postgresql12
Back up the PostgreSQL data directory.
sudo mv /var/postgres12/data /var/postgres12/data_backup
sudo chmod 777 /var/postgres12/data_backup
sudo mkdir -p /var/postgres12/data
Mount the encrypted partition to the original data directory.
sudo mount /dev/mapper/en_disk /var/postgres12/data
Copy the backup data to the encrypted partition.
sudo cp -R /var/postgres12/data_backup/* /var/postgres12/data
sudo chown -R postgres:postgres /var/postgres12/data
sudo chmod 700 /var/postgres12/data
Start the PostgreSQL service. The database migration is then complete.
sudo systemctl start openresty-postgresql12
After database migration, please check if Edge Admin and Edge Log Server are working properly.
Automatically mount encrypted partition after boot (optional)
If you need to mount the encrypted partition automatically after booting instead of doing it manually, you can configure it as follows.
Edit the /etc/fstab file and add the following at the end.
/dev/mapper/en_disk /var/postgres12/data ext4 defaults 0 0
Add the following to the
en_disk /dev/sdb /root/diskpass
Create the /root/diskpass file and write the password for the encrypted partition to the file.
sudo touch /root/diskpass
sudo chmod 600 /root/diskpass
echo "your password" | sudo tee /root/diskpass
Associate the encrypted device and password.
sudo cryptsetup luksAddKey /dev/sdb /root/diskpass
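A post-setup check for the steps above, as an added example that is not part of the OpenResty Edge documentation: it confirms that the fstab mount has a matching mapping entry with a key file, that the key file is mode 600, and reports whether the data_backup copy left by the migration is still accessible to other users. Assumptions: GNU stat is available, the en_disk /dev/sdb /root/diskpass line lives in /etc/crypttab, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenResty code. Paths are arguments so every function
# can be run against copies of the files. Assumes GNU stat and /etc/crypttab.

# Print the mapping name that fstab ($1) mounts on mount point ($2).
fstab_mapping() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp && $1 ~ /^\/dev\/mapper\// {
        sub(/^\/dev\/mapper\//, "", $1); print $1; found = 1; exit }
        END { exit !found }' "$1"
}

# Print the key file that crypttab ($1) assigns to mapping name ($2).
crypttab_keyfile() {
    awk -v name="$2" '$1 == name && NF >= 3 { print $3; found = 1; exit }
        END { exit !found }' "$1"
}

# Succeed only when the key file ($1) has mode 600, as set on this page.
keyfile_mode_ok() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = "600" ]
}

# Succeed when the plaintext copy ($1) still exists and its group or other
# permission bits are non-zero (the page sets it to 777 during migration).
backup_exposed() {
    [ -d "$1" ] || return 1
    case "$(stat -c %a "$1")" in *00) return 1 ;; esac
    return 0
}

# Print findings; return 0 when clean, 1 when any check fails.
# $1 = fstab, $2 = crypttab, $3 = mount point, $4 = backup directory
audit() {
    rc=0
    name=$(fstab_mapping "$1" "$3") || { echo "no /dev/mapper mount on $3"; return 1; }
    key=$(crypttab_keyfile "$2" "$name") || { echo "no key file for $name"; return 1; }
    keyfile_mode_ok "$key" || { echo "$key is not mode 600"; rc=1; }
    if backup_exposed "$4"; then echo "plaintext copy $4 is open to other users"; rc=1; fi
    return "$rc"
}

# Live run on the host: also confirm the mount source is a dm-crypt mapping.
if [ "${1:-}" = "--run" ]; then
    src=$(findmnt -no SOURCE /var/postgres12/data)
    [ "$(lsblk -no TYPE "$src")" = "crypt" ] || echo "$src is not dm-crypt"
    audit /etc/fstab /etc/crypttab /var/postgres12/data /var/postgres12/data_backup
fi
```

Run it as root with --run once automount is configured; without the flag it only defines the functions.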