-
Notifications
You must be signed in to change notification settings - Fork 32
/
pgsodium_getkey_gcp.sh
executable file
·40 lines (33 loc) · 1.27 KB
/
pgsodium_getkey_gcp.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#!/bin/bash
HERE=`pwd`
KEY=${KEY:-pgsodium}
KEYRING=${KEYRING:-pgsodium}
LOCATION=${LOCATION:-global}
ROOT_KEY_FILE=${ROOT_KEY_FILE:-$HERE/pgsodium_encrypted_root.key}
if [[ -f "$ROOT_KEY_FILE" ]]; then
gcloud kms decrypt \
--key $KEY \
--keyring $KEYRING \
--location $LOCATION \
--plaintext-file - \
--ciphertext-file $ROOT_KEY_FILE
else
>&2 cat <<EOF
No root key file found at $ROOT_KEY_FILE for pgsodium to load.
See
https://cloud.google.com/kms/docs/creating-keys#kms-create-key-ring-cli
to create a keyring and key. Then encrypt a secret 32 byte payload
with that key and save it to $ROOT_KEY_FILE. For example, create a
new keyring and key:
gcloud kms keyrings create pgsodium --location global
gcloud kms keys create pgsodium --keyring pgsodium --location global --purpose "encryption"
Then encrypt a strong random key generated with pwgen into $ROOT_KEY_FILE:
pwgen 64 -s -1 -A -r ghijklmnopqrstuvwxyz | gcloud kms encrypt \\
--key pgsodium \\
--keyring pgsodium \\
--location global \\
--plaintext-file - --ciphertext-file $ROOT_KEY_FILE
Now restart postgres to initialize pgsodium with the new key.
EOF
exit 1
fi