Mojo

Reputation: 497

Docker PostgreSQL data encryption at rest

According to the manual, PostgreSQL supports 'Data Partition Encryption' in order to store the data encrypted at rest on the system.

For my next application I want to containerize PostgreSQL using Docker. Unfortunately I have not found any option to encrypt the database files within this Docker container to protect the data. I thought about something like entering a password when the container is starting to decrypt all the needed files at runtime.

Has anyone experience with this?

Upvotes: 11

Views: 3763

Answers (2)

phoenixSid

Reputation: 477

You can try to use pgcrypto. The pgcrypto module provides cryptographic functions for PostgreSQL. It relies on SSL encryption, so you need to configure SSL for your database. To manage the encryption keys, you can use a Key Management System. You may have to write a script to encrypt your existing data. You can also look at other options such as Disk Encryption or Filesystem encryption depending on your use case.

Upvotes: 0

Michael

Reputation: 2454

"Data Partition Encryption" means that you are off-loading the encryption to the OS, and would provide the key at the time of mounting the disk partition that the data directory is read from.

In the context of docker, you would generally achieve this by encrypting the partition that you either:

  • bind mount the data directory from
  • store docker volumes in

E.g. by default, Docker volumes are stored in /var/lib/docker/volume on Linux; therefore, if that directory is on a partition that is encrypted using LUKS or similar, then you have already implemented your goal.

In general I'd recommend always using full disk encryption for local machines, and taking advantage of similar features on cloud platforms like AWS.

Upvotes: 2
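The approach in the answer above, written out as an added example (not code from the original answer): put the PostgreSQL data directory on a LUKS-encrypted partition, bind-mount it into the container, and verify before starting the container that the mount really sits on a dm-crypt device. The device name, mapping name, mount point and container name are assumptions for illustration; the setup steps need root and the `cryptsetup`, `findmnt`, `lsblk` and `docker` tools on the host. The `lsblk` outputs embedded at the end are constructed samples, not captured from a real host.

```shell
#!/usr/bin/env sh
# Added example, not part of the original answer. Encrypt the partition the
# PostgreSQL data directory lives on (OS-level "data partition encryption"),
# then bind-mount it into the container. All names below are assumptions.

DEVICE="${DEVICE:-/dev/sdb1}"               # assumed: partition dedicated to the database
MAPPER_NAME="${MAPPER_NAME:-pgdata}"        # assumed: dm-crypt mapping name
MOUNT_POINT="${MOUNT_POINT:-/srv/pgdata}"   # assumed: host path bind-mounted into the container

# One-time setup: format the partition with LUKS, open it (the passphrase is
# asked for interactively here, on the host, which is where the "enter a
# password at start" step from the question belongs), create a filesystem and
# mount it. Requires root.
setup_encrypted_partition() {
    cryptsetup luksFormat "$DEVICE"
    cryptsetup open "$DEVICE" "$MAPPER_NAME"
    mkfs.ext4 "/dev/mapper/$MAPPER_NAME"
    mkdir -p "$MOUNT_POINT"
    mount "/dev/mapper/$MAPPER_NAME" "$MOUNT_POINT"
}

# Pure helper: given the output of `lsblk -sno TYPE <device>` (the device and
# all of its ancestors, one type per line), succeed only if a dm-crypt layer
# ("crypt") is somewhere in that chain.
chain_has_crypt() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# Live check: find the block device backing a path and ask whether a dm-crypt
# layer is in its ancestry. Fails if the path is not mounted at all.
path_is_encrypted() {
    src=$(findmnt -no SOURCE -T "$1") || return 1
    chain_has_crypt "$(lsblk -sno TYPE "$src")"
}

# Start PostgreSQL with its data directory bind-mounted from the encrypted
# partition. The container is unaware of the encryption; the host OS does the
# work. Refuse to start if the mount point is not actually encrypted, so a
# reboot that left the LUKS volume closed cannot silently initialise a fresh,
# unencrypted database in the bare mount point directory.
run_postgres() {
    path_is_encrypted "$MOUNT_POINT" || {
        echo "refusing to start: $MOUNT_POINT is not on a dm-crypt device" >&2
        return 1
    }
    docker run -d --name pg \
        -e POSTGRES_PASSWORD="$PG_PASSWORD" \
        -v "$MOUNT_POINT":/var/lib/postgresql/data \
        postgres
}

# For named Docker volumes instead of a bind mount, check Docker's own root:
#   path_is_encrypted "$(docker info -f '{{.DockerRootDir}}')/volumes"

# Constructed sample outputs of `lsblk -sno TYPE` for the two cases, so the
# helper can be exercised without real devices.
SAMPLE_LUKS_CHAIN='crypt
part
disk'
SAMPLE_PLAIN_CHAIN='part
disk'
```

The `path_is_encrypted` guard is the part worth keeping even if the rest is scripted differently: a LUKS volume that is not open after a reboot leaves an ordinary empty directory at the mount point, and the container would happily initialise a new, unencrypted cluster there.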
