updated docker

Andriciuc · Andriciuc · commit a976b488f79c · 2025-06-03T16:53:03.000+03:00
updated with up to date information for pg_tde encryption parameters, also, cleaned the document a bit, added a paragraph recommending the user to see the pg_tde docs, added a note bolding the fact that we do not recommend using a local keyring file and we suggest using an external KMS.
diff --git a/docs/docker.md b/docs/docker.md
@@ -4,7 +4,7 @@ Docker images of Percona Distribution for PostgreSQL are hosted publicly on [Doc
 
 For more information about using Docker, see the [Docker Docs :octicons-link-external-16:](https://docs.docker.com/).
 
-!!! note ""
+!!! note
 
     Make sure that you are using [the latest version of Docker :octicons-link-external-16:](https://docs.docker.com/get-docker/). The ones provided via `apt` and `yum` may be outdated and cause errors.
 
@@ -35,16 +35,15 @@ For more information about using Docker, see the [Docker Docs :octicons-link-ext
 
     ```{.bash data-prompt="$"}
     $ docker run --name container-name -e POSTGRES_PASSWORD=secret -d percona/percona-distribution-postgresql:{{dockertag}}
-    ```    
+    ```
 
-    Where:    
+    Where:
 
     * `container-name` is the name you assign to your container
     * `POSTGRES_PASSWORD` is the superuser password 
-    * `{{dockertag}}` is the tag specifying the version you need. Docker identifies the architecture (x86_64 or ARM64) and pulls the respective image. See the [full list of tags :octicons-link-external-16:](https://hub.docker.com/r/percona/percona-distribution-postgresql/tags/).     
-    
+    * `{{dockertag}}` is the tag specifying the version you need. Docker identifies the architecture (x86_64 or ARM64) and pulls the respective image. See the [full list of tags :octicons-link-external-16:](https://hub.docker.com/r/percona/percona-distribution-postgresql/tags/).
 
-    !!! tip     
+    !!! tip
 
         You can secure the password by exporting it to the environment file and using that to start the container.    
 
@@ -60,15 +59,14 @@ For more information about using Docker, see the [Docker Docs :octicons-link-ext
             $ docker run --name container-name --env-file ./.my-pg.env -d percona/percona-distribution-postgresql:{{dockertag}}
             ```
 
-2. Connect to the container's interactive terminal: 
+2. Connect to the container's interactive terminal:
 
     ```{.bash data-prompt="$"}
     $ docker exec -it container-name bash
     ```
 
     The `container-name` is the name of the container that you started in the previous step.
 
-
 ## Connect to Percona Distribution for PostgreSQL from an application in another Docker container
 
 This image exposes the standard PostgreSQL port (`5432`), so container linking makes the instance available to other containers. Start other containers like this in order to link it to the Percona Distribution for PostgreSQL container:
@@ -79,8 +77,8 @@ $ docker run --name app-container-name --network container:container-name -d app
 
 where:
 
-* `app-container-name` is the name of the container where your application is running, 
-* `container name` is the name of your Percona Distribution for PostgreSQL container, and 
+* `app-container-name` is the name of the container where your application is running,
+* `container name` is the name of your Percona Distribution for PostgreSQL container, and
 * `app-that-uses-postgresql` is the name of your PostgreSQL client.
 
 ## Connect to Percona Distribution for PostgreSQL from the `psql` command line client
@@ -95,15 +93,14 @@ Where:
 
 * `db-container-name` is the name of your database container
 * `container-name` is the name of your container that you will use to connect to the database container using the `psql` command line client
-* `{{dockertag}}` is the tag specifying the version you need. Docker identifies the architecture (x86_64 or ARM64) and pulls the respective image. 
-* `address` is the network address where your database container is running. Use 127.0.0.1, if the database container is running on the local machine/host.   
+* `{{dockertag}}` is the tag specifying the version you need. Docker identifies the architecture (x86_64 or ARM64) and pulls the respective image.
+* `address` is the network address where your database container is running. Use 127.0.0.1, if the database container is running on the local machine/host.
 
 ## Enable encryption
 
-Percona Distribution for PostgreSQL Docker image includes the `pg_tde` extension to provide data encryption. You must explicitly enable it when you start the container. 
+Percona Distribution for PostgreSQL Docker image includes the `pg_tde` extension to provide data encryption. You must explicitly enable it when you start the container. For more information, see the [`pg_tde` documentation](https://docs.percona.com/pg-tde/index.html).
 
-Here's how to do this:
-{.power-number}
+Follow these steps to enable `pg_tde`:
 
 1. Start the container with the `ENABLE_PG_TDE=1` environment variable:
 
@@ -112,11 +109,10 @@ Here's how to do this:
     ```
 
     where:
-    
+
     * `container-name` is the name you assign to your container
     * `ENABLE_PG_TDE=1` adds the `pg_tde` to the `shared_preload_libraries` and enables the custom storage manager
-    * `POSTGRES_PASSWORD` is the superuser password 
-
+    * `POSTGRES_PASSWORD` is the superuser password
 
 2. Connect to the container and start the interactive `psql` session:
 
@@ -139,20 +135,21 @@ Here's how to do this:
     CREATE EXTENSION pg_tde;
     ```
 
-4. Configure a key provider. In this sample configuration intended for testing and development purpose, we use a local keyring provider. 
+4. Configure a key provider with a keyring file. This setup is intended for development and stores the keys unencrypted in the specified data file. The below sample configuration is intended for testing and development purposes.
 
-    For production use, set up an external key management store and configure an external key provider. Refer to the [Setup :octicons-link-external-16:](https://docs.percona.com/pg-tde/setup.html#key-provider-configuration) chapter in the `pg_tde` documentation.
+    !!! note
+         For production use, we **strongly recommend** setting up an external key management store and configure an external key provider. Refer to the [Setup :octicons-link-external-16:](https://docs.percona.com/pg-tde/setup.html#key-provider-configuration) topic in the `pg_tde` documentation.
 
     <i warning>:material-information: Warning:</i> This example is for testing purposes only:
 
 	```sql
-	SELECT pg_tde_add_key_provider_file('file-keyring','/tmp/pg_tde_test_local_keyring.per');
+	SELECT pg_tde_add_database_key_provider_file('provider-name','/path/to/the/keyring/data.file');
     ```
 
 5. Add a principal key
 
     ```sql
-    SELECT pg_tde_set_principal_key('test-db-master-key','file-keyring');
+    SELECT pg_tde_set_key_using_database_key_provider('name-of-the-key', 'provider-name','ensure_new_key');
     ```
 
     The key is autogenerated. You are ready to use data encryption.
@@ -180,7 +177,7 @@ To enable the `pg_stat_monitor` extension after launching the container, do the
    \d pg_stat_monitor;
    ```
 
-??? example "Output"   
+??? example "Output"
 
     ```
                              View "public.pg_stat_monitor"
@@ -228,6 +225,5 @@ To enable the `pg_stat_monitor` extension after launching the container, do the
     wait_event_type     | text                     |           |          |
     ```
 
-Note that the `pg_stat_monitor` view is available only for the databases where you enabled it. If you create a new database, make sure to create the view for it to see its statistics data.
-
-
+!!! note
+     The `pg_stat_monitor` view is available only for the databases where you enabled it. If you create a new database, make sure to create the view for it to see its statistics data.
