Introduction
HAPI FHIR is an open source implementation of the HL7 FHIR standard for healthcare interoperability.
The easiest way to get started with HAPI FHIR is to use the HAPI FHIR JPA Server Starter Project.
In previous posts, we have worked to augment the HAPI FHIR JPA Server Starter Project in order to demonstrate secure access to FHIR resources.
Including:
- Support for OpenID Connect and OAuth 2.0 (e.g., SMART on FHIR)
- Secure HAPI FHIR data in transit
See: HAPI FHIR AU Starter Project
In this post, we'll use the Docker image of the Percona Distribution for PostgreSQL to encrypt data at rest.
Secure data at rest
Enable encryption
The Docker image of the Percona Distribution for PostgreSQL includes the pg_tde
extension that provides data encryption:
postgres:
container_name: postgres
image: percona/percona-distribution-postgresql:17.5
...
environment:
ENABLE_PG_TDE: 1
...
See: docker-compose.yml
ENABLE_PG_TDE: 1
adds pg_tde
to the shared_preload_libraries
entry in the postgresql.conf
file and enables the custom storage manager.
Connect to the container:
docker exec -it postgres bash
Start an interactive psql
session:
psql -U admin -d hapi-fhir
Create the pg_tde
extension in the database you want to encrypt:
\c hapi-fhir;
CREATE EXTENSION pg_tde;
Check the list of installed extensions:
hapi-fhir=# \dx
List of installed extensions
Name | Version | Schema | Description
---------+---------+------------+------------------------------
pg_tde | 1.0-rc | public | pg_tde access method
plpgsql | 1.0 | pg_catalog | PL/pgSQL procedural language
(2 rows)
Configure a key provider:
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_001_basic.per');
You should see something like:
pg_tde_add_database_key_provider_file
---------------------------------------
1
(1 row)
Note: This sample key provider configuration is meant for development and testing purposes only, not production.
Set a principal key:
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
You should see something like:
pg_tde_set_key_using_database_key_provider
--------------------------------------------
(1 row)
Alter a HAPI FHIR table to enable encryption:
ALTER TABLE hfj_resource SET ACCESS METHOD tde_heap;
You should see something like:
ALTER TABLE
Check to see if the table is encrypted:
select pg_tde_is_encrypted('hfj_resource');
You should see something like:
pg_tde_is_encrypted
---------------------
t
(1 row)
End your interactive psql
session:
\q
Source Code
- GitHub: HAPI FHIR AU Starter Project
Resources
- Percona Distribution for PostgreSQL: Docker
- Percona Community Forum: pg_tde
- GitHub: Percona PostgreSQL - Test Case 001