Rearranged key stores per provider, finished Thales integration docs

Author: gvasquezvargas

Diff for: product_docs/docs/tde/15/secure_key/key_store/aws/index.mdx

@@ -0,0 +1,23 @@
+---
+title: Using AWS KMS
+description: Learn how to secure your encryption key with an AWS KMS key.
+deepToC: true
+---
+
+## AWS configuration example
+
+Create a key with [AWS Key Management Service](https://docs.aws.amazon.com/kms/):
+
+```shell
+aws kms create-key
+aws kms create-alias --alias-name alias/pg-tde-master-1 --target-key-id "..."
+```
+
+Use the `aws kms` command with the `alias/pg-tde-master-1` key to wrap and unwrap the data encryption key:
+
+```shell
+PGDATAKEYWRAPCMD='aws kms encrypt --key-id alias/pg-tde-master-1 --plaintext fileb:///dev/stdin --output text --query CiphertextBlob | base64 -d > "%p"'
+PGDATAKEYUNWRAPCMD='aws kms decrypt --key-id alias/pg-tde-master-1 --ciphertext-blob fileb://"%p" --output text --query Plaintext | base64 -d'
+```
+!!! Note
+    Shell commands with pipes, as in this example, are problematic because the exit status of the pipe is that of the last command. A failure of the first, more interesting command isn't reported properly. Postgres handles this somewhat by recognizing whether the wrap or unwrap command wrote nothing. However, it's better to make this command more robust. For example, use the `pipefail` option available in some shells or the `mispipe` command available on some operating systems. Put more complicated commands into an external shell script or other program instead of defining them inline.

Diff for: product_docs/docs/tde/15/secure_key/key_store/azure/index.mdx

@@ -0,0 +1,22 @@
+---
+title: Using Azure KMS
+description: Learn how to secure your encryption key with an Azure Key Vault key.
+deepToC: true
+---
+
+## Configuration example
+
+Create a key with [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/):
+
+```shell
+az keyvault key create --vault-name pg-tde --name pg-tde-master-1
+```
+
+Use the `az keyvault key` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key:
+
+```shell
+PGDATAKEYWRAPCMD='az keyvault key encrypt --name pg-tde-master-1 --vault-name pg-tde --algorithm A256GCM --value @- --data-type plaintext --only-show-errors --output json | jq -r .result > "%p"'
+PGDATAKEYUNWRAPCMD='az keyvault key decrypt --name pg-tde-master-1 --vault-name pg-tde --algorithm A256GCM --value @"%p" --data-type plaintext --only-show-errors --output json | jq -r .result'
+```
+!!! Note
+    Shell commands with pipes, as in this example, are problematic because the exit status of the pipe is that of the last command. A failure of the first, more interesting command isn't reported properly. Postgres handles this somewhat by recognizing whether the wrap or unwrap command wrote nothing. However, it's better to make this command more robust. For example, use the `pipefail` option available in some shells or the `mispipe` command available on some operating systems. Put more complicated commands into an external shell script or other program instead of defining them inline.

Diff for: product_docs/docs/tde/15/secure_key/key_store/entrust/index.mdx

@@ -0,0 +1,9 @@
+---
+title: Using Entrust KMS
+description: Learn how to secure your encryption key with a Entrust KeyControl key.
+deepToC: true
+---
+
+## Configuration guide
+
+See the [EDB Postgres and Entrust KeyControl](https://www.entrust.com/sites/default/files/2024-03/edb-postgres-and-entrust-keycontrol-ig.pdf) integration guide for installation, configuration and usage instructions (including key rotation).

Diff for: product_docs/docs/tde/15/secure_key/key_store/fortanix/index.mdx

@@ -0,0 +1,9 @@
+---
+title: Using Fortanix KMS
+description: Learn how to secure your encryption key with a Fortanix Data Security Manager key.
+deepToC: true
+---
+
+## Configuration example 
+
+See [Using Fortanix Data Security Manager with EDB Postgres for TDE](https://support.fortanix.com/docs/using-fortanix-data-security-manager-with-edb-postgres-for-tde) for a step-by-step configuration tutorial.

Diff for: product_docs/docs/tde/15/secure_key/key_store/google_cloud/index.mdx

@@ -0,0 +1,20 @@
+---
+title: Using Google Cloud KMS
+description: Learn how to secure your encryption key with an Cloud Key Management Service key.
+deepToC: true
+---
+
+## Configuration example
+
+Create a key with [Google Cloud KMS](https://cloud.google.com/kms/docs):
+
+```shell
+gcloud kms keys create pg-tde-master-1 --location=global --keyring=pg-tde --purpose=encryption
+```
+
+Use the `gcloud kms` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key:
+
+```shell
+PGDATAKEYWRAPCMD='gcloud kms encrypt --plaintext-file=- --ciphertext-file=%p --location=global --keyring=pg-tde --key=pg-tde-master-1'
+PGDATAKEYUNWRAPCMD='gcloud kms decrypt --plaintext-file=- --ciphertext-file=%p --location=global --keyring=pg-tde --key=pg-tde-master-1'
+```

Diff for: product_docs/docs/tde/15/secure_key/key_store/hashicorp/index.mdx

@@ -0,0 +1,26 @@
+---
+title: Using HashiCorp KMS
+description: Learn how to secure your encryption key with a HashiCorp Vault key.
+deepToC: true
+---
+
+## Configuration example
+
+Enable transit with [HashiCorp Vault Transit Secrets Engine](https://developer.hashicorp.com/vault/docs):
+
+```shell
+vault secrets enable transit
+```
+
+Create a key and give it a name:
+
+```shell
+vault write -f transit/keys/pg-tde-master-1
+```
+
+Use the `vault write` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key:
+
+```
+PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > "%p"'
+PGDATAKEYUNWRAPCMD='vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- < "%p" | base64 -d'
+```

Diff for: product_docs/docs/tde/15/secure_key/key_store/index.mdx

@@ -6,99 +6,12 @@ deepToC: true
 
 You can use the key store in an external key management system to manage the data encryption key. The tested and supported key stores are:
 
-- Amazon AWS Key Management Service (KMS)
-- Microsoft Azure Key Vault
-- Google Cloud - Cloud Key Management Service
-- HashiCorp Vault (KMIP Secrets Engine and Transit Secrets Engine)
-- Thales CipherTrust Manager
-- Fortanix Data Security Manager
-- Entrust KeyControl
+- [Amazon AWS Key Management Service (KMS)](aws)
+- [Microsoft Azure Key Vault](azure)
+- [Entrust KeyControl](entrust)
+- [Fortanix Data Security Manager](fortanix)
+- [Google Cloud - Cloud Key Management Service](google_cloud)
+- [HashiCorp Vault (KMIP Secrets Engine and Transit Secrets Engine)](hashicorp)
+- [Thales CipherTrust Manager](thales)
 
-To use one of the available key stores, see the configuration examples.
 
-## AWS Key Management Service example
-
-Create a key with [AWS Key Management Service](https://docs.aws.amazon.com/kms/):
-
-```shell
-aws kms create-key
-aws kms create-alias --alias-name alias/pg-tde-master-1 --target-key-id "..."
-```
-
-Use the `aws kms` command with the `alias/pg-tde-master-1` key to wrap and unwrap the data encryption key:
-
-```shell
-PGDATAKEYWRAPCMD='aws kms encrypt --key-id alias/pg-tde-master-1 --plaintext fileb:///dev/stdin --output text --query CiphertextBlob | base64 -d > "%p"'
-PGDATAKEYUNWRAPCMD='aws kms decrypt --key-id alias/pg-tde-master-1 --ciphertext-blob fileb://"%p" --output text --query Plaintext | base64 -d'
-```
-!!! Note
-    Shell commands with pipes, as in this example, are problematic because the exit status of the pipe is that of the last command. A failure of the first, more interesting command isn't reported properly. Postgres handles this somewhat by recognizing whether the wrap or unwrap command wrote nothing. However, it's better to make this command more robust. For example, use the `pipefail` option available in some shells or the `mispipe` command available on some operating systems. Put more complicated commands into an external shell script or other program instead of defining them inline.
-
-## Azure Key Vault example
-
-Create a key with [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/):
-
-```shell
-az keyvault key create --vault-name pg-tde --name pg-tde-master-1
-```
-
-Use the `az keyvault key` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key:
-
-```shell
-PGDATAKEYWRAPCMD='az keyvault key encrypt --name pg-tde-master-1 --vault-name pg-tde --algorithm A256GCM --value @- --data-type plaintext --only-show-errors --output json | jq -r .result > "%p"'
-PGDATAKEYUNWRAPCMD='az keyvault key decrypt --name pg-tde-master-1 --vault-name pg-tde --algorithm A256GCM --value @"%p" --data-type plaintext --only-show-errors --output json | jq -r .result'
-```
-!!! Note
-    Shell commands with pipes, as in this example, are problematic because the exit status of the pipe is that of the last command. A failure of the first, more interesting command isn't reported properly. Postgres handles this somewhat by recognizing whether the wrap or unwrap command wrote nothing. However, it's better to make this command more robust. For example, use the `pipefail` option available in some shells or the `mispipe` command available on some operating systems. Put more complicated commands into an external shell script or other program instead of defining them inline.
-
-## Google Cloud KMS example
-
-Create a key with [Google Cloud KMS](https://cloud.google.com/kms/docs):
-
-```shell
-gcloud kms keys create pg-tde-master-1 --location=global --keyring=pg-tde --purpose=encryption
-```
-
-Use the `gcloud kms` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key:
-
-```shell
-PGDATAKEYWRAPCMD='gcloud kms encrypt --plaintext-file=- --ciphertext-file=%p --location=global --keyring=pg-tde --key=pg-tde-master-1'
-PGDATAKEYUNWRAPCMD='gcloud kms decrypt --plaintext-file=- --ciphertext-file=%p --location=global --keyring=pg-tde --key=pg-tde-master-1'
-```
-
-## HashiCorp Vault Transit Secrets Engine example
-
-Enable transit with [HashiCorp Vault Transit Secrets Engine](https://developer.hashicorp.com/vault/docs):
-
-```shell
-vault secrets enable transit
-```
-
-Create a key and give it a name:
-
-```shell
-vault write -f transit/keys/pg-tde-master-1
-```
-
-Use the `vault write` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key:
-
-```
-PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > "%p"'
-PGDATAKEYUNWRAPCMD='vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- < "%p" | base64 -d'
-```
-
-## Thales CipherTrust Manager example
-
-You can configure TDE to use an external key from Thales CipherTrust Manager to wrap the data encryption key with a key from the Thales key store. You can either use `pykmip`, or the Thales REST API to perform the cryptographic operations of the integration. 
-
--  To use the Python library `pykmip` for cryptographic operations with Thales CipherTrust Manager, see [Using pykmip](/partner_docs/ThalesCipherTrustManager/05-UsingThalesCipherTrustManager/) in the [Implementing Thales CipherTrust Manager](/partner_docs/ThalesCipherTrustManager/) documentation for instructions. `pykmip` is a Python library that implements the KMIP industry standard for key management operations.
-
--  To use Thales REST API for cryptographic operations with Thales CipherTrust Manager, see [Using Thales REST API](/tde/latest/secure_key/key_store/thales_restapi). The REST API allows operations to directly connect to Thales CipherTrust, bypassing other intermediate protocols.
-
-## Fortanix Data Security Manager example 
-
-See [Using Fortanix Data Security Manager with EDB Postgres for TDE](https://support.fortanix.com/docs/using-fortanix-data-security-manager-with-edb-postgres-for-tde) for a step-by-step configuration tutorial.
-
-## Entrust KeyControl integration guide
-
-See the [EDB Postgres and Entrust KeyControl](https://www.entrust.com/sites/default/files/2024-03/edb-postgres-and-entrust-keycontrol-ig.pdf) integration guide for installation, configuration and usage instructions (including key rotation).

Diff for: product_docs/docs/tde/15/secure_key/key_store/images/01_CSR_tool.png renamed to product_docs/docs/tde/15/secure_key/key_store/thales/images/01_CSR_tool.png

@@ -0,0 +1,11 @@
+---
+title: Using Thales KMS
+description: Learn how to secure your encryption key with a Thales CipherTrust Manager key.
+deepToC: true
+---
+
+You can configure TDE to use an external key from Thales CipherTrust Manager to wrap the data encryption key with a key from the Thales key store. You can either use `pykmip`, or the Thales REST API to perform the cryptographic operations of the integration. 
+
+-  To use the Python library `pykmip` for cryptographic operations with Thales CipherTrust Manager, see [Using pykmip](/partner_docs/ThalesCipherTrustManager/05-UsingThalesCipherTrustManager/) in the [Implementing Thales CipherTrust Manager](/partner_docs/ThalesCipherTrustManager/) documentation for instructions. `pykmip` is a Python library that implements the KMIP industry standard for key management operations.
+
+-  To use Thales REST API for cryptographic operations with Thales CipherTrust Manager, [install the EDB TDE Thales REST API client](installing_thales_client) and then [configure it for usage with TDE](/tde/latest/secure_key/key_store/thales/thales_restapi). The REST API allows operations to directly connect to Thales CipherTrust, bypassing other intermediate protocols.

Diff for: product_docs/docs/tde/15/secure_key/key_store/images/02_CSR_creation.png renamed to product_docs/docs/tde/15/secure_key/key_store/thales/images/02_CSR_creation.png

@@ -0,0 +1,16 @@
+---
+navTitle: Installing
+title: Installing EDB TDE Thales REST API client on Linux
+indexCards: none
+
+navigation:
+  - linux_x86_64
+---
+
+Select a link to access the applicable installation instructions:
+
+## Linux [x86-64 (amd64)](linux_x86_64)
+
+### Red Hat Enterprise Linux (RHEL) and derivatives
+
+- [RHEL 8](linux_x86_64/edb-tde-rest-client_rhel_8)

Diff for: product_docs/docs/tde/15/secure_key/key_store/images/03_CSR_creation_download.png renamed to product_docs/docs/tde/15/secure_key/key_store/thales/images/03_CSR_creation_download.png

@@ -0,0 +1,36 @@
+---
+navTitle: RHEL 8 or OL 8
+title: Installing EDB TDE Thales REST API on RHEL 8 or OL 8 x86_64
+---
+
+## Prerequisites
+
+Before you begin the installation process:
+
+- Set up the EDB repository.
+
+  Setting up the repository is a one-time task. If you have already set up your repository, you don't need to perform this step.
+
+  To determine if your repository exists, enter this command:
+
+  `dnf repolist | grep enterprisedb`
+
+  If no output is generated, the repository isn't installed.
+
+  To set up the EDB repository:
+
+  1. Go to [EDB repositories](https://www.enterprisedb.com/repos-downloads).
+
+  1. Select the button that provides access to the EDB repository.
+
+  1. Select the platform and software that you want to download.
+
+  1. Follow the instructions for setting up the EDB repository.
+
+## Install the package
+
+Install the EDB TDE REST API client (packaged as `edb-tde-rest-client`):
+
+```shell
+sudo dnf install edb-tde-rest-client
+```

Diff for: product_docs/docs/tde/15/secure_key/key_store/images/04_local_CA.png renamed to product_docs/docs/tde/15/secure_key/key_store/thales/images/04_local_CA.png

@@ -0,0 +1,17 @@
+---
+title: "Installing EDB TDE Thales REST API client on Linux x86 (amd64)"
+navTitle: "On Linux x86"
+indexCards: none
+
+navigation:
+  - edb-tde-rest-client_rhel_8
+---
+
+Operating system-specific install instructions are described in the corresponding documentation:
+
+### Red Hat Enterprise Linux (RHEL) and derivatives
+
+
+- [RHEL 8](edb-tde-rest-client_rhel_8)
+
+- [Oracle Linux (OL) 8](edb-tde-rest-client_rhel_8)