Merge pull request #6661 from EnterpriseDB/docs/edits_to_thales_pr6606

Edits to [TDE Thales CipherTrust client ] REST API integration #6606

Author: gvasquezvargas

Diff for: product_docs/docs/tde/15/secure_key/key_store/entrust/index.mdx

@@ -6,4 +6,4 @@ deepToC: true
 
 ## Configuration guide
 
-See the [EDB Postgres and Entrust KeyControl](https://www.entrust.com/sites/default/files/2024-03/edb-postgres-and-entrust-keycontrol-ig.pdf) integration guide for installation, configuration and usage instructions (including key rotation).
+See the [EDB Postgres and Entrust KeyControl](https://www.entrust.com/sites/default/files/2024-03/edb-postgres-and-entrust-keycontrol-ig.pdf) integration guide for installation, configuration, and usage instructions, including key rotation.

Diff for: product_docs/docs/tde/15/secure_key/key_store/thales/index.mdx

@@ -4,8 +4,8 @@ description: Learn how to secure your encryption key with a Thales CipherTrust M
 deepToC: true
 ---
 
-You can configure TDE to use an external key from Thales CipherTrust Manager to wrap the data encryption key with a key from the Thales key store. You can either use `pykmip`, or the Thales REST API to perform the cryptographic operations of the integration. 
+You can configure TDE to use an external key from Thales CipherTrust Manager to wrap the data encryption key with a key from the Thales key store. You can use either pykmip or the Thales REST API to perform the cryptographic operations of the integration. 
 
--  To use the Python library `pykmip` for cryptographic operations with Thales CipherTrust Manager, see [Using pykmip](/partner_docs/ThalesCipherTrustManager/05-UsingThalesCipherTrustManager/) in the [Implementing Thales CipherTrust Manager](/partner_docs/ThalesCipherTrustManager/) documentation for instructions. `pykmip` is a Python library that implements the KMIP industry standard for key management operations.
+-  To use the Python library pykmip for cryptographic operations with Thales CipherTrust Manager, see [Using pykmip](/partner_docs/ThalesCipherTrustManager/05-UsingThalesCipherTrustManager/) in the [Implementing Thales CipherTrust Manager](/partner_docs/ThalesCipherTrustManager/) documentation for instructions. pykmip is a Python library that implements the KMIP industry standard for key management operations.
 
--  To use Thales REST API for cryptographic operations with Thales CipherTrust Manager, [install the EDB TDE Thales REST API client](installing_thales_client) and then [configure it for usage with TDE](/tde/latest/secure_key/key_store/thales/thales_restapi). The REST API allows operations to directly connect to Thales CipherTrust, bypassing other intermediate protocols.
+-  To use the Thales REST API for cryptographic operations with Thales CipherTrust Manager, [install the EDB TDE Thales REST API client](installing_thales_client) and then [configure it for use with TDE](/tde/latest/secure_key/key_store/thales/thales_restapi). The REST API allows operations to directly connect to Thales CipherTrust, bypassing other intermediate protocols.

Diff for: product_docs/docs/tde/15/secure_key/key_store/thales/installing_thales_client/index.mdx

@@ -7,7 +7,7 @@ navigation:
   - linux_x86_64
 ---
 
-Select a link to access the applicable installation instructions:
+Select a link to access the applicable installation instructions.
 
 ## Linux [x86-64 (amd64)](linux_x86_64)
 

Diff for: product_docs/docs/tde/15/secure_key/key_store/thales/thales_restapi.mdx

@@ -5,7 +5,7 @@ description: Learn how to secure your encryption key with a Thales management ke
 deepToC: true
 ---
 
-You can configure TDE to use an external key from Thales CipherTrust Manager to wrap the data encryption key. This integration uses Thales REST API to allow cryptographic operations by directly connecting to Thales CipherTrust Manager, bypassing other intermediate protocols.
+You can configure TDE to use an external key from Thales CipherTrust Manager to wrap the data encryption key. This integration uses the Thales REST API to allow cryptographic operations by directly connecting to Thales CipherTrust Manager, bypassing other intermediate protocols.
 
 To implement this integration, EDB provides two scripts that simplify processes:
 
@@ -29,8 +29,8 @@ The configuration process consists in the following steps:
 
 ## Prerequisites
 
-- Ensure you have Python3 installed. You can check with `python3 --version`. Otherwise, [install it](https://www.python.org/downloads/). 
-- Ensure your Python3 installation includes the base64 encode and decode library (included by default).
+- Ensure you have Python3 installed. You can check to see if it's installed with `python3 --version`. If it's not installed, [install it](https://www.python.org/downloads/). 
+- Ensure your Python3 installation includes the base64 encode and decode library, which is included by default.
 - Install the [/jq command line JSON parser](https://jqlang.org/).
 
 ## Installing the EDB TDE Thales REST API client packages
@@ -41,45 +41,31 @@ See [Installing EDB TDE Thales REST](/tde/latest/secure_key/key_store/thales/ins
 
 ## Creating a certificate for authentication
 
-Create a Certificate Signing Request (CSR) and then provide that CSR to a Certificate Authority (CA), so it can generate a certificate.
+Create a certificate signing request (CSR). Then provide that CSR to a certificate authority (CA) so it can generate a certificate.
 
 1.  Access your Thales CipherTrust Manager instance. 
 
-1.  Navigate to the **CSR tool** under **CA**:
+1.  Under **CA**, select **CSR Tool**.
 
-    ![Navigate to CSR tool](./images/01_CSR_tool.png)
-
-1.  Create a CSR. Ensure you select the RSA option, `2048` size and then select **Create**: 
-
-    ![Create CSR](./images/02_CSR_creation.png)
+1.  Create a CSR. Select the RSA algorithm and set the size to 2048. Select **Create**. 
 
-1.  In the same pop-up window, after the certificate has been created, select **save csr** and **save private key** to download a `CSR.pem` and `key.pem` file.
-
-	![Download the CSR](./images/03_CSR_creation_download.png)
-
-1.  Provide a CSR to a certificate authority (CA) so it can generate a certificate. Navigate to **CA** > **Local**.
+1.  To download a `CSR.pem` and `key.pem` file, after the certificate is created, in the same dialog box, select **save csr** and **save private key** .
 
-    ![Navigate to local CA](./images/04_local_CA.png)
+1.  Provide a CSR to a CA so it can generate a certificate. Under **CA**, select **Local**.
 
-1.  Select a CA. You can use the default local CA provided by CipherTrust. Then, select **Upload CSR**:
+1.  Select a CA. You can use the default local CA provided by CipherTrust. Then select **Upload CSR**.
 
-    ![Upload CSR to CA](./images/05_local_CA_selected.png)
-
-1.  Enter the previously assigned **Display name**, paste the contents of the downloaded `CSR.pem` file and select **Issue Certificate**:
-    
-	![Enter CSR details to issue a certificate](./images/06_enter_pem_contents.png)
+1.  Enter the previously assigned **Display name**, paste the contents of the downloaded `CSR.pem` file, and select **Issue Certificate**.
 
 1.  Download the `Certificate.pem` certificate: 
 
     ![Download the issued certificate](./images/07_download_certificate.png)
 
-1.  Update your user configuration to allow certificate-based login. Navigate to **Access Management** > **Users** and select your user.
+1.  Update your user configuration to allow certificate-based login. Under **Access Management**, select **Users** and select your user.
 
-1.  Under **LOGIN**, enable **Allow user to login using certificate**, and enter a Certificate Subject Distinguished Name with `CN=` prefix: 
+1.  Under **LOGIN**, enable **Allow user to login using certificate**, and enter a value in **Certificate Subject Distinguished Name**. Use a `CN=` prefix. 
 
-    ![Enable user to connect through certificate](./images/08_update_user_cert_login.png)
-
-You should now have downloaded three pem files: `CSR.pem`, `key.pem` and `Certificate.pem`. Ensure you store them in an accessible location.
+You downloaded three .pem files: `CSR.pem`, `key.pem`, and `Certificate.pem`. Store them in an accessible location.
 
 ## Creating an AES key on Thales CipherTrust Manager
 
@@ -104,13 +90,13 @@ To create an AES 256 key, you can execute the downloaded script, which ensures t
     export SERVER_USER='user' 
     ```
 
-1.  Execute `edb_tde_createkey.py` to create they key. To execute it correctly, you need:
+1.  To create they key, execute `edb_tde_createkey.py`. To execute it correctly, you need:
 
-    - A key name to identify your key. Replace `key_name` in the example with an identifiable name of your choice. 
+    - A key name to identify your key. Replace `<key_name>` in the example with an identifiable name of your choice. 
 
-    - The `uid` of the user that created the certificate. You can find the user `uid` in the Thales CipherTrust Manager, under **Access Management** > **Users**, select your user. The user `uid` information is a sequence of digits and letters, e.g. `local|285xxxfb-xxxb-4xxx-9339-2d58xxx60ae6`.
+    - The uid of the user that created the certificate. You can find the user uid in the Thales CipherTrust Manager. Under **Access Management**, select **Users**, then select your user. The user uid information is a sequence of digits and letters, for example, `local|285xxxfb-xxxb-4xxx-9339-2d58xxx60ae6`.
 
-    - The path to the `edb_tde_createkey.py` script installed by the packages. In RPM-based systems, the default location is `/usr/edb/tde/rest/client/edb_tde_createkey.py` and in Debian, `/usr/lib/edb/tde/rest/client/edb_tde_createkey.py`.
+    - The path to the `edb_tde_createkey.py` script installed by the packages. In RPM-based systems, the default location is `/usr/edb/tde/rest/client/edb_tde_createkey.py`. In Debian, it's `/usr/lib/edb/tde/rest/client/edb_tde_createkey.py`.
 
     Replace these values in the example:
 
@@ -119,16 +105,16 @@ To create an AES 256 key, you can execute the downloaded script, which ensures t
       <key_name> "<local|285xxxfb-xxxb-4xxx-9339-2d58xxx60ae6>"
     __OUTPUT__
     {"id":"f3d59d0a8fce45c7bdf3311bc51c4606292def6195674cf393bda793892f23cb"
-    "uri":"kylo:kylo:vault:keys:key_name-v0"
+    "uri":"kylo:kylo:vault:keys:<key_name>-v0"
     "account":"kylo:kylo:admin:accounts:kylo"
     "application":"ncryptify:gemalto:admin:apps:kylo"
     "devAccount":"ncryptify:gemalto:admin:accounts:gemalto"
-    "createdAt":"2025-03-12T10:01:03.945017Z","name":"key_name"
+    "createdAt":"2025-03-12T10:01:03.945017Z","name":"<key_name>"
     "updatedAt":"2025-03-12T10:01:03.945017Z"
     "activationDate":"2025-03-12T10:01:03.941793Z","state":"Active"
     "usage":"blob","usageMask":12,"meta":{"ownerId":"local
     a0a89746-5db8-47d3-a64f-149b89d552a5"},"objectType":"Symmetric Key"
-    "aliases":[{"alias":"key_name","type":"string","index":0}]
+    "aliases":[{"alias":"<key_name>","type":"string","index":0}]
     "sha1Fingerprint":"5d1b81ce34778509"
     "sha256Fingerprint":"8b5c455ea3a5689409ef50a0b762d94ed64c8e331116bec6be042
     12bc302c9e","defaultIV":"a4aa6956fe05512b63841f51be28b4ae","version":0
@@ -140,7 +126,7 @@ To create an AES 256 key, you can execute the downloaded script, which ensures t
     ```
 
     !!!note
-       Note down the key `id` (first line of output), as you will need it later.
+       Record the key `id` (first line of output), as you'll need it later.
 
 Alternatively, you can create a key manually using the Thales CipherTrust Manager portal.
 
@@ -156,11 +142,11 @@ Next, export the encryption and decryption commands as environment variables for
 
 1.  Set the wrapping and unwrapping commands that will perform encryption and decryption. To set them correctly, you need: 
 
-    - The `key_name` you assigned to the key during creation.
+    - The `key_name` value you assigned to the key during creation.
 
     - The AES key `id`, which you can find in the output of the key creation command or look up in the Thales CipherTrust Manager portal.
 
-    - The path to the `edb_tde_crypto.py` script installed by the packages. In RPM-based systems, the default location is `/usr/edb/tde/rest/client/edb_tde_crypto.py`, and in Debian, `/usr/lib/edb/tde/rest/client/edb_tde_crypto.py`. 
+    - The path to the `edb_tde_crypto.py` script installed by the packages. In RPM-based systems, the default location is `/usr/edb/tde/rest/client/edb_tde_crypto.py`. In Debian, it's `/usr/lib/edb/tde/rest/client/edb_tde_crypto.py`. 
 
     Replace these values in the example:
 
@@ -169,5 +155,4 @@ Next, export the encryption and decryption commands as environment variables for
     export PGDATAKEYUNWRAPCMD='python3 /usr/edb/tde/rest/client/edb_tde_crypto.py decrypt %p <id> | jq -r '.plaintext' | base64 -d'
     ```
 
-1.  You can now [initialize a TDE-enabled database cluster](/tde/latest/initdb_tde_options/#option---data-encryption-or--y) with `initdb --data-encryption`. TDE will fall back on the exported `PGDATAKEYWRAPCMD` and `PGDATAKEYUNWRAPCMD` commands for the wrapping and unwrapping of data encryption keys. 
-
+1.  You can now [initialize a TDE-enabled database cluster](/tde/latest/initdb_tde_options/#option---data-encryption-or--y) with `initdb --data-encryption`. TDE falls back on the exported `PGDATAKEYWRAPCMD` and `PGDATAKEYUNWRAPCMD` commands for wrapping and unwrapping data encryption keys.