Implemented fixes and improvements

Author: gvasquezvargas

product_docs/docs/tde/15/enabling/enabling_tde.mdx

@@ -17,8 +17,8 @@ This example uses EDB Postgres Advanced Server 16 running on a Linux platform. I
 1. Set the data encryption key (wrap) and decryption (unwrap) environment variables:
 
    ```shell
-   export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pass pass:<password> -out "%p"'
-   export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pass pass:<password> -in "%p"'
+   export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pbkdf2 -pass pass:<password> -out "%p"'
+   export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pbkdf2 -pass pass:<password> -in "%p"'
    ```
 
    !!!note

product_docs/docs/tde/15/enabling/enabling_tde_epas.mdx

@@ -54,8 +54,8 @@ Use [pg_dumpall](https://www.postgresql.org/docs/current/app-pg-dumpall.html), [
 1.  Set environment variables to export the `wrap` and `unwrap` commands:
 
     ```
-    export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pass pass:ok -out "%p"'
-    export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pass pass:ok -in "%p"'
+    export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pbkdf2 -pass pass:ok -out "%p"'
+    export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pbkdf2 -pass pass:ok -in "%p"'
     ```
 
     !!!note

product_docs/docs/tde/15/enabling/postgres_to_extended.mdx

@@ -54,8 +54,8 @@ This example upgrades a PostgreSQL 16 instance to EDB Postgres Extended Server 1
 1.  Set environment variables to export the `wrap` and `unwrap` commands:
 
     ```
-    export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pass pass:ok -out "%p"'
-    export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pass pass:ok -in "%p"'
+    export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pbkdf2 -pass pass:ok -out "%p"'
+    export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pbkdf2 -pass pass:ok -in "%p"'
     ```
 
     !!!note

product_docs/docs/tde/15/encrypted_files/wal_files.mdx

@@ -41,7 +41,7 @@ Alternatively, you can set the `PGDATAKEYUNWRAPCMD` environment variable before
 This example uses `pg_waldump` to display the WAL log of an encrypted cluster that uses `openssl` to wrap the data encryption key: 
 
 ```
-pg_waldump --data-encryption --key-file-name=pg_encryption/key.bin --key-unwrap-command='openssl enc -d -aes-128-cbc -pass pass:<passphrase> -in "%p"'
+pg_waldump --data-encryption --key-file-name=pg_encryption/key.bin --key-unwrap-command='openssl enc -d -aes-128-cbc -pbkdf2 -pass pass:<passphrase> -in "%p"'
 ```
 
 ## Resetting a corrupt TDE-encrypted WAL file
@@ -59,5 +59,5 @@ Alternatively, you can set the `PGDATAKEYUNWRAPCMD` environment variable before
 This example uses `pg_resetwal` to reset a corrupt encrypted WAL log of an encrypted cluster that uses `openssl` to wrap the data encryption key:
 
 ```
-pg_resetwal --key-unwrap-command='openssl enc -d -aes-128-cbc -pass pass:<passphrase> -in" "%p"'
+pg_resetwal --key-unwrap-command='openssl enc -d -aes-128-cbc -pbkdf2 -pass pass:<passphrase> -in" "%p"'
 ```

product_docs/docs/tde/15/initdb_tde_options.mdx

@@ -11,7 +11,9 @@ Adds transparent data encryption when initializing a database server.
 
 ### Supported values
 
-You can optionally specify an AES key length. Valid values are 128 and 256. The default is 128.
+You can optionally specify an AES key length in the form of `--data-encryption[=KEYLEN]`. 
+
+Valid values are 128 and 256. The default is 128.
 
 ## Option: `--key-wrap-command=<command>`
 

product_docs/docs/tde/15/secure_key/disabling_key.mdx

@@ -4,6 +4,14 @@ description: Learn how to omit using a wrapping key.
 deepToc: true
 ---
 
-If you don't want key wrapping, for example for testing, then you must set the wrap and unwrap commands to the special value `-`.
+If you don't want key wrapping, for example for testing purposes, you have two options: 
 
-This setting specifies to use the key from the file without further processing. This approach differs from not setting a wrap or unwrap command at all and from setting either or both to an empty string. Having no wrap or unwrap command set when TDE is used leaves your data encryption key unsecured and results in a fatal error when running an affected utility program.
+- You can set the wrap and unwrap commands to the special value `-` when initializing the cluster with `initdb`. For example, with the flags `--key-wrap-command=-` and `--key-unwrap-command=-`.
+
+  With this configuration TDE generates encryption key files, but leaves them unprotected.
+
+- You can disable key wrapping when initializing the cluster with `initdb` by adding the flag `--no-key-wrap`.
+
+  With this configuration TDE generates encryption key files, but leaves them unprotected.
+
+For `intidb --data-encryption` to run successfully, you have to either, specify a wrapping/unwrapping command, set a fallback environment variable with wrapping/unwrapping commands, or disable key wrapping with the one of the previous mechanisms. Otherwise, the database cluster will fail.