
Global Principal Key configuration

You can configure a default principal key using a global key provider. Every database that does not have its own principal key configured uses this key. The pg_tde_set_default_key_using_global_key_provider function both sets the principal key and rotates the internal keys as needed.

Create a default principal key

Note

The sample output below is for demonstration purposes only. Be sure to replace the key name and the provider name with your actual values.

To create a global principal key, run:

SELECT pg_tde_create_key_using_global_key_provider(
    'key-name',
    'global_vault_provider'
);
Sample output
    postgres=# SELECT pg_tde_create_key_using_global_key_provider(
        'keytest1',
        'file-keyring'
    );
    pg_tde_create_key_using_global_key_provider
    ---------------------------------------------

    (1 row)

Configure a default principal key

To configure a global principal key, run:

SELECT pg_tde_set_default_key_using_global_key_provider(
    'key-name',
    'global_vault_provider'
);
Sample output
    postgres=# SELECT pg_tde_set_default_key_using_global_key_provider(
        'keytest1',
        'file-keyring'
    );
    pg_tde_set_default_key_using_global_key_provider
    --------------------------------------------------

    (1 row)

Parameter description

  • key-name is the name under which the principal key is stored in the provider.
  • global_vault_provider is the name of the global key provider you previously configured (the sample output uses a provider named file-keyring).

Note

If no error is reported, the action completed successfully.

How key generation works

The key material (actual cryptographic key) is auto-generated by pg_tde and stored securely by the configured provider.

Note

This process sets the default principal key for the entire server. Any database without a key explicitly configured will fall back to this key.
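The complete sequence described on this page (register a provider, create the key, set it as the server-wide default) followed by a check that a database without its own key really falls back to it, as an added example that is not part of the original documentation. It assumes a file-based global provider registered with pg_tde_add_global_key_provider_file (a file keyring is fine for a test server; a Vault or KMIP provider is the usual choice elsewhere), that pg_tde_default_key_info() and pg_tde_is_encrypted() exist in your pg_tde release, that the pg_tde extension is already created in the current database, and that the session is a superuser session. The key name, provider name and keyring path are placeholders.

```sql
-- Added example (not from the pg_tde documentation): set up and verify a
-- server-wide default principal key. Run with psql as a superuser.
-- Assumptions: file-based provider (test use), placeholder names and path,
-- pg_tde_default_key_info() and pg_tde_is_encrypted() available.
\set ON_ERROR_STOP on

-- 1. Register a global key provider. The keyring path is a placeholder.
SELECT pg_tde_add_global_key_provider_file('file-keyring', '/path/to/keyring.per');

-- 2. Generate the principal key material inside that provider.
SELECT pg_tde_create_key_using_global_key_provider('keytest1', 'file-keyring');

-- 3. Make it the default for the whole server; this also rotates internal keys as needed.
SELECT pg_tde_set_default_key_using_global_key_provider('keytest1', 'file-keyring');

-- 4. Confirm which key is now the default (assumes this function exists in your release).
SELECT * FROM pg_tde_default_key_info();

-- 5. Fallback check in a database that has NO key of its own: a tde_heap table
--    must still be encrypted, because it falls back to the default principal key.
CREATE TABLE tde_fallback_check (id int) USING tde_heap;
SELECT pg_tde_is_encrypted('tde_fallback_check');   -- expected: t
DROP TABLE tde_fallback_check;
```

If step 5 returns false, the database either has the extension missing or was given its own principal key earlier; check pg_tde_key_info() in that database before assuming the default key is in use.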

Next steps

Validate Encryption with pg_tde