Skip to content
Percona Software for PostgreSQL Documentation

For help, click the link below to get free database assistance or contact our experts for personalized support.

Get help from Percona

Keyring file configuration

This setup is intended for development and stores the keys, unencrypted, in a data file you specify.

Note

While keyring files may be acceptable for local or testing environments, proper KMS providers are the recommended approach for production deployments.

You can configure key providers either at the database level (for development and testing) or at the global level (for production).

The steps below provide an example on how to add a database-scoped key provider:

  1. Create a database-scoped file key provider (file-keyring in this example) in the /tmp/pg_tde_test_local_keyring.per file:

    SELECT pg_tde_add_database_key_provider_file(
    'file-keyring',
    '/tmp/pg_tde_test_local_keyring.per'
);

  2. Create a key (my_default_key in this example) inside the newly created file-keyring provider:

    SELECT pg_tde_create_key_using_database_key_provider(
    'my_default_key',
    'file-keyring'
);

  3. Set the key (my_default_key) from the key provider (file-keyring):

    SELECT pg_tde_set_key_using_database_key_provider(
    'my_default_key',
    'file-keyring'
);

    Tip

    You can check the default key information (such as the date and time of creation). Run:

    SELECT pg_tde_default_key_info();

  4. Now, create a table using tde_heap:

    CREATE TABLE customer_table (a INT) USING tde_heap;

    The newly created table is encrypted with the default key you have set (my_default_key).

    Tip

    To check if your created table is encrypted with tde_heap, run:

    \d+ test1

    If Access method: tde_heap, then your table is encrypted.

    Example output 
    postgres=# \d+ test1
                                    Table "public.test1"
Column |  Type   | Collation | Nullable | Default | Storage | Compression | Stats target | Description
--------+---------+-----------+----------+---------+---------+-------------+--------------+-------------
a      | integer |           |          |         | plain   |             |              |
Access method: tde_heap

Further reading

Next, for production deployments, configure a global principal key using a proper KMS provider.

Alternatively, you can skip directly to validating encryption with pg_tde or configuring WAL encryption.

You can also review the available pg_tde functions in Functions.