Key management overview

In production environments, storing encryption keys locally on the PostgreSQL server can introduce security risks. To enhance security, pg_tde supports integration with external Key Management Systems (KMS) through a Global Key Provider interface.

This section describes how to configure pg_tde to use local and external key providers. To use an external KMS with pg_tde, follow these two steps:

  1. Configure a Key Provider
  2. Set the Global Principal Key
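As an added example (not from the pg_tde documentation or the project's own files), here are the two steps as SQL run by a superuser in psql. It uses the keyring-file provider so it can be tried on a throwaway dev/test instance; the function names and argument order are assumed from the pg_tde function reference and should be checked against the installed version, and the provider name, key name and file path are constructed.

```sql
-- Step 1: register a global key provider.
-- Assumed pg_tde function: pg_tde_add_global_key_provider_file(provider_name, file_path).
-- The keyring file is for dev/test only; for production, register a KMS provider
-- instead (the Vault, KMIP, Fortanix, Thales or OpenBao pages show the call for each).
SELECT pg_tde_add_global_key_provider_file(
    'dev-keyring',                      -- constructed provider name
    '/var/lib/pg_tde/dev-keyring.per'   -- constructed path; keep it readable only by the postgres OS user
);

-- Step 2: set the global principal key (the server key) through that provider.
-- Assumed function: pg_tde_set_server_key_using_global_key_provider(key_name, provider_name).
-- Some pg_tde versions require the key to be created first with
-- pg_tde_create_key_using_global_key_provider(key_name, provider_name) (assumed name).
SELECT pg_tde_set_server_key_using_global_key_provider('server-key-dev', 'dev-keyring');

-- Checks to run afterwards (assumed function names): the provider is registered,
-- and the principal key can actually be fetched from it before any data is encrypted.
SELECT * FROM pg_tde_list_all_global_key_providers();
SELECT pg_tde_verify_server_key();
```

Run the verification again after any key rotation, and only outside a pg_basebackup window, as the warning on this page describes.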

Note

While key files may be acceptable for local or testing environments, KMS integration is the recommended approach for production deployments.

Warning

Do not rotate encryption keys while pg_basebackup is running. Standbys or standalone clusters created from such backups may fail to start during WAL replay. Schedule rotations outside your backup windows and run a new full backup afterward.

pg_tde has been tested with the following key providers:

| KMS Provider | Description | Documentation |
|---|---|---|
| KMIP | Standard Key Management Interoperability Protocol. | Configure KMIP → |
| Vault | HashiCorp Vault integration (KV v2 API, KMIP engine). | Configure Vault → |
| Fortanix | Fortanix DSM key management. | Configure Fortanix → |
| Thales | Thales CipherTrust Manager and DSM. | Configure Thales → |
| OpenBao | Community fork of Vault, supporting KV v2. | Configure OpenBao → |
| Keyring file (not recommended) | Local key file for dev/test only. | Configure keyring file → |