Key management overview¶
In production environments, storing encryption keys locally on the PostgreSQL server can introduce security risks. To enhance security, pg_tde supports integration with external Key Management Systems (KMS) through a Global Key Provider interface.
This section describes how you can configure pg_tde to use the local and external key providers.
To use an external KMS with pg_tde, follow these two steps:
- Configure a Key Provider
- Set the Global Principal Key
Note
While key files may be acceptable for local or testing environments, KMS integration is the recommended approach for production deployments.
Warning
Do not rotate encryption keys while pg_basebackup is running. Standbys or standalone clusters created from such backups may fail to start during WAL replay. Schedule rotations outside your backup windows and run a new full backup afterward.
pg_tde has been tested with the following key providers:
| KMS Provider | Description | Documentation |
|---|---|---|
| KMIP | Standard Key Management Interoperability Protocol. | Configure KMIP → |
| Vault | HashiCorp Vault integration (KV v2 API, KMIP engine). | Configure Vault → |
| Fortanix | Fortanix DSM key management. | Configure Fortanix → |
| Thales | Thales CipherTrust Manager and DSM. | Configure Thales → |
| OpenBao | Community fork of Vault, supporting KV v2. | Configure OpenBao → |
| Keyring file (not recommended) | Local key file for dev/test only. | Configure keyring file → |