Skip to content
Percona Software for PostgreSQL Documentation

For help, click the link below to get free database assistance or contact our experts for personalized support.

Get help from Percona

Global Principal Key Configuration

You can configure a default principal key using a global key provider. This key will be used by all databases that do not have their own encryption keys configured. The function both sets the principal key and rotates internal keys as needed.

Create a default principal key

To create a global principal key, run:

SELECT pg_tde_create_key_using_global_key_provider(
    'key-name',
    'global_vault_provider'
);

Configure a default principal key

To configure a global principal key, run:

SELECT pg_tde_set_default_key_using_global_key_provider(
    'key-name',
    'global_vault_provider'
);

Parameter description

  • key-name is the name under which the principal key is stored in the provider.
  • global_vault_provider is the name of the global key provider you previously configured.

How key generation works

The key material (actual cryptographic key) is auto-generated by pg_tde and stored securely by the configured provider.

Note

This process sets the default principal key for the server. Any database without its own key configuration will use this key.

Example

This example is for testing purposes only. Replace the key name and provider name with your values:

SELECT pg_tde_create_key_using_global_key_provider(
    'test-db-master-key',
    'file-vault'
);

SELECT pg_tde_set_key_using_global_key_provider(
    'test-db-master-key',
    'file-vault'
);

Next steps

Validate Encryption with pg_tde