Default Principal Key configuration
You can configure a default principal key for the server using a global key provider. This key is used by all databases that do not have their own encryption keys configured.
Configuring the default principal key is a multi-step process that uses the following functions:
- pg_tde_add_global_key_provider_() adds a global key provider
- pg_tde_create_key_using_global_key_provider() creates a principal key at a global key provider
- pg_tde_set_default_key_using_global_key_provider() sets the default principal key and rotates the internal encryption key if one is already configured
Add a global key provider
To add a global key provider, see the Key provider management topic.
Create a default principal key
Note
The sample output below is for demonstration purposes only. Be sure to replace the key name and provider with your actual values.
To create a global principal key, run:

    SELECT pg_tde_create_key_using_global_key_provider(
        'key-name',
        'global_vault_provider'
    );
Sample output:

    postgres=# SELECT pg_tde_create_key_using_global_key_provider(
        'keytest1',
        'file-keyring'
    );
     pg_tde_create_key_using_global_key_provider
    ---------------------------------------------

    (1 row)
Set a default principal key
To set a default principal key, run:

    SELECT pg_tde_set_default_key_using_global_key_provider(
        'key-name',
        'global_vault_provider'
    );
Sample output:

    postgres=# SELECT pg_tde_set_default_key_using_global_key_provider(
        'keytest1',
        'file-keyring'
    );
     pg_tde_set_default_key_using_global_key_provider
    --------------------------------------------------

    (1 row)
Parameter description
- key-name is the name under which the principal key is stored in the provider.
- global_vault_provider is the name of the global key provider you previously configured.
Note
If no error is reported, the action completed successfully.
How key generation works
The key material (the actual cryptographic key) is generated automatically by pg_tde; it is never supplied by the user. The generated key is then stored by the configured key provider, so the provider, not the database, is the place that must protect it.
Note
This process sets the default principal key for the entire server. Any database without an explicitly configured principal key falls back to this default key.
Next steps
To confirm that encryption is working as expected, follow the validation steps: