Skip to content
Percona Software for PostgreSQL Documentation

For help, click the link below to get free database assistance or contact our experts for personalized support.

Get help from Percona

Global Principal Key Configuration

You can configure a default principal key using a global key provider. This key will be used by all databases that do not have their own encryption keys configured. The function both sets the principal key and rotates internal keys as needed.

Create a default principal key

To configure a global principal key, run:

SELECT pg_tde_set_default_key_using_global_key_provider(
    'key-name',
    'global_vault_provider',
    'false'  -- or 'true', or omit entirely
);

Parameter description

  • key-name is the name under which the principal key is stored in the provider.
  • global_vault_provider is the name of the global key provider you previously configured.
  • Third parameter (optional):
    • true requires the key to be newly created. If the key already exists, the function fails.
    • false or omitted (default), allows reuse of an existing key if it exists. If not, a new key is created under the specified name.

How key generation works

If the specified key does not exist, a new encryption key is created under the given name. In this case, the key material (actual cryptographic key) is auto-generated by pg_tde and stored securely by the configured provider.

Note

This process sets the default principal key for the server. Any database without its own key configuration will use this key.

Example

This example is for testing purposes only. Replace the key name and provider name with your values:

SELECT pg_tde_set_key_using_global_key_provider(
    'test-db-master-key',
    'file-vault',
    'false'
);

Next steps

Validate Encryption with pg_tde