Global Principal Key Configuration
You can configure a default principal key using a global key provider. This key will be used by all databases that do not have their own encryption keys configured. The function both sets the principal key and rotates internal keys as needed.
Create a default principal key
To configure a global principal key, run:
SELECT pg_tde_set_default_key_using_global_key_provider(
'key-name',
'global_vault_provider',
'false' -- or 'true', or omit entirely
);
Parameter description
- key-name is the name under which the principal key is stored in the provider.
- global_vault_provider is the name of the global key provider you previously configured.
- Third parameter (optional):
  - true requires the key to be newly created. If a key with that name already exists, the function fails.
  - false or omitted (default) allows reuse of an existing key with that name. If none exists, a new key is created under the specified name.
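An added example, not taken from the pg_tde documentation, showing how a provisioning script can use the third parameter defensively: the call insists on a freshly created key and, if the provider already holds a key under that name, the block reports the failure instead of silently adopting existing key material. The key name and provider name are placeholders.

```sql
-- Added example, not part of the pg_tde docs. Placeholder names:
-- 'prod-default-key' is the key name and 'global_vault_provider' is the
-- global key provider configured earlier (see Parameter description).
DO $$
BEGIN
    -- Third parameter = true: fail rather than reuse a key that already
    -- exists under this name, so the script never adopts key material
    -- it did not create itself.
    PERFORM pg_tde_set_default_key_using_global_key_provider(
        'prod-default-key',
        'global_vault_provider',
        true
    );
    RAISE NOTICE 'default principal key created and set';
EXCEPTION
    WHEN OTHERS THEN
        -- The function raises when the key already exists; surface the
        -- error to the operator instead of falling back to false.
        RAISE EXCEPTION 'default principal key not set: %', SQLERRM;
END
$$;
```

Run the block as a superuser on the server where the global key provider is configured; a pre-existing key with the same name aborts the script with the provider's error message.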
How key generation works
If the specified key does not exist, a new encryption key is created under the given name. In this case, the key material (the actual cryptographic key) is auto-generated by pg_tde and stored securely by the configured provider.
Note: This process sets the default principal key for the server. Any database without its own key configuration will use this key.
Example
This example is for testing purposes only. Replace the key name and provider name with your values:
SELECT pg_tde_set_default_key_using_global_key_provider(
'test-db-master-key',
'file-vault',
'false' -- reuse the key if it already exists, otherwise create it
);