Enterprise Postgres 14 SP1 Operation Guide
FUJITSU Software

6.2 Setting the Master Encryption Key

To use transparent data encryption, you must create a keystore and set the master encryption key.

  1. Set the shared_preload_libraries parameter in postgresql.conf so that the server loads the library "tde_kms":

    shared_preload_libraries = 'tde_kms'
  2. Set the tde_kms.kms_conninfo_file parameter in postgresql.conf to a file that contains key management system connection information. Refer to "Appendix A Parameters" for information.

    Example postgresql.conf setting that points to the key management system connection information file kms_conninfo.conf

    tde_kms.kms_conninfo_file = 'kms_conninfo.conf'

    Example of key management system connection information file

    kmip   mykmipsvr  mykmipsvr.example.com   5696   cert   sslcert=postgres.crt   sslkey=postgres.key sslrootcert=root.crt
  3. Execute a CREATE EXTENSION statement to install the extension.

    CREATE EXTENSION tde_kms;
  4. To enable transparent data encryption, call the pgx_declare_external_master_key function to declare the encryption key to use as the master encryption key. Refer to "B.2.3 pgx_declare_external_master_key" for information on the pgx_declare_external_master_key function.

    SELECT pgx_declare_external_master_key( kms_name => 'mykmipsvr', key_id => 'a0eebc99-9c0b-0000-0000-000000000000', sslpassphrase => 'mykmippassphrase' );
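The four steps above, gathered into one shell script as an added example; this is not Fujitsu's tooling and the guide does not ship it. It writes the two configuration artifacts (the postgresql.conf lines from steps 1 and 2 and the connection information file from step 2) using the guide's own sample values, checks the connection information line before the server is restarted, and wraps steps 3 and 4 in a psql call that takes the key id and passphrase from a psql variable and an environment variable rather than from the script text. The eight-field layout it validates is inferred from the single sample line in the guide, and the directory, the TDE_SSLPASSPHRASE variable and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the Enterprise Postgres guide. Assumes the
# guide's sample KMS values; WORKDIR and TDE_SSLPASSPHRASE are placeholders.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KMS_NAME="mykmipsvr"
KMS_HOST="mykmipsvr.example.com"
KMS_PORT="5696"

# Step 2: the connection information file, in the layout of the guide's
# example: type, name, host, port, auth method, then the ssl options.
# It names the client key file, so it is created owner-readable only.
write_kms_conninfo() {
    file="$1"
    (
        umask 077
        printf 'kmip   %s  %s   %s   cert   sslcert=postgres.crt   sslkey=postgres.key sslrootcert=root.crt\n' \
            "$KMS_NAME" "$KMS_HOST" "$KMS_PORT" > "$file"
    )
}

# Steps 1 and 2: the postgresql.conf lines. Written to a fragment file here;
# on a real server edit postgresql.conf so each parameter appears once.
write_postgresql_conf_fragment() {
    file="$1"
    {
        echo "shared_preload_libraries = 'tde_kms'"
        echo "tde_kms.kms_conninfo_file = 'kms_conninfo.conf'"
    } > "$file"
}

# Structural check of the first conninfo line before restarting the server:
# field count, KMS type, numeric port and the three expected ssl options.
# The field count is an assumption taken from the guide's sample line.
check_kms_conninfo() {
    file="$1"
    line=$(head -n 1 "$file")
    set -- $line
    [ "$#" -eq 8 ] || { echo "expected 8 fields, got $#" >&2; return 1; }
    [ "$1" = "kmip" ] || { echo "unexpected KMS type: $1" >&2; return 1; }
    case "$4" in
        ''|*[!0-9]*) echo "port is not numeric: $4" >&2; return 1 ;;
    esac
    case "$6" in sslcert=*) ;; *) echo "field 6 must be sslcert=..." >&2; return 1 ;; esac
    case "$7" in sslkey=*) ;; *) echo "field 7 must be sslkey=..." >&2; return 1 ;; esac
    case "$8" in sslrootcert=*) ;; *) echo "field 8 must be sslrootcert=..." >&2; return 1 ;; esac
    return 0
}

# Steps 3 and 4, run against a server reachable through the usual PG* settings.
# psql's :'var' quoting keeps the values out of the script; the statement text
# still carries the passphrase to the server, so mind statement logging.
declare_master_key() {
    key_id="$1"
    psql -v ON_ERROR_STOP=1 -v kms_name="$KMS_NAME" -v key_id="$key_id" \
        -v sslpassphrase="$TDE_SSLPASSPHRASE" <<'EOF'
CREATE EXTENSION tde_kms;
SELECT pgx_declare_external_master_key( kms_name => :'kms_name', key_id => :'key_id', sslpassphrase => :'sslpassphrase' );
EOF
}

# Stand-alone run: produce and check the files, but do not touch a server.
write_kms_conninfo "$WORKDIR/kms_conninfo.conf"
write_postgresql_conf_fragment "$WORKDIR/postgresql.conf.fragment"
check_kms_conninfo "$WORKDIR/kms_conninfo.conf" && echo "conninfo OK: $WORKDIR/kms_conninfo.conf"
```

Run it once to generate the files, copy the fragment's two lines into postgresql.conf, place the conninfo file and the certificate files where the server can read them, restart the server, and then call declare_master_key with the key id from your KMS and TDE_SSLPASSPHRASE exported in the environment.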