Enterprise Postgres 14 SP1 Operation Guide
FUJITSU Software

B.2.3 pgx_declare_external_master_key

pgx_declare_external_master_key declares an encryption key that already exists in the key management system as the master encryption key for transparent data encryption. If a master encryption key has already been set, it is replaced by the declared key (the master encryption key is changed). If the keystore is not open, the function opens it.

The arguments identify the master encryption key and must be passed in named notation (argument_name => value). Which information is passed depends on the key management system in use.

Only a superuser can execute this function, and it cannot be executed within a transaction block.

This function is available only if the extension 'tde_kms' is installed.

Using a key management system of type KMIP

The following arguments are specified in named notation:

  • kms_name text

    Specify the key management system name specified in the key management system connection information file. Required.

  • key_id text

    Specify the key ID assigned to the encryption key in the KMIP server. Required.

  • sslpassphrase text

    Specify the passphrase of the private key file belonging to the client certificate used when connecting to the KMIP server. This can be omitted if the private key file has no passphrase.

Example

SELECT pgx_declare_external_master_key( kms_name => 'mykmipsvr', key_id => 'a0eebc99-9c0b-0000-0000-000000000000', sslpassphrase => 'mykmippassphrase' );
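As an added psql script (not part of the Operation Guide), the same call preceded by checks for the prerequisites stated above; the KMS name, key ID and the environment variable KMS_SSL_PASSPHRASE are placeholders.

```sql
-- psql script: verify the prerequisites the documentation lists, then declare
-- the external master key as a standalone statement (never inside BEGIN/COMMIT).

-- 1. The function exists only once the tde_kms extension is installed.
SELECT count(*) = 1 AS have_tde_kms
  FROM pg_extension WHERE extname = 'tde_kms' \gset

-- 2. Only a superuser may execute the function.
SELECT rolsuper AS is_super
  FROM pg_roles WHERE rolname = current_user \gset

\if :have_tde_kms
\if :is_super
-- Take the client-certificate passphrase from the environment (placeholder
-- variable name) so the value is stored neither in this script nor in the
-- psql history file.
\set kms_passphrase `printf '%s' "$KMS_SSL_PASSPHRASE"`

-- Standalone statement: the function refuses to run inside a transaction
-- block, so do not wrap it in BEGIN ... COMMIT and do not run psql with
-- --single-transaction. kms_name must match the name in the key management
-- system connection information file; key_id is the KMIP key ID.
-- Both values below are placeholders.
SELECT pgx_declare_external_master_key(
         kms_name      => 'mykmipsvr',
         key_id        => 'a0eebc99-9c0b-0000-0000-000000000000',
         sslpassphrase => :'kms_passphrase'
       );
\else
\echo 'current user is not a superuser; pgx_declare_external_master_key not executed'
\endif
\else
\echo 'extension tde_kms is not installed; pgx_declare_external_master_key not executed'
\endif
```

The interpolated passphrase is still part of the statement text sent to the server, so it will appear in the server log if log_statement = 'all' or log_min_duration_statement = 0 is in effect while the script runs.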