Key management overview¶
In production environments, storing encryption keys locally on the PostgreSQL server can introduce security risks. To enhance security, open_pg_tde supports integration with external Key Management Systems (KMS) through a Global Key Provider interface.
This section describes how you can configure open_pg_tde to use the local and external key providers.
To use an external KMS with open_pg_tde:
- Configure a Key Provider
- Set the Global Principal Key
Note
While key files may be acceptable for local or testing environments, KMS integration is the recommended approach for production deployments.
Warning
Do not rotate encryption keys while a backup is running. This may result in an inconsistent backup and restore failure. This applies to all backup tools.
Schedule key rotations outside backup windows. After rotating keys, take a new full backup.
For more details, see Limitations of open_pg_tde.
open_pg_tde has been tested with the following key providers:
| KMS Provider | Description | Documentation |
|---|---|---|
| KMIP | Standard Key Management Interoperability Protocol. | Configure KMIP → |
| Fortanix | Fortanix DSM key management. | KMIP-compatible servers → |
| Thales | Thales CipherTrust Manager and DSM. | KMIP-compatible servers → |
| Akeyless | A cloud-based secrets management platform for securely storing and accessing credentials and encryption keys. | KMIP-compatible servers → |
| OpenBao | Apache 2.0 licensed Vault fork using the KV v2 secrets engine. | Configure OpenBao → |
| Keyring file (not recommended) | Local key file for dev/test only. | Configure keyring file → |