Skip to content

Default Principal Key configuration

You can configure a default principal key for the server using a global key provider. This key is used by all databases that do not have their own encryption keys configured.

Configuring the default principal key is a multi-step process that uses the following functions:

Add a global key provider

To add a global key provider, see the Key provider management topic.

Create a default principal key

Note

The sample output below is for demonstration purposes only. Be sure to replace the key name and provider with your actual values.

To create a global principal key, run:

SELECT open_pg_tde_create_key_using_global_key_provider(
    'key-name',
    'global_kmip_provider'
);
Sample output
    postgres=# SELECT open_pg_tde_create_key_using_global_key_provider(
        'keytest1',
        'global_kmip_provider'
    );
    open_pg_tde_create_key_using_global_key_provider
    ---------------------------------------------

    (1 row)

Set a default principal key

To set a default principal key, run:

SELECT open_pg_tde_set_default_key_using_global_key_provider(
    'key-name',
    'global_kmip_provider'
);
Sample output
    postgres=# SELECT open_pg_tde_set_default_key_using_global_key_provider(
        'keytest1',
        'global_kmip_provider'
    );
    open_pg_tde_set_default_key_using_global_key_provider 
    --------------------------------------------------

    (1 row)

Parameter description

  • key-name is the name under which the principal key is stored in the provider.
  • global_kmip_provider is the name of the global key provider you previously configured.

Note

If no error is reported, the action completed successfully.

How key generation works

The key material (actual cryptographic key) is auto-generated by open_pg_tde and stored securely by the configured provider.

Note

This process sets the default principal key for the entire server. Any database without a key explicitly configured will fall back to this key.

Next steps

To confirm that encryption is working as expected, follow the validation steps:

Validate Encryption with open_pg_tde