To use transparent data encryption, you must create a keystore and set the master encryption key.
In the keystore_location parameter of postgresql.conf, specify the directory to store the keystore.
Specify a different location for each database cluster.
keystore_location = '/key/store/location'
Refer to "Appendix A Parameters" for information on postgresql.conf.
Execute an SQL function, such as the one below, to set the master encryption key. This must be performed by the superuser. Execute it as the database superuser.
SELECT pgx_set_master_key('passphrase');The value "passphrase" is the passphrase that will be used to open the keystore. The master encryption key is protected by this passphrase, so avoid specifying a short simple string that is easy to guess.
Refer to "B.2 Transparent Data Encryption Control Functions" for information on the pgx_set_master_key function.
Use the pg_ctl command to restart an instance.
Specify the following in the pg_ctl command:
Specify "restart" as the mode.
Specify the data storage directory in the -D option. If the -D option is omitted, the value of the PGDATA environment variable is used by default.
It is recommended to specify the -w option. This means that the command returns after waiting for the instance to start. If the -w is not specified, it may not be possible to determine if the starting of the instance completed successfully or if it failed.
Example
> pg_ctl restart -w -D /database/inst1
Note
Note that if you forget the passphrase, you will not be able to access the encrypted data. There is no method to retrieve a forgotten passphrase and decrypt data. Do not, under any circumstances, forget the passphrase.
The SQL function creates a file with the name keystore.ks in the keystore storage destination. It also creates a master encryption key from random bit strings, encrypts it with the specified passphrase, and stores it in keystore.ks. At this point, the keystore is open.