To use transparent data encryption, you must create a keystore and set the master encryption key.
In the keystore_location parameter of postgresql.conf, specify the directory in which to store the keystore.
Specify a different location for each database cluster.
keystore_location = 'C:\\key\\store\\location'
Refer to "Appendix A Parameters" for information on postgresql.conf.
After editing the postgresql.conf file, either start or restart the instance.
Using WebAdmin
Refer to "2.1.1 Using WebAdmin", and restart the instance.
Using commands
Refer to "2.1.2 Using Commands", and restart the instance.
Execute an SQL function, such as the one below, to set the master encryption key. This must be performed by the database superuser.
SELECT pgx_set_master_key('passphrase');
The value "passphrase" is the passphrase that will be used to open the keystore. The master encryption key is protected by this passphrase, so avoid specifying a short simple string that is easy to guess.
Refer to "B.2 Transparent Data Encryption Control Functions" for information on the pgx_set_master_key function.
Note
Note that if you forget the passphrase, you will not be able to access the encrypted data. There is no method to retrieve a forgotten passphrase and decrypt data. Do not, under any circumstances, forget the passphrase.
The pgx_set_master_key function creates a file with the name keystore.ks in the keystore storage destination. It also creates a master encryption key from random bit strings, encrypts it with the specified passphrase, and stores it in keystore.ks. At this point, the keystore is open.
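The requirement that each database cluster has its own keystore_location can be checked before the instances are restarted. The following Python script is an added example, not part of the product documentation; the cluster names and postgresql.conf contents are constructed, and the parser is a simplification that reads only single-quoted values with the \\ and '' escapes.

```python
import ntpath
import re

# Matches "keystore_location = 'value'"; the "=" is optional in postgresql.conf.
_SETTING = re.compile(r"^\s*keystore_location\s*=?\s*'((?:[^'\\]|\\.|'')*)'", re.IGNORECASE)

def keystore_location(conf_text):
    """Return the effective keystore_location from postgresql.conf text, or None."""
    value = None
    for line in conf_text.splitlines():
        m = _SETTING.match(line)  # commented-out lines start with '#' and do not match
        if m:
            raw = m.group(1).replace("''", "'")
            # '\\' in the file is one '\' in the path; other escapes are not interpreted.
            value = re.sub(r"\\(.)", r"\1", raw)  # the last entry in the file wins
    return value

def audit(clusters):
    """clusters maps a cluster name to its postgresql.conf text; returns findings."""
    findings, seen = [], {}
    for name, text in clusters.items():
        loc = keystore_location(text)
        if not loc:
            findings.append(f"{name}: keystore_location is not set")
            continue
        # Compare Windows paths without regard to case, slash style or trailing separator.
        key = ntpath.normcase(ntpath.normpath(loc))
        if key in seen:
            findings.append(f"{name}: shares keystore directory with {seen[key]}")
        else:
            seen[key] = name
    return findings

# Constructed sample input: three clusters, one duplicate directory, one unset.
SAMPLE = {
    "cluster_a": r"""
#keystore_location = 'C:\\old\\location'
keystore_location = 'C:\\key\\store\\location'
""",
    "cluster_b": r"keystore_location = 'c:/key/store/location/'",
    "cluster_c": "port = 27500\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```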