Description
In the pg_tde README.md - 4 Create a key provider:
-- For File key provider
-- pg_tde_add_database_key_provider_file(provider_name, file_path);
SELECT pg_tde_add_database_key_provider_file('file','/tmp/pgkeyring');
In the Percona Distribution docs - 4 Configure a key provider:
SELECT pg_tde_add_key_provider_file('file-keyring','/tmp/pg_tde_test_local_keyring.per');
pg_tde_add_database_key_provider_file vs pg_tde_add_key_provider_file
In the pg_tde README.md - 5 Set the principal key:
-- pg_tde_set_key_using_database_key_provider(key_name, provider_name);
SELECT pg_tde_set_key_using_database_key_provider('my-key','file');
In the Percona Distribution docs - 5 Add a principal key:
SELECT pg_tde_set_principal_key('test-db-master-key','file-keyring');
pg_tde_set_key_using_database_key_provider vs pg_tde_set_principal_key
Are these all the steps?
Are there other configuration requirements?
Could you include an example keyring file?
When I searched for 'percona postgres keyring file example'
AI Overview
A keyring file in Percona's pg_tde (Transparent Data Encryption) extension for PostgreSQL is a local file that stores master keys for encrypting data. It's primarily used for testing and development due to the inherent security risks of storing keys unencrypted in a file.
Keyring File Content
A keyring file typically contains the master key used to encrypt the database data. It's a plain text file, which is why it's not recommended for production use. The content of the file will depend on the encryption method used and the specific key format.
- Create a keyring file: This file should be located in a secure directory, such as /etc/postgresql/16/main or a similarly protected location.
- Add a configuration to postgresql.conf: You need to tell pg_tde where to find the keyring file. This is done by adding a line similar to:
pg_tde.keyring_file = '/path/to/your/keyring/file.per'
Example of a Keyring File
The following is a simplified example. Do not use this directly in production as it's not a secure keyring. In reality, the key would be a much longer and more complex sequence.
# Example keyring file (NOT for production)
# This is just a placeholder. A real keyring would contain a secure key.
uzVUu9BdSpOXqPeMaGoTYuTHazRXWoUCajyLUfWlnv8=
I also found this (old) blog post: Percona pg_tde Project Keyring Options.
Expected Results
Matching documentation with examples :)
Actual Results
Documentation is different and lacks clear examples
Version
Percona Distribution for PostgreSQL 17 (LATEST)
Steps to reproduce
No response
Relevant logs