Refer to "5.1 Protecting Data Using Encryption" for the basic operation of transparent data encryption. The following describes only the points that differ when the master encryption key is held in a key management system rather than in the file-based keystore described in "5.1 Protecting Data Using Encryption".
Each encrypted tablespace has a tablespace encryption key that encrypts and decrypts all data stored in it. Tablespace encryption keys are themselves stored encrypted with the master encryption key.
Use an encryption key stored in a key management system as the common master encryption key for your database cluster. Fujitsu Enterprise Postgres treats that key management system as the keystore for the master encryption key.
Two types of key management systems are available:
kmip
A key management system accessed through KMIP (Key Management Interoperability Protocol), the protocol standardized by OASIS (Organization for the Advancement of Structured Information Standards).
custom
A key management system that does not speak KMIP and is instead linked through an adapter that converts the request format.
See
Refer to "Key Management System Requirements" in the Installation and Setup Guide for Server for the key management system requirements that can be used with Fujitsu Enterprise Postgres.
When an adapter is used to link with the key management system, the tablespace encryption key is encrypted and decrypted with the master encryption key on the key management system side, not by the database server.
A decrypted tablespace encryption key can be shared within the database cluster, so the key management system does not have to be accessed every time the tablespace encryption key is used.
The cost of encrypting and decrypting with the master encryption key becomes significant in the following cases:
Multiple connections to the database access encrypted tablespaces
Connections that access encrypted tablespaces are repeatedly opened and closed, and connection pooling is not used
Key IDs are the identifiers used to refer to encryption keys stored on the key management system.
A key ID identifies an encryption key on the key management system and is unique within that key management system. The correspondence between the key ID and the key material (the byte string) does not change throughout the life cycle of the encryption key.
The name of this identifier differs from one key management system to another, but this feature calls it the key ID.
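To make the adapter-side wrapping, the cluster-wide sharing of decrypted tablespace keys and the role of the key ID concrete, here is an added example; it is not code from Fujitsu Enterprise Postgres or its manuals. It simulates a key management system as an in-process Go type (constructed for the example): the master key exists only inside that type and is addressed by a key ID; the database side stores only tablespace keys wrapped with AES-256-GCM under that master key, and a cluster-wide cache of unwrapped keys means that n connections cost one key management system request instead of n. The type and function names, the key ID "mk-01" and the tablespace name "ts_secure" are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG for keys and nonces (rand.Read never fails).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// KMS stands in for the key management system behind the adapter (constructed for this example).
// Master keys never leave it: callers pass a key ID plus a tablespace key, plain or wrapped, and
// the KMS does the AES-256-GCM wrap/unwrap itself. Calls counts the requests it served.
type KMS struct {
	masters map[string][]byte // key ID -> master key bytes, never returned
	Calls   int
}
// aead counts one request and builds the AEAD for the master key named by keyID.
func (k *KMS) aead(keyID string) (cipher.AEAD, error) {
	k.Calls++
	block, err := aes.NewCipher(k.masters[keyID]) // unknown ID -> empty key -> error
	if err != nil {
		return nil, fmt.Errorf("key ID %q: %v", keyID, err)
	}
	return cipher.NewGCM(block)
}
// Wrap encrypts a tablespace key under the master key named by keyID. The key ID is bound
// as associated data, so the blob opens only when presented together with that same ID.
func (k *KMS) Wrap(keyID string, tsKey []byte) ([]byte, error) {
	g, err := k.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, tsKey, []byte(keyID)), nil
}
// Unwrap reverses Wrap; an unknown or wrong key ID, or a tampered blob, is rejected.
func (k *KMS) Unwrap(keyID string, wrapped []byte) ([]byte, error) {
	g, err := k.aead(keyID)
	if err != nil || len(wrapped) < g.NonceSize() {
		return nil, fmt.Errorf("cannot unwrap blob under key ID %q", keyID)
	}
	ns := g.NonceSize()
	return g.Open(nil, wrapped[:ns], wrapped[ns:], []byte(keyID))
}

// Cluster persists only wrapped tablespace keys plus the ID of its common master key, and shares
// one cache of unwrapped keys so repeated connections need not each pay a KMS round trip
// (locking for concurrent backends is omitted here).
type Cluster struct {
	kms         *KMS
	masterKeyID string
	catalog     map[string][]byte // tablespace name -> wrapped tablespace key
	cache       map[string][]byte // tablespace name -> unwrapped tablespace key
}
// CreateEncryptedTablespace makes a fresh tablespace key and stores only its wrapped form.
func (c *Cluster) CreateEncryptedTablespace(name string) (err error) {
	c.catalog[name], err = c.kms.Wrap(c.masterKeyID, randomBytes(32))
	return err
}
// TablespaceKey returns the plaintext tablespace key, asking the KMS only on a cache miss;
// with useCache=false every caller pays a KMS round trip.
func (c *Cluster) TablespaceKey(name string, useCache bool) ([]byte, error) {
	if k, hit := c.cache[name]; useCache && hit {
		return k, nil
	}
	blob, ok := c.catalog[name]
	if !ok {
		return nil, fmt.Errorf("tablespace %q is not encrypted", name)
	}
	k, err := c.kms.Unwrap(c.masterKeyID, blob)
	if err == nil && useCache {
		c.cache[name] = k
	}
	return k, err
}

// SimulateConnections has n connections each fetch one encrypted tablespace's key and
// returns how many KMS requests that cost: one wrap plus however many unwraps.
func SimulateConnections(n int, useCache bool) (int, error) {
	kms := &KMS{masters: map[string][]byte{"mk-01": randomBytes(32)}} // key created in the KMS
	cl := &Cluster{kms, "mk-01", map[string][]byte{}, map[string][]byte{}}
	if err := cl.CreateEncryptedTablespace("ts_secure"); err != nil {
		return 0, err
	}
	for i := 0; i < n; i++ {
		if _, err := cl.TablespaceKey("ts_secure", useCache); err != nil {
			return 0, err
		}
	}
	return kms.Calls, nil
}

func main() {
	uncached, _ := SimulateConnections(10, false)
	cached, _ := SimulateConnections(10, true)
	fmt.Printf("10 connections: %d KMS requests without the cache, %d with it\n", uncached, cached)
}
```

Running it reports that 10 connections cost 11 requests without the cache (one wrap plus ten unwraps) and 2 with it, which is the cost difference the two cases above describe. Binding the key ID as associated data means a wrapped tablespace key presented under a different key ID fails to unwrap, so the stored blob stays tied to the key material that the key ID names for the life of that key.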
The key management system in use can be changed to another key management system even after transparent data encryption has gone into operation.