Enterprise Postgres 16 Operation Guide

6.2 Setting the Master Encryption Key

To use transparent data encryption, you must create a keystore and set the master encryption key.

  1. Add the library name "tde_kms" to the shared_preload_libraries parameter in postgresql.conf.

    shared_preload_libraries = 'tde_kms'
  2. When using an adapter, register the adapter as a plug-in. Specify the directory where the plugin is stored in the tde_kms.plugin_path parameter in postgresql.conf. Store your plugins in this directory.

    tde_kms.plugin_path = '/home/fsepuser/plugin/'
  3. To share the tablespace encryption key, set the tde_kms.enable_shared_dek parameter in postgresql.conf to "on".

    tde_kms.enable_shared_dek = on
  4. Set the tde_kms.kms_conninfo_file parameter in postgresql.conf to a file that contains key management system connection information. Refer to "Appendix A Parameters" for information.

    Example where the key management system connection information file is kms_conninfo.conf

    tde_kms.kms_conninfo_file = 'kms_conninfo.conf'

    Example of a key management system connection information file

    For type kmip

    kmip   mykmipsvr  mykmipsvr.example.com   5696   cert   sslcert=postgres.crt   sslkey=postgres.key sslrootcert=root.crt

    For type custom

    custom   mykms   mykms  arg=--profile arg=user1
  5. Execute a CREATE EXTENSION statement to install the extension.

    CREATE EXTENSION tde_kms;
  6. To enable transparent data encryption, call the pgx_declare_external_master_key function to declare the encryption key to use as the master encryption key. Specify a key ID as an identifier to identify the encryption key. Refer to "B.2.3 pgx_declare_external_master_key" for information on the pgx_declare_external_master_key function.

    SELECT pgx_declare_external_master_key( kms_name => 'mykmipsvr', key_id => 'a0eebc99-9c0b-0000-0000-000000000000', sslpassphrase => 'mykmippassphrase' );
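As an added pre-flight check (this script is not part of the Enterprise Postgres documentation or product), the following Python code parses a postgresql.conf fragment and a connection information file and verifies that the settings from steps 1 to 4 are consistent with the kms_name that will be passed to pgx_declare_external_master_key in step 6. It assumes only that the first two fields of each connection information line are the type and the KMS name, and it treats a "custom" entry as the adapter case from step 2; the sample input is constructed from the example lines above.

```python
# Constructed sample of the postgresql.conf settings from steps 1 to 4
SAMPLE_POSTGRESQL_CONF = """
shared_preload_libraries = 'pg_stat_statements,tde_kms'   # tde_kms must be listed
tde_kms.plugin_path = '/home/fsepuser/plugin/'
tde_kms.enable_shared_dek = on
tde_kms.kms_conninfo_file = 'kms_conninfo.conf'
"""

# Constructed copy of the two example connection information lines
SAMPLE_KMS_CONNINFO = """
kmip   mykmipsvr  mykmipsvr.example.com   5696   cert   sslcert=postgres.crt   sslkey=postgres.key sslrootcert=root.crt
custom   mykms   mykms  arg=--profile arg=user1
"""

def parse_postgresql_conf(text):
    """Return {name: value} for 'name = value' lines; quotes and # comments are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or '=' not in line:
            continue
        name, value = (part.strip() for part in line.split('=', 1))
        settings[name.lower()] = value.strip("'")
    return settings

def parse_kms_conninfo(text):
    """Return {kms_name: (type, remaining tokens)}; assumes token 1 is the type, token 2 the name."""
    entries = {}
    for raw in text.splitlines():
        tokens = raw.split('#', 1)[0].split()
        if not tokens:
            continue
        if len(tokens) < 2:
            raise ValueError(f"malformed connection information line: {raw!r}")
        entries[tokens[1]] = (tokens[0], tokens[2:])
    return entries

def check_tde_kms_setup(conf_text, conninfo_text, kms_name):
    """Return a list of problems; an empty list means the prerequisites for step 6 look satisfied."""
    problems = []
    conf = parse_postgresql_conf(conf_text)
    libs = [lib.strip() for lib in conf.get('shared_preload_libraries', '').split(',')]
    if 'tde_kms' not in libs:
        problems.append("shared_preload_libraries does not include tde_kms")
    if conf.get('tde_kms.enable_shared_dek', '').lower() not in ('on', 'true', '1'):
        problems.append("tde_kms.enable_shared_dek is not on")
    if not conf.get('tde_kms.kms_conninfo_file'):
        problems.append("tde_kms.kms_conninfo_file is not set")
    entries = parse_kms_conninfo(conninfo_text)
    if kms_name not in entries:
        problems.append(f"kms_name {kms_name!r} has no entry in the connection information file")
    elif entries[kms_name][0] == 'custom' and not conf.get('tde_kms.plugin_path'):
        problems.append("custom adapter entry but tde_kms.plugin_path is not set")  # assumption: custom = adapter
    return problems
```

Run it against the real files before executing step 6, substituting the kms_name you intend to pass to pgx_declare_external_master_key.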