To use transparent data encryption, you must create a keystore and set the master encryption key.
Set postgresql.conf parameters.
Set the keystore_location parameter to the directory where you want to store the keystore.
Specify a different location for each database cluster.
Also set the shared_preload_libraries parameter so that the tde_z extension is loaded.
The tde_z.SLOT_ID parameter specifies the slot ID that was set in "5.2 Preparing for HSM Collaboration".
keystore_location = '/key/store/location'
shared_preload_libraries = 'tde_z'
tde_z.SLOT_ID = 5
When the token model is "CCA", multi-coprocessor and multi-domain selection must be taken into account. Set the following postgresql.conf parameters for the CCA configuration so that Fujitsu Enterprise Postgres uses the intended coprocessor and domain.
tde_z.IBM_CCA_CSU_DEFAULT_ADAPTER: this parameter changes the default CCA coprocessor.
tde_z.IBM_CCA_CSU_DEFAULT_DOMAIN: this parameter selects a single domain.
The values of these parameters are passed to the CCA service through the CCA environment variables CSU_DEFAULT_ADAPTER and CSU_DEFAULT_DOMAIN.
tde_z.IBM_CCA_CSU_DEFAULT_ADAPTER = 'CRP01'
tde_z.IBM_CCA_CSU_DEFAULT_DOMAIN = '3'
Refer to "Appendix A Parameters" for information on postgresql.conf.
Refer to the IBM documentation for the CCA environment variables CSU_DEFAULT_ADAPTER and CSU_DEFAULT_DOMAIN, and for the multi-coprocessor and domain selection capabilities.
After editing the postgresql.conf file, either start or restart the instance.
Using WebAdmin
Refer to "2.1.1 Using WebAdmin", and restart the instance.
Using the pg_ctl command
Specify the following in the pg_ctl command:
Specify "restart" as the mode.
Specify the data storage destination directory in the -D option. If the -D option is omitted, the value of the PGDATA environment variable is used by default.
Specify the -w option so that the command waits for the instance to start before returning. Without the -w option, it may not be possible to determine whether the instance started successfully or failed.
> pg_ctl restart -w -D /database/inst1
Execute an SQL function, such as the one below, to set the master encryption key. This must be performed by the database superuser.
SELECT pgx_set_master_key('user pin');
The argument should be the user pin set in "5.2 Preparing for HSM Collaboration".
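The following POSIX shell script is an added example and is not part of this manual or of Fujitsu Enterprise Postgres; it scripts the three steps above (writing the tde_z parameters, restarting with pg_ctl -w, and calling pgx_set_master_key) and checks the resulting postgresql.conf before the restart. The data directory and keystore paths, the slot ID 5 and the CCA values are constructed sample values, the PGX_USER_PIN environment variable is a hypothetical name chosen for this example, and the real SLOT_ID and user PIN are the ones set in "5.2 Preparing for HSM Collaboration".

```shell
#!/bin/sh
# Added example, not from the Fujitsu manual: script the three setup steps
# (postgresql.conf parameters, pg_ctl restart -w, pgx_set_master_key).
# Paths, slot ID and CCA values below are constructed sample values.

# configure_tde DATADIR KEYSTORE_DIR SLOT_ID [CCA_ADAPTER CCA_DOMAIN]
# Appends the tde_z settings to DATADIR/postgresql.conf. The CCA pair is only
# written when an adapter is given (token model "CCA").
configure_tde() {
  conf="$1/postgresql.conf"
  {
    printf "keystore_location = '%s'\n" "$2"
    printf "shared_preload_libraries = 'tde_z'\n"
    printf "tde_z.SLOT_ID = %s\n" "$3"
    if [ -n "$4" ]; then
      printf "tde_z.IBM_CCA_CSU_DEFAULT_ADAPTER = '%s'\n" "$4"
      printf "tde_z.IBM_CCA_CSU_DEFAULT_DOMAIN = '%s'\n" "$5"
    fi
  } >> "$conf"
}

# keystore_of CONF: prints the last keystore_location value set in CONF
# (the last assignment wins in postgresql.conf).
keystore_of() {
  sed -n "s/^[[:space:]]*keystore_location[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# check_tde_conf CONF: exit 0 when tde_z is preloaded, SLOT_ID is numeric and
# keystore_location is an absolute path; exit 1 otherwise.
check_tde_conf() {
  grep -Eq "^[[:space:]]*shared_preload_libraries[[:space:]]*=.*tde_z" "$1" || return 1
  grep -Eq "^[[:space:]]*tde_z\.SLOT_ID[[:space:]]*=[[:space:]]*[0-9]+" "$1" || return 1
  loc=$(keystore_of "$1")
  case "$loc" in
    /*) return 0 ;;
    *)  return 1 ;;
  esac
}

# distinct_keystores CONF1 CONF2: exit 0 when the two clusters use different
# keystore directories, as the manual requires; exit 1 when they collide.
distinct_keystores() {
  [ "$(keystore_of "$1")" != "$(keystore_of "$2")" ]
}

# apply_master_key DATADIR: restart with -w so the exit status reflects whether
# the instance came up, then set the master key as the database superuser.
# The PIN is read from the hypothetical PGX_USER_PIN environment variable and
# handed to psql as a variable on stdin, so it is not placed on the command line.
apply_master_key() {
  pg_ctl restart -w -D "$1" || return 1
  printf "SELECT pgx_set_master_key(:'pin');\n" |
    psql -X -v ON_ERROR_STOP=1 -v pin="$PGX_USER_PIN" -d postgres
}
```

Source the script and call the functions in order: `configure_tde /database/inst1 /key/store/inst1 5 CRP01 3`, then `check_tde_conf /database/inst1/postgresql.conf`, and only on success `PGX_USER_PIN=... apply_master_key /database/inst1`. The check functions operate on files only, so they can be run before touching a live instance; `distinct_keystores` is there to catch two clusters being pointed at the same keystore directory.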