Enterprise Postgres 17 SP1 Operation Guide

5.4 Opening the Keystore

To create encrypted tablespaces and access the encrypted data, you must first open the keystore. Opening the keystore makes the master encryption key in the token accessible, so that it can be used for encryption and decryption.

You need to open the keystore each time you start the instance. To open the keystore, the database superuser must execute the following SQL function.

SELECT pgx_open_keystore('user pin');

user pin is the user pin configured in "5.2 Preparing for HSM Collaboration".

Refer to "B.2 Transparent Data Encryption Control Functions" for information on the pgx_open_keystore function.
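The following is an added example, not part of the product manual: a shell helper that prompts for the user pin with echo disabled and sends the pgx_open_keystore call to psql on standard input, so the pin is not typed into a command line where it would end up in shell history or the process list. The function names are hypothetical, and it assumes psql is on the PATH and that the PG* environment variables select a superuser connection.

```shell
#!/bin/sh
# Added example, not from the product manual. Function names are hypothetical.
# Assumption: psql is on PATH and PGHOST/PGUSER/PGDATABASE select a superuser login.
PSQL=${PSQL:-psql}

# Build the statement. Single quotes in the pin are doubled so the value stays
# inside the SQL string literal. printf is a shell builtin and sed reads stdin,
# so the pin never appears in another process's argument list.
keystore_sql() {
    escaped=$(printf '%s' "$1" | sed "s/'/''/g")
    printf "SELECT pgx_open_keystore('%s');\n" "$escaped"
}

# Read the pin from stdin into $pin; turn terminal echo off while it is typed.
read_pin() {
    if [ -t 0 ]; then
        printf 'Enter User PIN: ' >&2
        saved=$(stty -g)
        trap 'stty "$saved"' EXIT INT TERM   # restore echo if interrupted
        stty -echo
        IFS= read -r pin || true
        stty "$saved"
        trap - EXIT INT TERM
        printf '\n' >&2
    else
        IFS= read -r pin || true
    fi
    [ -n "$pin" ] || { echo 'empty user pin' >&2; return 1; }
}

# Prompt, then feed the statement to psql on stdin (no -c, so nothing in argv).
# -X skips ~/.psqlrc, -q suppresses chatter, ON_ERROR_STOP makes failure visible.
open_keystore() {
    read_pin || return 1
    if keystore_sql "$pin" | "$PSQL" -X -q -v ON_ERROR_STOP=1; then
        rc=0
    else
        rc=1
    fi
    unset pin escaped
    return "$rc"
}
```

Source the file and run open_keystore after the instance has started; a non-zero return means the pin was empty or psql reported an error.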

Note that, in the following cases, the user pin must be entered when starting the instance, because the encrypted WAL must be decrypted for recovery. In these cases, the pgx_open_keystore function described above cannot be executed.

For the above cases, specify the --user-pin option in the pg_ctl command when starting the instance. A prompt for the user pin is then displayed, as shown below.

> pg_ctl --user-pin start
Enter User PIN: 
The server is starting
>

Point

When automatic opening of the keystore is enabled, the keystore opens automatically when the database server starts, and you do not need to enter the user pin. Refer to "5.7.4 Enabling Automatic Opening of the Keystore" for details.