Enterprise Postgres 17 SP1 Operation Guide

5.7.5 Backing Up and Recovering the Keystore

Back up the keystore and the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres at the following times, so that both can be restored if either is corrupted or lost. Always back up the two together and label them with the same date: the recovery procedures below restore a keystore and a token directory that were backed up at the same time.

Point

Do not overwrite an old keystore backup when you back up the keystore. During database recovery you must restore the keystore to its state at the time of the database backup, so every database backup needs its own matching keystore backup (and token directory archive). Delete a keystore backup only when the database backup it belongs to is no longer required.

Example

  • Back up the database and the keystore on May 1, 2020.

    > pgx_dmpall -D /database/inst1
    > cp -p /key/store/location/keystore.ks /keybackup/keystore_20200501.ks
    > tar -cf token_directory_fep_20200501.tar /var/lib/opencryptoki/fep

    Specify the following in the pgx_dmpall command:

    • Specify the data storage destination in the -D option. If the -D option is omitted, the value of the PGDATA environment variable is used by default.

    The tar command stores the token directory with the leading "/" removed (the default behavior of GNU tar), so when you restore it, extract with the -C / option or from the root directory to put the files back under /var/lib/opencryptoki. Run both the backup and the restore as a user that can read and write the token directory (normally root) so that the ownership and permissions of the token files are preserved.

  • Change the master encryption key, and back up the keystore on May 5, 2020.

    > psql -c "SELECT pgx_set_master_key('user pin')" postgres
    > cp -p /key/store/location/keystore.ks /keybackup/keystore_20200505.ks
    > tar -cf token_directory_fep_20200505.tar /var/lib/opencryptoki/fep

    Specify the following in the psql command:

    • Specify the SQL function that sets the master encryption key in the -c option.

    • Specify the name of the database to be connected to as the argument.

If the keystore is corrupted or lost, restore the keystore that contains the latest master encryption key together with the entire opencryptoki token directory of the slot allocated to Fujitsu Enterprise Postgres, taking both from the same backup.

If there is no backup of the keystore containing the latest master encryption key, restore the keystore and the token directory to their state at the time of the database backup, and then recover the database from that database backup. The recovered database then matches the restored keystore, so the keystore is once again the latest one for that database.

Example

  • Restore the keystore containing the latest master encryption key as of May 5, 2020.

    > cp -p /keybackup/keystore_20200505.ks /key/store/location/keystore.ks
    > tar -xf token_directory_fep_20200505.tar -C /

  • If there is no backup of the keystore containing the latest master encryption key, recover the keystore by restoring the keystore that was backed up along with the database on May 1, 2020, and then recover the database from that backup.

    > cp -p /keybackup/keystore_20200501.ks /key/store/location/keystore.ks
    > tar -xf token_directory_fep_20200501.tar -C /
    > pgx_rcvall -B /backup/inst1 -D /database/inst1 --user-pin

    Specify the following in the pgx_rcvall command:

    • Specify the data storage directory in the -D option. If the -D option is omitted, the value of the PGDATA environment variable is used by default.

    • Specify the backup data storage directory in the -B option.

    • The --user-pin option prompts you to enter the user PIN that opens the keystore.
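
The backup and recovery steps above, written out as a small POSIX shell helper. This is an added example and is not part of the Fujitsu Enterprise Postgres manual or product: it enforces the rule that an existing keystore backup is never overwritten, keeps the keystore copy and the token directory archive paired under one date tag, archives the token directory so that it restores to the same absolute path from any working directory, and verifies checksums before anything is restored. The backup directory /keybackup, the tag format and the file names are assumptions; pgx_dmpall and pgx_rcvall are still run separately exactly as shown in the examples.

```shell
#!/bin/sh
# Added example, not code from the Fujitsu Enterprise Postgres manual or product.
# Backs up and restores the keystore file and the opencryptoki token directory
# as a pair under one date tag, never overwriting an earlier backup, and
# verifies checksums before a restore. Needs only POSIX sh, cp, tar and
# sha256sum. All paths and the tag format are assumptions.
set -u

# keystore_backup <keystore.ks> <token_dir> <backup_dir> <tag>
# Copies the keystore and archives the token directory into <backup_dir>,
# both named after <tag> (for example 20200501, the date of the database backup).
keystore_backup() {
    ks=$1; tokdir=$2; bkdir=$3; tag=$4
    ks_copy="$bkdir/keystore_$tag.ks"
    tok_tar="$bkdir/token_directory_fep_$tag.tar"
    # Never overwrite: an older keystore backup may be the only one that
    # matches an older database backup.
    for f in "$ks_copy" "$tok_tar"; do
        if [ -e "$f" ]; then
            echo "refusing to overwrite existing backup: $f" >&2
            return 1
        fi
    done
    mkdir -p "$bkdir" || return 1
    cp -p "$ks" "$ks_copy" || return 1
    # Archive relative to the token directory's parent, so the archive can be
    # put back at the same absolute path with -C <parent> from any cwd.
    tar -cf "$tok_tar" -C "$(dirname "$tokdir")" "$(basename "$tokdir")" || return 1
    # Checksums let a restore detect a corrupted or truncated backup.
    (cd "$bkdir" && sha256sum "$(basename "$ks_copy")" "$(basename "$tok_tar")" \
        > "keystore_$tag.sha256") || return 1
}

# keystore_latest_tag <backup_dir>
# Prints the newest tag present (YYYYMMDD tags sort correctly as text).
keystore_latest_tag() {
    ls "$1"/keystore_*.ks 2>/dev/null | sed 's/.*keystore_\(.*\)\.ks$/\1/' | sort | tail -n 1
}

# keystore_restore <backup_dir> <tag> <keystore.ks> <token_dir>
# Restores the keystore and token directory saved under <tag>. Use the latest
# tag normally; use the tag of a database backup when the latest keystore is
# gone and the database will be recovered with pgx_rcvall from that backup.
keystore_restore() {
    bkdir=$1; tag=$2; ks=$3; tokdir=$4
    (cd "$bkdir" && sha256sum -c "keystore_$tag.sha256" >/dev/null) || {
        echo "backup $tag failed integrity check, nothing restored" >&2
        return 1
    }
    cp -p "$bkdir/keystore_$tag.ks" "$ks" || return 1
    # Replace the token directory wholesale so no stale token object survives.
    rm -rf "$tokdir" || return 1
    mkdir -p "$(dirname "$tokdir")" || return 1
    tar -xf "$bkdir/token_directory_fep_$tag.tar" -C "$(dirname "$tokdir")" || return 1
}

# Usage mirroring the manual's scenario (run as a user that owns the token
# directory, normally root, so ownership and permissions are preserved):
#   pgx_dmpall -D /database/inst1 && \
#     keystore_backup /key/store/location/keystore.ks /var/lib/opencryptoki/fep /keybackup 20200501
#   keystore_restore /keybackup "$(keystore_latest_tag /keybackup)" \
#     /key/store/location/keystore.ks /var/lib/opencryptoki/fep
```

When the latest keystore backup is missing, pass the tag of the database backup to keystore_restore and then run pgx_rcvall with --user-pin against that same backup, as in the second recovery example.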

See

Refer to "pgx_rcvall" and "pgx_dmpall" in the Reference for information on the pgx_rcvall and pgx_dmpall commands.

Refer to "psql" under "Reference" in the PostgreSQL Documentation for information on the psql command.

Refer to "B.2 Transparent Data Encryption Control Functions" for information on the pgx_set_master_key function.

Refer to "5.7.4 Enabling Automatic Opening of the Keystore" for information on how to enable automatic opening of the keystore.