To create encrypted tablespaces and access the encrypted data, you must first open the keystore. When you open the keystore, the master encryption key is loaded into the database server memory and becomes usable for encryption and decryption.
You need to open the keystore each time you start the instance. To open it, execute the following SQL function as the database superuser.
SELECT pgx_open_keystore('passphrase');
The value "passphrase" is the passphrase specified during creation of the keystore.
Refer to "B.2 Transparent Data Encryption Control Functions" for information on the pgx_open_keystore function.
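The following is an added example (not from this manual) of opening the keystore from a script after the instance is up: the passphrase is read with terminal echo off and sent to psql on stdin, so it never appears on a command line, in shell history or in process listings. It assumes psql is on the PATH and the caller connects as the database superuser.

```shell
#!/bin/sh
# Added example, not from the Fujitsu Enterprise Postgres manual: call
# pgx_open_keystore without placing the passphrase on any command line.
# Assumes psql is on PATH and the connecting role is the database superuser.

# Build the SQL statement. Single quotes in the passphrase are doubled so
# the passphrase is always a valid SQL string literal.
open_keystore_sql() {
    esc=$(printf '%s\n' "$1" | sed "s/'/''/g")
    printf "SELECT pgx_open_keystore('%s');\n" "$esc"
}

# Prompt with echo off and pipe the statement to psql on stdin.
# Note: the statement text still reaches the server, so a log_statement
# setting that logs all statements would record the passphrase.
open_keystore() {
    db=${1:-postgres}
    printf 'Enter the keystore passphrase: ' >&2
    stty -echo 2>/dev/null
    read -r passphrase
    stty echo 2>/dev/null
    printf '\n' >&2
    open_keystore_sql "$passphrase" | psql -X -q -v ON_ERROR_STOP=1 -d "$db"
    rc=$?
    unset passphrase
    return "$rc"
}
```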
Note that, in the following cases, the passphrase must be entered when starting the instance, because the encrypted WAL must be decrypted for recovery. In these cases, the pgx_open_keystore function described above cannot be used.
If performing crash recovery at the time of starting the instance
If performing recovery using continuous archiving
For the above cases, select one of the following methods:
Use an automatically opening keystore
Select this method if ease of operation has priority over enhanced security. When using an automatically opening keystore, the content of the keystore file is decrypted and a copy of the keystore file is generated. Although the content of this copy is obfuscated, the level of security is slightly weaker than when the passphrase is entered at each start.
Select this method if performing operations using WebAdmin.
Enter a passphrase when starting an instance
Select this method if enhanced security has priority over ease of operation.
Specify the --keystore-passphrase option in the pg_ctl command and start the instance. A prompt asking for the passphrase is displayed.
> pg_ctl --keystore-passphrase start
Enter the passphrase:
The server is currently initiating
>
After performing the above operation, use the pg_ctl command to stop the instance.
Then start the instance in Windows services. Refer to "2.1.2 Using Commands" for information on how to start an instance in Windows services.
Point
When using an automatically opening keystore, you do not need to enter the passphrase and you can automatically open the keystore when the database server starts. Refer to "5.6.3 Enabling Automatic Opening of the Keystore" for details.