To use transparent data encryption, you must create a keystore and set the master encryption key.
In the keystore_location parameter of postgresql.conf, specify the directory to store the keystore.
Specify a different location for each database cluster, and do not use any of the following directories as the keystore storage destination:
- Data storage destination
- Tablespace storage destination
- Transaction log storage destination
- Backup data storage destination
keystore_location = '/key/store/location'
Refer to "Appendix A Parameters" for information on postgresql.conf.
After editing the postgresql.conf file, either start or restart the instance.
Using WebAdmin
Refer to "2.1.1 Using WebAdmin", and restart the instance.
Using the pg_ctl command
Specify the following in the pg_ctl command:
- Specify "restart" as the mode.
- Specify the data storage destination directory in the -D option. If the -D option is omitted, the value of the PGDATA environment variable is used by default.
- Specify the -w option, so that the command returns only after the instance has started. If the -w option is not specified, it may not be possible to determine whether the instance started successfully or failed.
> pg_ctl restart -w -D /database/inst1
Execute an SQL function, such as the one below, to set the master encryption key. This must be performed as the database superuser.
SELECT pgx_set_master_key('passphrase');
The value "passphrase" is the passphrase that will be used to open the keystore. The master encryption key is protected by this passphrase, so avoid specifying a short simple string that is easy to guess.
Refer to "B.2 Transparent Data Encryption Control Functions" for information on the pgx_set_master_key function.
Note
If you forget the passphrase, you will not be able to access the encrypted data. There is no way to recover a forgotten passphrase or to decrypt the data without it. Do not, under any circumstances, forget the passphrase.
The pgx_set_master_key function creates a file with the name keystore.ks in the keystore storage destination. It also creates a master encryption key from random bit strings, encrypts it with the specified passphrase, and stores it in keystore.ks. At this point, the keystore is open.
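The following script is an added example for the procedure above; it is not part of this manual or of the product. It checks, offline and against a constructed postgresql.conf, that keystore_location is set and is not the data, tablespace, transaction log or backup directory (or nested inside one of them), and that the passphrase is not a short simple string (the 16-character, three-character-class threshold is an assumption of this example). The actual steps (append the setting, pg_ctl restart -w -D, pgx_set_master_key) are only executed when TDE_APPLY=1 is set, and the passphrase is read from standard input rather than placed on the command line, where it would be visible in the process list and shell history.

```shell
#!/bin/sh
# Added example (not from the manual): pre-flight checks for the keystore
# location and passphrase, plus the manual's steps guarded by TDE_APPLY=1.

# read_keystore_location CONF -> prints the active keystore_location value
# (commented-out lines are ignored; the last uncommented setting wins, as
# in PostgreSQL itself).
read_keystore_location() {
    sed -n "s/^[[:space:]]*keystore_location[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# is_inside PATH BASE -> 0 if PATH equals BASE or lies underneath it.
# "/database/inst10" is NOT inside "/database/inst1" (path components, not prefixes).
is_inside() {
    base=${2%/}
    case "${1%/}" in
        "$base"|"$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_keystore_location KEYSTORE_DIR DIR... -> 0 if the keystore directory
# is neither one of the listed directories nor nested inside one of them.
check_keystore_location() {
    ks=$1; shift
    rc=0
    for d in "$@"; do
        if is_inside "$ks" "$d"; then
            echo "keystore_location '$ks' must not be inside '$d'" >&2
            rc=1
        fi
    done
    return $rc
}

# check_passphrase STRING -> 0 if at least 16 characters (assumed threshold)
# and drawn from at least three of: lower, upper, digit, other.
check_passphrase() {
    p=$1
    [ "${#p}" -ge 16 ] || return 1
    classes=0
    printf '%s' "$p" | grep -q '[a-z]' && classes=$((classes + 1))
    printf '%s' "$p" | grep -q '[A-Z]' && classes=$((classes + 1))
    printf '%s' "$p" | grep -q '[0-9]' && classes=$((classes + 1))
    printf '%s' "$p" | grep -q '[^A-Za-z0-9]' && classes=$((classes + 1))
    [ "$classes" -ge 3 ]
}

# setup_tde PGDATA KEYSTORE_DIR -> the manual's steps. The passphrase is read
# from stdin and single quotes are doubled so it is a valid SQL literal.
setup_tde() {
    pgdata=$1; ksdir=$2
    mkdir -p "$ksdir" && chmod 700 "$ksdir"          # readable by the server OS user only
    printf "keystore_location = '%s'\n" "$ksdir" >> "$pgdata/postgresql.conf"
    pg_ctl restart -w -D "$pgdata"
    IFS= read -r passphrase
    escaped=$(printf '%s' "$passphrase" | sed "s/'/''/g")
    psql -X -v ON_ERROR_STOP=1 -d postgres <<SQL
SELECT pgx_set_master_key('$escaped');
SQL
}

# --- offline demonstration on a constructed configuration (not a real cluster) ---
tmp=$(mktemp -d)
cat > "$tmp/postgresql.conf" <<'EOF'
#keystore_location = '/old/location'
keystore_location = '/database/inst1/keystore'   # wrong: inside the data directory
EOF
loc=$(read_keystore_location "$tmp/postgresql.conf")
if check_keystore_location "$loc" /database/inst1 /tablespace /pgwal /backup; then
    echo "keystore_location '$loc' is acceptable"
else
    echo "keystore_location '$loc' is rejected"
fi
if check_passphrase 'passphrase'; then echo "passphrase accepted"; else echo "passphrase too weak"; fi
rm -rf "$tmp"

# Only perform the real steps when explicitly requested:
#   printf '%s\n' "$PASSPHRASE" | TDE_APPLY=1 PGDATA=/database/inst1 KEYSTORE_DIR=/key/store/location sh tde_setup.sh
if [ "${TDE_APPLY:-0}" = 1 ]; then
    setup_tde "${PGDATA:?set PGDATA}" "${KEYSTORE_DIR:?set KEYSTORE_DIR}"
fi
```

The checks are the part worth keeping in a deployment pipeline: a keystore placed under the data directory is copied into every base backup alongside the data it protects, and a passphrase that appears in argv is readable by other local users while psql runs.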