To create encrypted tablespaces and access the encrypted data, you must first open the keystore. When you open the keystore, the master encryption key is loaded into the database server memory and becomes usable for encryption and decryption.
You need to open the keystore each time you start the instance. To open the keystore, the database superuser must execute the following SQL function.
SELECT pgx_open_keystore('passphrase');
The value "passphrase" is the passphrase specified during creation of the keystore.
Refer to "B.2 Transparent Data Encryption Control Functions" for information on the pgx_open_keystore function.
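The following is an added example, not part of the original manual: a POSIX shell helper that prompts for the passphrase without echo and sends the pgx_open_keystore statement to psql on standard input, so the passphrase does not appear in shell history or in a process argument list. The function names, the -d postgres target, a superuser connection taken from the PG* environment variables, and standard_conforming_strings = on are assumptions.

```shell
#!/bin/sh
# Added example: open the keystore without exposing the passphrase in
# shell history or in any process's argument list.
# Assumptions: psql connects as a superuser via PG* environment variables,
# and standard_conforming_strings = on (only single quotes need escaping).

# Print the argument as a SQL string literal, doubling embedded quotes.
# printf is a shell builtin, so the value never reaches an external argv.
sql_quote_literal() {
    escaped=$(printf '%s' "$1" | sed "s/'/''/g")
    printf "'%s'" "$escaped"
}

# Print the complete statement for the given passphrase.
build_open_keystore_sql() {
    printf 'SELECT pgx_open_keystore(%s);\n' "$(sql_quote_literal "$1")"
}

# Prompt with terminal echo off, then pipe the statement to psql.
open_keystore() {
    printf 'Enter the passphrase: ' >&2
    trap 'stty echo' EXIT INT TERM   # restore echo if interrupted
    stty -echo
    IFS= read -r passphrase
    stty echo
    trap - EXIT INT TERM
    printf '\n' >&2
    # -X skips psqlrc; ON_ERROR_STOP makes a failed open return non-zero.
    build_open_keystore_sql "$passphrase" |
        psql -X -q -v ON_ERROR_STOP=1 -d postgres
    status=$?
    unset passphrase
    return "$status"
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--open" ]; then
    open_keystore
fi
```

Invoke the script with --open after the instance has started.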
Note that, in the following cases, the passphrase must be entered when starting the instance, because the encrypted WAL must be decrypted for recovery. In these cases, the above-mentioned pgx_open_keystore function cannot be executed.
- If performing crash recovery at the time of starting the instance
- If performing recovery using continuous archiving
For the above cases, specify the --keystore-passphrase option in the pg_ctl command, and then start the instance. This will display the prompt for the passphrase to be entered, as shown below.
> pg_ctl --keystore-passphrase start
Enter the passphrase:
The server is starting
>
Point
When using an automatically opening keystore, the keystore opens automatically when the database server starts, so you do not need to enter the passphrase. Refer to "5.6.3 Enabling Automatic Opening of the Keystore" for details.