Error using KMIP key provider

fborden · March 24, 2025, 3:48pm

Hello all,

I am trying to setup PG_TDE with KMIP. For this I ran this query:

SELECT pg_tde_add_key_provider_kmip(‘kmip’, ‘10.0.0.59’, 5696, ‘/home/postgres/okvssl/CA.pem’, ‘/home/postgres/okvssl/priv.pem’);

This returns one row and also I see that in
$ strings pg_tde_16481_keyring
kmip
{“type” : “kmip”, “host” : “10.0.0.59”, “port” : 5696, “caPath” : “/home/postgres/okvssl/CA.pem”, “certPath” : “/home/postgres/okvssl/priv.pem”}

Next when I try to set the key I get an error:

dvdrental=# SELECT pg_tde_set_principal_key(‘postgresKey’,‘kmip’);
ERROR: KMIP server reported error on register symmetric key: -1

How can I debug what caused this error -1

Shahid_Ullah · March 25, 2025, 5:54pm

Hello!
Currently pg_tde have following limitation that it accepts combine client key & client certificate. See the following note.

pg_tde_add_key_provider_kmip currently accepts only a combined client key + client certificate for the last parameter of this function named as `client key`

KMIP server and client machine should have same set of certificates
Also make sure that certificates are not expired and having proper permissions.

Topic		Replies	Views
Creating master key with pg_tde and vault PG_TDE – Transparent Data Encryption (TDE)	2	373	May 29, 2024
Pg_tde extension in kubernetes with postgres operator Percona Operator for PostgreSQL	6	75	March 21, 2025
Help with TDE setup in Percona MySQL 8 pxc cluster Percona XtraDB Cluster 8.x	3	45	August 7, 2024
Enabling encryption for whole database? PG_TDE – Transparent Data Encryption (TDE)	1	448	February 28, 2024
How to change token of harshicop vault PG_TDE – Transparent Data Encryption (TDE)	8	105	October 25, 2024

Error using KMIP key provider

Related topics