Hi, in pg_tde, is it possible to set up eviction so keys are evicted from memory after a certain amount of time (or maybe inactivity or no connections) and are required to be reloaded to use that db again? Or even to not cache keys at all, so every query requires the key to be sent?
My use case is I need a different db with a different key per tenant, but if a tenant revokes their key from the application, the db for that tenant should be unusable. The problem is the db remains ‘unlocked’ until restart, so tenant data is still accessible, even if they revoke their key in my application.
Additionally, is it possible to not use a KMS vault or a local file, and instead unlock dbs using an SQL admin function over a db connection? Or even a key in the connection string? I figure I can revoke the key from the vault in my application, but it would be a little easier if I could just unlock dbs from my application directly with the key, so I don’t need to use a vault at all (I get each tenant’s key from another service).
Thanks.