Percona PostgreSQL 17 pg_tde configuration and setup

I want to taste pg_tde and need help configuring the global and master keys. I will implement proper key management later.

Hi @Johnathan,
For testing purposes, you can use a keyring.

Thank you very much.

Do we need different encryption keys for WAL files and different keys for databases?

Hi Johna,

For testing, you don’t need to manually create separate encryption keys for each WAL file or each database.

For WAL encryption, you can either use the server’s default principal key, or configure a dedicated server/principal key specifically for WAL. If WAL encryption is enabled, it applies globally to WAL writes for the PostgreSQL cluster, not per database.

So for initial testing with keyring, a simple setup is:

  1. configure the global key provider

  2. create/set a default principal key

  3. optionally enable WAL encryption

Later, when you implement proper KMS/key management, you can move to a production-grade key provider and define whether you need separate keys per database or a dedicated WAL key based on your security requirements.

You can follow the document: 4. Configure WAL encryption - Percona Transparent Data Encryption for PostgreSQL
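The three steps from the reply above, as an added example for a test cluster (not part of the original thread and not taken from Percona's documentation). It assumes `pg_tde` is already listed in `shared_preload_libraries` and that the function names match the pg_tde 1.0-series API; they have changed between releases, so check them against the installed version. The provider name, key name, keyring path and table are constructed placeholders.

```sql
-- Run as a superuser in psql. All names and the path below are placeholders.
CREATE EXTENSION IF NOT EXISTS pg_tde;

-- Step 1: register a global (cluster-wide) key provider backed by a local
-- keyring file. The file holds key material in the clear, so it is for
-- testing only; keep it outside the data directory, owned by postgres, 0600.
SELECT pg_tde_add_global_key_provider_file(
    'test-file-vault',                      -- provider name (placeholder)
    '/var/lib/pgsql/keyring/pg_tde.keyring' -- keyring path (placeholder)
);

-- Step 2: create a principal key in that provider and make it the default
-- for every database that has no key of its own.
SELECT pg_tde_create_key_using_global_key_provider(
    'test-default-key', 'test-file-vault');
SELECT pg_tde_set_default_key_using_global_key_provider(
    'test-default-key', 'test-file-vault');

-- Step 3 (optional): WAL encryption. It is cluster-wide, uses the server
-- key, and only takes effect after a restart.
SELECT pg_tde_set_server_key_using_global_key_provider(
    'test-default-key', 'test-file-vault');
ALTER SYSTEM SET pg_tde.wal_encrypt = on;
-- then restart PostgreSQL, e.g. with: pg_ctl restart -D "$PGDATA"

-- Check: only tables created with the tde_heap access method are encrypted.
CREATE TABLE tde_smoke_test (id int, secret text) USING tde_heap;
SELECT pg_tde_is_encrypted('tde_smoke_test');  -- expect true
SHOW pg_tde.wal_encrypt;                       -- expect on after the restart
```

Tables created with the default `heap` access method stay unencrypted, so confirm each sensitive table with `pg_tde_is_encrypted` rather than assuming the key setup covers it.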