KMIP configuration
To use a Key Management Interoperability Protocol (KMIP) server with pg_tde, you must configure it as a global key provider. This setup enables pg_tde to securely fetch and manage encryption keys from a centralized key management appliance.
Important
When using HashiCorp Vault as a KMIP server, this configuration is not a validated deployment model for pg_tde and is not recommended for production use.
For Vault-based key management, use the KV v2 integration instead.
Note
You need the root certificate of the KMIP server and a client key/certificate pair with permissions to create and read keys on the server.
For testing purposes, you can use a lightweight PyKMIP server, which enables easy certificate generation and basic KMIP behavior. If you’re using a production-grade KMIP server, ensure you obtain valid, trusted certificates from the key management appliance.
Example usage
SELECT pg_tde_add_global_key_provider_kmip(
    'provider-name',
    'kmip-IP',
    port,
    '/path_to/server_certificate.pem',
    '/path_to/client_cert.pem',
    '/path_to/client_key.pem'
);
Parameter descriptions
provider-name is the name of the provider. You can specify any name; it is only used by you to identify the provider.
kmip-IP is the IP address or domain name of the KMIP server.
port is the port used to communicate with the KMIP server. The typically used port is 5696.
server_certificate is the path to the root certificate file of the KMIP server.
client_cert is the path to the client certificate.
client_key is the path to the client key.
The following example is for testing purposes only.
SELECT pg_tde_add_global_key_provider_kmip(
    'kmip',
    '127.0.0.1',
    5696,
    '/tmp/server_certificate.pem',
    '/tmp/client_cert_jane_doe.pem',
    '/tmp/client_key_jane_doe.pem'
);
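Before running the SQL above, it is worth confirming that the three files contain what pg_tde expects and that the KMIP server actually accepts them over TLS; a typo in a path or a key that does not belong to the client certificate only surfaces later, when pg_tde tries to fetch a key. The following POSIX shell script is an added example and is not part of pg_tde or the Percona documentation. It assumes the credential files live at the paths you pass in and that openssl is installed for the optional live handshake. It performs static checks (readable PEM files of the right type, a sane port, a client key that is not readable by other users) and, when openssl is present, opens a mutual-TLS connection to the server with the same root certificate and client pair you would hand to pg_tde_add_global_key_provider_kmip.

```shell
#!/bin/sh
# Pre-flight check for the arguments of pg_tde_add_global_key_provider_kmip().
# Added example, not part of pg_tde. Assumes: the PEM files are local paths,
# and openssl is available if you want the live TLS handshake.

# Return 0 if FILE is readable and contains a PEM block whose type ends in TYPE,
# e.g. "CERTIFICATE" or "PRIVATE KEY" (also matches "RSA PRIVATE KEY", "EC PRIVATE KEY").
pem_has_block() {
    file=$1
    type=$2
    [ -r "$file" ] || return 1
    grep -q -- "-----BEGIN .*${type}-----" "$file" 2>/dev/null
}

# Return 0 if PORT is an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if the file is not readable by group or others (the client key
# authenticates this database server to the KMIP appliance, so keep it private).
key_not_shared() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Static checks only: no network access. Arguments mirror the SQL function:
#   host port server_certificate client_cert client_key
kmip_preflight() {
    host=$1; port=$2; ca=$3; cert=$4; key=$5
    rc=0
    valid_port "$port"                 || { echo "port '$port' is not in 1-65535" >&2; rc=1; }
    pem_has_block "$ca" CERTIFICATE    || { echo "$ca: no CERTIFICATE block (server root cert expected)" >&2; rc=1; }
    pem_has_block "$cert" CERTIFICATE  || { echo "$cert: no CERTIFICATE block (client cert expected)" >&2; rc=1; }
    pem_has_block "$key" "PRIVATE KEY" || { echo "$key: no PRIVATE KEY block (client key expected)" >&2; rc=1; }
    key_not_shared "$key"              || echo "warning: $key is readable by group/others" >&2
    return $rc
}

# Live check: mutual-TLS handshake against the KMIP port using the same files.
# -verify_return_error makes s_client exit non-zero when the server chain does
# not validate against the supplied root; </dev/null ends the session right
# after the handshake. Returns 2 if openssl is not installed.
kmip_tls_check() {
    host=$1; port=$2; ca=$3; cert=$4; key=$5
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping live handshake" >&2; return 2; }
    openssl s_client -connect "${host}:${port}" -CAfile "$ca" -cert "$cert" -key "$key" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh kmip_preflight.sh 127.0.0.1 5696 /tmp/server_certificate.pem \
#            /tmp/client_cert_jane_doe.pem /tmp/client_key_jane_doe.pem
if [ $# -ge 5 ]; then
    kmip_preflight "$@" || exit 1
    kmip_tls_check "$@"
    case $? in
        0) echo "TLS handshake with $1:$2 succeeded; credentials look usable" ;;
        2) echo "static checks passed; install openssl to run the live handshake" ;;
        *) echo "TLS handshake with $1:$2 failed: check that the server cert chains to $3 and that $4/$5 are accepted" >&2; exit 1 ;;
    esac
fi
```

The static checks deliberately run before any network access so that a wrong path or a swapped certificate/key argument is reported in plain language rather than as a generic handshake failure. If the handshake step fails against a PyKMIP test server, the usual causes are a server certificate that was not issued by the root you supplied or a client certificate the server was not configured to trust.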
For more information on related functions, see the link below:
Percona pg_tde Function Reference