postgres/contrib/pg_tde/documentation/docs/global-key-provider-configu.../set-principal-key.md

# Global Principal Key configuration

You can configure a default principal key using a global key provider. This key is used by all databases that do not have their own encryption keys configured.

There are two main functions for this:

- [pg_tde_create_key_using_global_key_provider()](../functions.md#pg_tde_create_key_using_global_key_provider) creates a principal key at a global key provider
- [pg_tde_set_default_key_using_global_key_provider()](../functions.md#pg_tde_set_default_key_using_global_key_provider) sets the default principal key and rotates the internal encryption key if one is already configured

## Create a default principal key

!!! note

    The sample output below is for demonstration purposes only. Be sure to replace the key name and provider with your actual values.

To create a global principal key, run:

```sql
SELECT pg_tde_create_key_using_global_key_provider(
    'key-name',
    'global_vault_provider'
);
```

??? example "Sample output"
    ```sql
        postgres=# SELECT pg_tde_create_key_using_global_key_provider(
            'keytest1',
            'file-keyring'
        );
        pg_tde_create_key_using_global_key_provider
        ---------------------------------------------

        (1 row)
    ```

## Configure a default principal key

To configure a global principal key, run:

```sql
SELECT pg_tde_set_default_key_using_global_key_provider(
    'key-name',
    'global_vault_provider'
);
```

??? example "Sample output"
    ```sql
        postgres=# SELECT pg_tde_set_default_key_using_global_key_provider(
            'keytest1',
            'file-keyring'
        );
        pg_tde_set_default_key_using_global_key_provider 
        --------------------------------------------------

        (1 row)
    ```

## Parameter description

* `key-name` is the name under which the principal key is stored in the provider.
* `global_vault_provider` is the name of the global key provider you previously configured.

!!! note

    If no error is reported, the action completed successfully.

## How key generation works

The key material (actual cryptographic key) is auto-generated by `pg_tde` and stored securely by the configured provider.

!!! note

    This process sets the **default principal key for the entire server**. Any database without a key explicitly configured will fall back to this key.

## Next steps

To confirm that encryption is working as expected, follow the validation steps:

[Validate Encryption with pg_tde :material-arrow-right:](../test.md){.md-button}
Reorganize toc / overview chapter / update topic headings (#468) Reorganized how the ToC website interaction is done by renaming index.md from CLI, architecture, advanced topics, KMS and Overview (index folder). This meant updating links in multiple other files as index files needed to be renamed for the structure to work. Reorganized how Overview is displayed, removed RC2 mention in Limitations, removed important note as it is no longer needed since it was an RC2 mention. Reworded the button texts for better interaction and user expectation in the Overview chapter topics. Added a short intro for Benefits of pg_tde topic, rewrote admonition. Updated KMS titles to reflect Percona Style Guide. 2 months ago			`# Global Principal Key configuration`
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago
Add WAL content for 2.0 release (#499) - remove (tech preview) - remove mentions of WAL being BETA and warning notes - add WAL tool support to limitations, improve flow, add button to setup - add limitation regarding WAL shipping standy not supported with WAL encryption - add mention of open source and enterprise ed being supported for pg_tde - add none method to basebackup and link to topic - add Example Patroni configuration for Patroni tool - improve supported vs unsupported tools section in Limitations 3 weeks ago			`You can configure a default principal key using a global key provider. This key is used by all databases that do not have their own encryption keys configured.`

			`There are two main functions for this:`

			`- [pg_tde_create_key_using_global_key_provider()](../functions.md#pg_tde_create_key_using_global_key_provider) creates a principal key at a global key provider`
			`- [pg_tde_set_default_key_using_global_key_provider()](../functions.md#pg_tde_set_default_key_using_global_key_provider) sets the default principal key and rotates the internal encryption key if one is already configured`
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago
			`## Create a default principal key`

PG-1656 Add sample outputs for Global Principal Key Configuration commands (#474) 2 months ago			`!!! note`
Add WAL content for 2.0 release (#499) - remove (tech preview) - remove mentions of WAL being BETA and warning notes - add WAL tool support to limitations, improve flow, add button to setup - add limitation regarding WAL shipping standy not supported with WAL encryption - add mention of open source and enterprise ed being supported for pg_tde - add none method to basebackup and link to topic - add Example Patroni configuration for Patroni tool - improve supported vs unsupported tools section in Limitations 3 weeks ago
PG-1656 Add sample outputs for Global Principal Key Configuration commands (#474) 2 months ago			`The sample output below is for demonstration purposes only. Be sure to replace the key name and provider with your actual values.`

Re-apply set key changes: revert of revert commit (#461) reverted the revert for set key changes for architecture, functions, set principal key and multi-tenant-setup.md 2 months ago			`To create a global principal key, run:`

			```sql
			`SELECT pg_tde_create_key_using_global_key_provider(`
			`'key-name',`
			`'global_vault_provider'`
			`);`
			```

PG-1656 Add sample outputs for Global Principal Key Configuration commands (#474) 2 months ago			`??? example "Sample output"`
			```sql
			`postgres=# SELECT pg_tde_create_key_using_global_key_provider(`
			`'keytest1',`
			`'file-keyring'`
			`);`
			`pg_tde_create_key_using_global_key_provider`
			`---------------------------------------------`

			`(1 row)`
			```

Re-apply set key changes: revert of revert commit (#461) reverted the revert for set key changes for architecture, functions, set principal key and multi-tenant-setup.md 2 months ago			`## Configure a default principal key`

Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago			`To configure a global principal key, run:`
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago
			```sql
DOCS-KMIP-updates (#337) initial commit, fixes to code presentation - Updates to kmip with fixes to how we present code (website looks better now!) - Updates set-principal-key with similar fixes - Updated keyring.md with similar fixes And updated functions for two parameters with updates from 1506 4 months ago			`SELECT pg_tde_set_default_key_using_global_key_provider(`
Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago			`'key-name',`
Re-apply set key changes: revert of revert commit (#461) reverted the revert for set key changes for architecture, functions, set principal key and multi-tenant-setup.md 2 months ago			`'global_vault_provider'`
DOCS-KMIP-updates (#337) initial commit, fixes to code presentation - Updates to kmip with fixes to how we present code (website looks better now!) - Updates set-principal-key with similar fixes - Updated keyring.md with similar fixes And updated functions for two parameters with updates from 1506 4 months ago			`);`
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago			```

PG-1656 Add sample outputs for Global Principal Key Configuration commands (#474) 2 months ago			`??? example "Sample output"`
			```sql
			`postgres=# SELECT pg_tde_set_default_key_using_global_key_provider(`
			`'keytest1',`
			`'file-keyring'`
			`);`
			`pg_tde_set_default_key_using_global_key_provider`
			`--------------------------------------------------`

			`(1 row)`
			```

Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago			`## Parameter description`

Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago			* `key-name` is the name under which the principal key is stored in the provider.
			* `global_vault_provider` is the name of the global key provider you previously configured.

PG-1656 Add sample outputs for Global Principal Key Configuration commands (#474) 2 months ago			`!!! note`
Add WAL content for 2.0 release (#499) - remove (tech preview) - remove mentions of WAL being BETA and warning notes - add WAL tool support to limitations, improve flow, add button to setup - add limitation regarding WAL shipping standy not supported with WAL encryption - add mention of open source and enterprise ed being supported for pg_tde - add none method to basebackup and link to topic - add Example Patroni configuration for Patroni tool - improve supported vs unsupported tools section in Limitations 3 weeks ago
PG-1656 Add sample outputs for Global Principal Key Configuration commands (#474) 2 months ago			`If no error is reported, the action completed successfully.`

Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago			`## How key generation works`

Re-apply set key changes: revert of revert commit (#461) reverted the revert for set key changes for architecture, functions, set principal key and multi-tenant-setup.md 2 months ago			The key material (actual cryptographic key) is auto-generated by `pg_tde` and stored securely by the configured provider.
Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago
			`!!! note`
Add WAL content for 2.0 release (#499) - remove (tech preview) - remove mentions of WAL being BETA and warning notes - add WAL tool support to limitations, improve flow, add button to setup - add limitation regarding WAL shipping standy not supported with WAL encryption - add mention of open source and enterprise ed being supported for pg_tde - add none method to basebackup and link to topic - add Example Patroni configuration for Patroni tool - improve supported vs unsupported tools section in Limitations 3 weeks ago
Updated principal-key/features/functions.md based on AA feedback (#441) In set-principal-key.md: * updated with correct code example using set_server_key_using_global parameter * updated note to reflect correct config In features.md: * Removed temporary tables feature to clear confusion, removed logical replication mention, removed WAL encryption as a feature. In functions.md: * Added ON FUNCTION for grant/revoke execution * Modified sensitive info bolded paragraph to important note * Small modifications to notes display, title cases and text fixes * added note to Add or modify Vault providers for keeping the same principal key. * Added warning for WAL in pg_tde_create_key_using_global_key_provider In general: * Removed all logical replication mentions except the FAQ and in RC2 release note. 3 months ago			`This process sets the default principal key for the entire server. Any database without a key explicitly configured will fall back to this key.`
Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago			`## Next steps`

Add WAL content for 2.0 release (#499) - remove (tech preview) - remove mentions of WAL being BETA and warning notes - add WAL tool support to limitations, improve flow, add button to setup - add limitation regarding WAL shipping standy not supported with WAL encryption - add mention of open source and enterprise ed being supported for pg_tde - add none method to basebackup and link to topic - add Example Patroni configuration for Patroni tool - improve supported vs unsupported tools section in Limitations 3 weeks ago			`To confirm that encryption is working as expected, follow the validation steps:`

Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago			`[Validate Encryption with pg_tde :material-arrow-right:](../test.md){.md-button}`