From fe513b1fd16c89a1f950f4f9f035564d91279078 Mon Sep 17 00:00:00 2001 From: Kai Wagner Date: Wed, 3 Sep 2025 12:09:37 +0200 Subject: [PATCH] Add to FAQ how to rotate internal encryption keys (#573) Adding to the FAQ an answer about "How to rotate the internal keys". This was asked in the forum: https://forums.percona.com/t/how-to-rotate-internal-encryption-keys-in-pg-tde/39261 On top, dropping the duplicated FAQ entry about post-quantum encryption. Signed-off-by: Kai Wagner --- contrib/pg_tde/documentation/docs/faq.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/faq.md b/contrib/pg_tde/documentation/docs/faq.md index 9e9c88f181a..643b247e65c 100644 --- a/contrib/pg_tde/documentation/docs/faq.md +++ b/contrib/pg_tde/documentation/docs/faq.md @@ -167,6 +167,8 @@ To restore from an encrypted backup, you must have the same principal encryption Yes. `pg_tde` works with the FIPS-compliant version of OpenSSL, whether it is provided by your operating system or if you use your own OpenSSL libraries. If you use your own libraries, make sure they are FIPS certified. -## Is post-quantum encryption supported? +## How to rotate internal encryption keys in pg_tde? + +We don't have a dedicated function to rotate internal keys, because a key is effectively rotated any time a table's data file is completely rewritten. Operations like `VACUUM FULL`, `TRUNCATE`, or some but not all `ALTER TABLE` commands automatically generate a new internal key. -No. Post-quantum encryption is not currently supported. +If you're concerned about internal keys being leaked, the best way to address it is by vacuuming the database. This operation rewrites the table's data and, in the process, creates a new internal key.
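Review bot: The second added paragraph ("the best way to address it is by vacuuming the database") contradicts the first and will mislead readers: a plain `VACUUM` does not rewrite the table's data file, so it does not produce a new internal key; only `VACUUM FULL` (or `CLUSTER`) does. Suggest "the best way to address it is to run `VACUUM FULL` on the affected tables", and make the same precision edit to "This operation rewrites the table's data". While here, "some but not all `ALTER TABLE` commands" is vague; say that only the forms that force a full table rewrite (for example a column type change that cannot be done in place) generate a new key, so users don't assume any `ALTER TABLE` suffices. Consider also adding one caveat the paragraph implies but does not state: a rewrite only re-keys the live data file, so copies of the old file in backups remain encrypted under the old key, and a leaked key still decrypts those. Minor style point: the other headings in this FAQ are full questions ("Is post-quantum encryption supported?"), so "How to rotate internal encryption keys in pg_tde?" should read "How do I rotate internal encryption keys in pg_tde?".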