PG-1244 Added a limitation about KMS configuration update (#373)

* PG-1244 Added a limitation about KMS configuration update
percona · Dec 26, 2024 · ba8c576 · ba8c576
1 parent 6923256
commit ba8c576
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/documentation/docs/index.md b/documentation/docs/index.md
@@ -26,8 +26,13 @@ Lear more [what is Transparent Data Encryption](tde.md#how-does-it-work) and [wh
 
 * Keys in the local keyfile are stored unencrypted. For better security we recommend using the Key management storage. 
 * System tables are currently not encrypted.
+* Currently you cannot update the configuration of an existing Key Management Store (KMS). If its configuration changes (e.g. your Vault server has a new URL), you must set up a new key provider in `pg_tde` and create new keys there. Both the KMS and PostgreSQL servers must be up and running during these changes. [Reach out to our experts](https://www.percona.com/about/contact) for assistance and to outline the best update path for you.
+
+   We plan to introduce the way to update the configuration of an existing KMS in future releases. 
+
 * `pg_rewind` doesn't work with encrypted WAL for now. We plan to fix it in future releases.
 
+
 <i warning>:material-alert: Warning:</i> Note that introducing encryption/decryption affects performance. Our benchmark tests show less than 10% performance overhead for most situations. However, in some specific applications such as those using JSONB operations, performance degradation might be higher.
 
 ## Versions and supported PostgreSQL deployments