pg_keytool — derive cluster encryption key and/or send it to the PostgreSQL server
pg_keytool [option...]
pg_keytool reads a password from standard input, runs the key derivation function (KDF) on it in order to derive the key and finally writes the key to standard output.
The common use case is that pg_keytool is used
with the -K option of initdb or
pg_ctl (see the examples in
Chapter 31) and in
the encryption_key_command configuration variable.
-D directory
Specifies the directory where the database cluster is stored. In
particular, pg_keytool reads
the global/kdf_params file from here (see
kdf_params file), as well
as global/pg_control.
If this option is not passed, pg_keytool
tries to get the data directory from the PGDATA
environment variable.