From 8f5fe48323fc0bca101fa8dda1d554820fc9da70 Mon Sep 17 00:00:00 2001
From: Andrew Pogrebnoy
Date: Fri, 12 Jul 2024 19:56:48 +0300
Subject: [PATCH] Use common keyring and key rotation
---
 pg_tde--1.0.sql | 68 ++++++++++++++++++
 src/catalog/tde_global_catalog.c | 89 +++++++++--------------
 src/catalog/tde_keyring.c | 86 +++++++++++++++--------
 src/catalog/tde_principal_key.c | 54 ++++++++++++--
 src/include/catalog/tde_global_catalog.h | 2 +-
 src/include/catalog/tde_keyring.h | 13 ++--
 src/pg_tde.c | 1 -
 7 files changed, 208 insertions(+), 105 deletions(-)
diff --git a/pg_tde--1.0.sql b/pg_tde--1.0.sql
index 25dda909..e96e8ed9 100644
--- a/pg_tde--1.0.sql
+++ b/pg_tde--1.0.sql
@@ -56,6 +56,59 @@ AS $$ $$ LANGUAGE SQL; +-- Global Tblespace Key Provider Management +CREATE FUNCTION pg_tde_add_global_key_provider_internal(provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON) +RETURNS INT +AS 'MODULE_PATHNAME' +LANGUAGE C; + +CREATE OR REPLACE FUNCTION pg_tde_add_global_key_provider(provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON) +RETURNS INT +AS $$ + SELECT pg_tde_add_global_key_provider_internal(provider_type, provider_name, options); +$$ +LANGUAGE SQL; + +CREATE OR REPLACE FUNCTION pg_tde_add_global_key_provider_file(provider_name VARCHAR(128), file_path TEXT) +RETURNS INT +AS $$ +-- JSON keys in the options must be matched to the keys in +-- load_file_keyring_provider_options function. + + SELECT pg_tde_add_global_key_provider('file', provider_name, + json_object('type' VALUE 'file', 'path' VALUE COALESCE(file_path, ''))); +$$ +LANGUAGE SQL; + +CREATE OR REPLACE FUNCTION pg_tde_add_global_key_provider_file(provider_name VARCHAR(128), file_path JSON) +RETURNS INT +AS $$ +-- JSON keys in the options must be matched to the keys in +-- load_file_keyring_provider_options function. + + SELECT pg_tde_add_global_key_provider('file', provider_name, + json_object('type' VALUE 'file', 'path' VALUE file_path)); +$$ +LANGUAGE SQL; + +CREATE OR REPLACE FUNCTION pg_tde_add_global_key_provider_vault_v2(provider_name VARCHAR(128), + vault_token TEXT, + vault_url TEXT, + vault_mount_path TEXT, + vault_ca_path TEXT) +RETURNS INT +AS $$ +-- JSON keys in the options must be matched to the keys in +-- load_vaultV2_keyring_provider_options function. 
+ SELECT pg_tde_add_global_key_provider('vault-v2', provider_name, + json_object('type' VALUE 'vault-v2', + 'url' VALUE COALESCE(vault_url,''), + 'token' VALUE COALESCE(vault_token,''), + 'mountPath' VALUE COALESCE(vault_mount_path,''), + 'caPath' VALUE COALESCE(vault_ca_path,''))); +$$ +LANGUAGE SQL; + -- Table access method CREATE FUNCTION pg_tdeam_basic_handler(internal) RETURNS table_am_handler @@ -78,6 +131,11 @@ RETURNS boolean AS 'MODULE_PATHNAME' LANGUAGE C; +CREATE FUNCTION pg_tde_rotate_global_key(new_principal_key_name VARCHAR(255) DEFAULT NULL, new_provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT TRUE) +RETURNS boolean +AS 'MODULE_PATHNAME' +LANGUAGE C; + CREATE FUNCTION pg_tde_set_database_key(principal_key_name VARCHAR(255), provider_name VARCHAR(255), ensure_new_key BOOLEAN DEFAULT FALSE) RETURNS boolean AS 'MODULE_PATHNAME' @@ -98,6 +156,16 @@ RETURNS TABLE ( principal_key_name text, AS 'MODULE_PATHNAME' LANGUAGE C; +CREATE FUNCTION pg_tde_global_key_info() +RETURNS TABLE ( principal_key_name text, + key_provider_name text, + key_provider_id integer, + principal_key_internal_name text, + principal_key_version integer, + key_createion_time timestamp with time zone) +AS 'MODULE_PATHNAME' +LANGUAGE C; + CREATE FUNCTION pg_tde_version() RETURNS TEXT AS 'MODULE_PATHNAME' LANGUAGE C; -- Access method diff --git a/src/catalog/tde_global_catalog.c b/src/catalog/tde_global_catalog.c index 7374c1b9..2c2e5ec1 100644 --- a/src/catalog/tde_global_catalog.c +++ b/src/catalog/tde_global_catalog.c @@ -14,6 +14,8 @@ #ifdef PERCONA_FORK +#include "catalog/pg_tablespace_d.h" +#include "nodes/pg_list.h" #include "storage/shmem.h" #include "utils/guc.h" #include "utils/memutils.h" 
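Review bot: None of the new CREATE FUNCTION statements in this hunk is followed by a REVOKE, and the C entry point pg_tde_add_global_key_provider_internal (src/catalog/tde_keyring.c, hunk @@ -509) contains no superuser() check that I can see, so unless an existing REVOKE elsewhere in the script covers these names, every role can register a key provider for the global tablespace; the same applies to pg_tde_rotate_global_key in the @@ -78 hunk. Registering or rotating the provider that protects the global catalog and WAL keys should be restricted at least as tightly as the per-database variants are, e.g. `REVOKE ALL ON FUNCTION pg_tde_add_global_key_provider_internal(VARCHAR, VARCHAR, JSON) FROM PUBLIC;` and the equivalent for the pg_tde_add_global_key_provider* wrappers and pg_tde_rotate_global_key. The comment `-- Global Tblespace Key Provider Management` misspells "Tablespace".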
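Review bot: The output column `key_createion_time` of the new pg_tde_global_key_info() is misspelled, and column names in a RETURNS TABLE signature are SQL-visible API that is awkward to rename once the extension script ships. If the existing pg_tde_database_key_info() above (its column list is cut off in this hunk) uses the same spelling, fix both while the script is still at 1.0; otherwise declare it here as `key_creation_time timestamp with time zone`.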
@@ -28,6 +30,10 @@ #include #define PRINCIPAL_KEY_DEFAULT_NAME "tde-global-catalog-key" +#define KEYRING_DEFAULT_NAME "default_global_tablespace_keyring" + +#define DefaultKeyProvider GetKeyProviderByName(KEYRING_DEFAULT_NAME, \ + GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID) typedef enum { @@ -39,61 +45,24 @@ typedef enum typedef struct EncryptionStateData { - GenericKeyring *keyring; RelKeyData *internal_keys; TDEPrincipalKey principal_key; } EncryptionStateData; static EncryptionStateData * EncryptionState = NULL; -/* GUC */ -static char *KRingProviderType = NULL; -static char *KRingProviderFilePath = NULL; - static void init_gl_catalog_keys(void); -static void init_keyring(void); +static void init_default_keyring(void); static TDEPrincipalKey * create_principal_key(const char *key_name, GenericKeyring * keyring, Oid dbOid, Oid spcOid, bool ensure_new_key); static void cache_internal_key(RelKeyData * ikey, InternalKeyType type); -void -TDEGlCatInitGUC(void) -{ - DefineCustomStringVariable("pg_tde.global_keyring_type", - "Keyring type for global catalog", - NULL, - &KRingProviderType, - NULL, - PGC_POSTMASTER, - 0, /* no flags required */ - NULL, - NULL, - NULL - ); - DefineCustomStringVariable("pg_tde.global_keyring_file_path", - "Keyring file options for global catalog", - NULL, - &KRingProviderFilePath, - NULL, - PGC_POSTMASTER, - 0, /* no flags required */ - NULL, - NULL, - NULL - ); -} - Size TDEGlCatEncStateSize(void) { - Size size; - - size = sizeof(EncryptionStateData); - size = add_size(size, sizeof(KeyringProviders)); - - return MAXALIGN(size); + return MAXALIGN(sizeof(EncryptionStateData)); } void 
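Review bot: `DefaultKeyProvider` is an object-like macro that expands to a GetKeyProviderByName() call, so each use in this file (hunks @@ -129 and @@ -220) rescans the key provider file and builds a fresh list, and the result can be NULL — GetKeyProviderByName() (tde_keyring.c, hunk @@ -161) returns NULL when no provider of that name is found — yet both call sites pass it straight into pg_tde_get_key_from_file() and create_principal_key() with no check. Replace the macro with a small static function so the cost and the failure mode are visible at the call site and the NULL case is handled once.
```c
/* Replaces the DefaultKeyProvider macro: one place that looks up the default
 * global-tablespace provider and fails loudly when it is missing. */
static GenericKeyring *
default_key_provider(void)
{
	GenericKeyring *keyring = GetKeyProviderByName(KEYRING_DEFAULT_NAME,
												   GLOBAL_DATA_TDE_OID,
												   GLOBALTABLESPACE_OID);

	if (keyring == NULL)
		ereport(ERROR,
				(errmsg("default key provider \"%s\" for the global tablespace not found",
						KEYRING_DEFAULT_NAME)));
	return keyring;
}
```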
@@ -106,9 +75,6 @@ TDEGlCatShmemInit(void) ShmemInitStruct("TDE XLog Encryption State", TDEGlCatEncStateSize(), &foundBuf); - allocptr = ((char *) EncryptionState) + MAXALIGN(sizeof(EncryptionStateData)); - EncryptionState->keyring = (GenericKeyring *) allocptr; - memset(EncryptionState->keyring, 0, sizeof(KeyringProviders)); memset(&EncryptionState->principal_key, 0, sizeof(TDEPrincipalKey)); } @@ -117,7 +83,7 @@ TDEGlCatKeyInit(void) { char db_map_path[MAXPGPATH] = {0}; - init_keyring(); + init_default_keyring(); pg_tde_set_db_file_paths(&GLOBAL_SPACE_RLOCATOR(XLOG_TDE_OID), db_map_path, NULL); @@ -129,7 +95,8 @@ TDEGlCatKeyInit(void) { RelKeyData *ikey; - ikey = pg_tde_get_key_from_file(&GLOBAL_SPACE_RLOCATOR(XLOG_TDE_OID), EncryptionState->keyring); + ikey = pg_tde_get_key_from_file(&GLOBAL_SPACE_RLOCATOR(XLOG_TDE_OID), + DefaultKeyProvider); cache_internal_key(ikey, TDE_INTERNAL_XLOG_KEY); } } 
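Review bot: The three removed lines were the only visible uses of `allocptr` in TDEGlCatShmemInit(), so if its declaration (above this hunk, outside what I can see) was not removed as well, the function now carries an unused variable and builds with -Werror will fail; drop the declaration together with these lines. The body of TDEGlCatShmemInit() starts before this hunk.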
@@ -189,22 +156,27 @@ GetGlCatInternalKey(Oid obj_id) return EncryptionState->internal_keys + ktype; } -/* - * TODO: should be aligned with the rest of the keyring_provider code after its - * refactoring - * - * TODO: add Vault - */ static void -init_keyring(void) +init_default_keyring(void) { - EncryptionState->keyring->type = get_keyring_provider_from_typename(KRingProviderType); - switch (EncryptionState->keyring->type) + if (GetAllKeyringProviders(GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID) == NIL) { - case FILE_KEY_PROVIDER: - FileKeyring * kring = (FileKeyring *) EncryptionState->keyring; - strncpy(kring->file_name, KRingProviderFilePath, sizeof(kring->file_name)); - break; + static KeyringProvideRecord provider = { + .provider_name = KEYRING_DEFAULT_NAME, + .provider_type = FILE_KEY_PROVIDER, + .options = + "{" + "\"type\": \"file\"," + " \"path\": \"pg_tde_default_keyring_CHANGE_IT_AND_REMOVE\"" /*TODO: not sure about the location*/ + "}" + }; + + /* TODO: should we remove it automaticaly on pg_tde_rotate_global_key() ? */ + save_new_key_provider_info(&provider, GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID, true); + elog(INFO, + "default keyring has been created for the global tablespace (WAL)." + " Change it with pg_tde_add_global_key_provider_* and run pg_tde_rotate_global_key." + ); } } @@ -220,8 +192,9 @@ init_gl_catalog_keys(void) RelFileLocator *rlocator; TDEPrincipalKey *mkey; + /* TODO: Use SetPrincipalKey()? */ mkey = create_principal_key(PRINCIPAL_KEY_DEFAULT_NAME, - EncryptionState->keyring, + DefaultKeyProvider, GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID, false); memset(&int_key, 0, sizeof(InternalKey)); diff --git a/src/catalog/tde_keyring.c b/src/catalog/tde_keyring.c index 6409bad7..b1ba1ad6 100644 --- a/src/catalog/tde_keyring.c +++ b/src/catalog/tde_keyring.c 
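Review bot: init_default_keyring() persists a file keyring whose path is the relative placeholder `pg_tde_default_keyring_CHANGE_IT_AND_REMOVE`, which resolves against the server's working directory rather than the data directory, and it ignores the return value of save_new_key_provider_info(), so a failed write would be reported as success and leave the later DefaultKeyProvider lookups in TDEGlCatKeyInit() and init_gl_catalog_keys() with nothing to find. At minimum build the path under the data directory and check the write result before emitting the INFO message. The message tells the operator to replace the provider, but nothing in the patch retires the default file once a real provider is configured, which the TODO on the line above already acknowledges; that comment also misspells "automatically" (`automaticaly`).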
@@ -13,6 +13,7 @@ #include "access/xlog.h" #include "access/xloginsert.h" #include "access/pg_tde_xlog.h" +#include "catalog/tde_global_catalog.h" #include "catalog/tde_keyring.h" #include "catalog/tde_principal_key.h" #include "access/skey.h" @@ -33,6 +34,8 @@ PG_FUNCTION_INFO_V1(pg_tde_add_key_provider_internal); Datum pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS); +PG_FUNCTION_INFO_V1(pg_tde_add_global_key_provider_internal); +Datum pg_tde_add_global_key_provider_internal(PG_FUNCTION_ARGS); #define PG_TDE_KEYRING_FILENAME "pg_tde_keyrings" @@ -60,7 +63,7 @@ typedef enum ProviderScanType PROVIDER_SCAN_ALL } ProviderScanType; -static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey); +static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oid dbOid, Oid spcOid); static FileKeyring *load_file_keyring_provider_options(Datum keyring_options); static GenericKeyring *load_keyring_provider_options(ProviderType provider_type, Datum keyring_options); @@ -68,8 +71,9 @@ static VaultV2Keyring *load_vaultV2_keyring_provider_options(Datum keyring_optio static void debug_print_kerying(GenericKeyring *keyring); static char *get_keyring_infofile_path(char *resPath, Oid dbOid, Oid spcOid); static void key_provider_startup_cleanup(int tde_tbl_count, XLogExtensionInstall *ext_info, bool redo, void *arg); -static uint32 write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, Oid tablespace_id, off_t position, bool redo); -static uint32 save_new_key_provider_info(KeyringProvideRecord *provider); +static uint32 write_key_provider_info(KeyringProvideRecord *provider, + Oid database_id, Oid tablespace_id, + off_t position, bool redo, bool recovery); static Size initialize_shared_state(void *start_address); static Size required_shared_mem_size(void); 
@@ -161,16 +165,16 @@ load_keyring_provider_from_record(KeyringProvideRecord* provider) } List * -GetAllKeyringProviders(void) +GetAllKeyringProviders(Oid dbOid, Oid spcOid) { - return scan_key_provider_file(PROVIDER_SCAN_ALL, NULL); + return scan_key_provider_file(PROVIDER_SCAN_ALL, NULL, dbOid, spcOid); } GenericKeyring * -GetKeyProviderByName(const char *provider_name) +GetKeyProviderByName(const char *provider_name, Oid dbOid, Oid spcOid) { GenericKeyring *keyring = NULL; - List *providers = scan_key_provider_file(PROVIDER_SCAN_BY_NAME, (void*)provider_name); + List *providers = scan_key_provider_file(PROVIDER_SCAN_BY_NAME, (void*)provider_name, dbOid, spcOid); if (providers != NIL) { keyring = (GenericKeyring *)linitial(providers); @@ -187,10 +191,10 @@ GetKeyProviderByName(const char *provider_name) } GenericKeyring * -GetKeyProviderByID(int provider_id) +GetKeyProviderByID(int provider_id, Oid dbOid, Oid spcOid) { GenericKeyring *keyring = NULL; - List *providers = scan_key_provider_file(PROVIDER_SCAN_BY_ID, &provider_id); + List *providers = scan_key_provider_file(PROVIDER_SCAN_BY_ID, &provider_id, dbOid, spcOid); if (providers != NIL) { keyring = (GenericKeyring *)linitial(providers); @@ -311,7 +315,8 @@ fetch_next_key_provider(int fd, off_t* curr_pos, KeyringProvideRecord *provider) } static uint32 -write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, Oid tablespace_id, off_t position, bool redo) +write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, + Oid tablespace_id, off_t position, bool redo, bool recovery) { off_t bytes_written = 0; off_t curr_pos = 0; @@ -336,7 +341,6 @@ write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, Oid tab } if (!redo) { - KeyringProviderXLRecord xlrec; /* we also need to verify the name conflict and generate the next provider ID */ while (fetch_next_key_provider(fd, &curr_pos, &existing_provider)) { 
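Review bot: write_key_provider_info() now takes two adjacent flags, `bool redo, bool recovery`, and its call sites read `0, false, recovery` and `xlrec->offset_in_file, true, false` (hunk @@ -401), which is easy to transpose without any compiler help since both are bool. Document in the comment above the function what each flag suppresses, and consider a small enum such as `KP_WRITE_NORMAL / KP_WRITE_REDO / KP_WRITE_NO_WAL` in place of the pair; as written, `redo = true, recovery = true` is accepted and the recovery flag is simply ignored because it is only consulted inside the `if (!redo)` branch.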
@@ -353,15 +357,23 @@ write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, Oid tab } provider->provider_id = max_provider_id + 1; curr_pos = lseek(fd, 0, SEEK_END); - /* emit the xlog here. So that we can handle partial file write errors */ - xlrec.database_id = database_id; - xlrec.tablespace_id = tablespace_id; - xlrec.offset_in_file = curr_pos; - memcpy(&xlrec.provider, provider, sizeof(KeyringProvideRecord)); - - XLogBeginInsert(); - XLogRegisterData((char *)&xlrec, sizeof(KeyringProviderXLRecord)); - XLogInsert(RM_TDERMGR_ID, XLOG_TDE_ADD_KEY_PROVIDER_KEY); + + /* emit the xlog here. So that we can handle partial file write errors + * but cannot make new WAL entries during recovery. + */ + if (!recovery) + { + KeyringProviderXLRecord xlrec; + + xlrec.database_id = database_id; + xlrec.tablespace_id = tablespace_id; + xlrec.offset_in_file = curr_pos; + memcpy(&xlrec.provider, provider, sizeof(KeyringProvideRecord)); + + XLogBeginInsert(); + XLogRegisterData((char *)&xlrec, sizeof(KeyringProviderXLRecord)); + XLogInsert(RM_TDERMGR_ID, XLOG_TDE_ADD_KEY_PROVIDER_KEY); + } } else { 
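Review bot: Whether the XLogInsert() is skipped is decided by the caller's `recovery` argument rather than by server state, and the one caller that passes true, init_default_keyring() in tde_global_catalog.c (hunk @@ -189), does so unconditionally, so on a primary the default provider record is written to the file but never WAL-logged and the partial-write protection described in this comment does not cover it. Either derive the flag from `RecoveryInProgress()` here or at least add `Assert(!recovery || RecoveryInProgress());` next to the `if (!recovery)` so a caller cannot silently opt out of logging. It is also worth confirming how the name-conflict loop above behaves when a standby that already wrote its own default provider later replays the primary's XLOG_TDE_ADD_KEY_PROVIDER_KEY record for the same name. The body of write_key_provider_info() begins before this hunk.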
@@ -401,22 +413,22 @@ write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, Oid tab /* * Save the key provider info to the file */ -static uint32 -save_new_key_provider_info(KeyringProvideRecord* provider) +uint32 +save_new_key_provider_info(KeyringProvideRecord* provider, Oid databaseId, Oid tablespaceId, bool recovery) { - return write_key_provider_info(provider, MyDatabaseId, MyDatabaseTableSpace, 0, false); + return write_key_provider_info(provider, databaseId, tablespaceId, 0, false, recovery); } uint32 redo_key_provider_info(KeyringProviderXLRecord* xlrec) { - return write_key_provider_info(&xlrec->provider, xlrec->database_id, xlrec->tablespace_id, xlrec->offset_in_file, true); + return write_key_provider_info(&xlrec->provider, xlrec->database_id, xlrec->tablespace_id, xlrec->offset_in_file, true, false); } /* * Scan the key provider info file and can also apply filter based on scanType */ -static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey) +static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oid dbOid, Oid spcOid) { off_t curr_pos = 0; int fd; @@ -427,7 +439,7 @@ static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey) if (scanType != PROVIDER_SCAN_ALL) Assert(scanKey != NULL); - get_keyring_infofile_path(kp_info_path, MyDatabaseId, MyDatabaseTableSpace); + get_keyring_infofile_path(kp_info_path, dbOid, spcOid); LWLockAcquire(tde_provider_info_lock(), LW_SHARED); @@ -481,10 +493,10 @@ static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey) void cleanup_key_provider_info(Oid databaseId, Oid tablespaceId) { - /* Remove the key provider info fileß */ + /* Remove the key provider info file */ char kp_info_path[MAXPGPATH] = {0}; - get_keyring_infofile_path(kp_info_path, MyDatabaseId, MyDatabaseTableSpace); + get_keyring_infofile_path(kp_info_path, databaseId, tablespaceId); PathNameDeleteTemporaryFile(kp_info_path, false); } 
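Review bot: save_new_key_provider_info() is now exported (and declared in tde_keyring.h, hunk @@ -77) but the comment above it still only says `Save the key provider info to the file`, leaving the new `databaseId`/`tablespaceId` and `recovery` parameters undocumented at both the definition and the header. Add a comment stating that the Oid pair selects which key provider info file receives the record, that `recovery = true` writes the record without emitting a WAL record (see write_key_provider_info) and is intended only for callers running while WAL insertion is not allowed, that `provider->provider_id` is assigned as a side effect, and what the uint32 return value denotes. The same documentation belongs on GetAllKeyringProviders()/GetKeyProviderByName()/GetKeyProviderByID() in the header, whose new Oid parameters select the file to scan.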
@@ -509,7 +521,23 @@ pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS) strncpy(provider.options, options, sizeof(provider.options)); strncpy(provider.provider_name, provider_name, sizeof(provider.provider_name)); provider.provider_type = get_keyring_provider_from_typename(provider_type); - save_new_key_provider_info(&provider); + save_new_key_provider_info(&provider, MyDatabaseId, MyDatabaseTableSpace, false); + + PG_RETURN_INT32(provider.provider_id); +} + +Datum +pg_tde_add_global_key_provider_internal(PG_FUNCTION_ARGS) +{ + char *provider_type = text_to_cstring(PG_GETARG_TEXT_PP(0)); + char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1)); + char *options = text_to_cstring(PG_GETARG_TEXT_PP(2)); + KeyringProvideRecord provider; + + strncpy(provider.options, options, sizeof(provider.options)); + strncpy(provider.provider_name, provider_name, sizeof(provider.provider_name)); + provider.provider_type = get_keyring_provider_from_typename(provider_type); + save_new_key_provider_info(&provider, GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID, false); PG_RETURN_INT32(provider.provider_id); } diff --git a/src/catalog/tde_principal_key.c b/src/catalog/tde_principal_key.c index c704ea08..0496b514 100644 --- a/src/catalog/tde_principal_key.c +++ b/src/catalog/tde_principal_key.c @@ -71,6 +71,7 @@ static void clear_principal_key_cache(Oid databaseId) ; static inline dshash_table *get_principal_key_Hash(void); static TDEPrincipalKey *get_principal_key_from_cache(Oid dbOid); static void push_principal_key_to_cache(TDEPrincipalKey *principalKey); +static Datum pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid, Oid spcOid); static const TDEShmemSetupRoutine principal_key_info_shmem_routine = { .init_shared_state = initialize_shared_state, 
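Review bot: pg_tde_add_global_key_provider_internal() is a line-for-line copy of pg_tde_add_key_provider_internal() differing only in the Oid pair passed to save_new_key_provider_info(), and both copies share two weaknesses: `KeyringProvideRecord provider;` is never zeroed, so padding and any field the function does not set are copied into the on-disk record and, via the memcpy in write_key_provider_info(), into the WAL record; and `strncpy()` into `provider.options` / `provider.provider_name` leaves no terminator when the input fills the buffer. Factor the body into one static helper that takes the Oid pair, zero-initializes the record and rejects over-long inputs before copying, then have both SQL entry points call it.
```c
/* Shared body of the SQL-callable add-provider functions; dbOid/spcOid
 * select which key provider info file receives the record. */
static Datum
add_key_provider_common(FunctionCallInfo fcinfo, Oid dbOid, Oid spcOid)
{
	char	   *provider_type = text_to_cstring(PG_GETARG_TEXT_PP(0));
	char	   *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1));
	char	   *options = text_to_cstring(PG_GETARG_TEXT_PP(2));
	KeyringProvideRecord provider = {0};

	/* Reject rather than truncate: a silently shortened name or options
	 * string would be persisted and later loaded as a different provider. */
	if (strlen(options) >= sizeof(provider.options) ||
		strlen(provider_name) >= sizeof(provider.provider_name))
		ereport(ERROR,
				(errcode(ERRCODE_STRING_DATA_RIGHT_TRUNCATION),
				 errmsg("key provider name or options are too long")));

	strlcpy(provider.options, options, sizeof(provider.options));
	strlcpy(provider.provider_name, provider_name, sizeof(provider.provider_name));
	provider.provider_type = get_keyring_provider_from_typename(provider_type);
	save_new_key_provider_info(&provider, dbOid, spcOid, false);

	PG_RETURN_INT32(provider.provider_id);
}

Datum
pg_tde_add_global_key_provider_internal(PG_FUNCTION_ARGS)
{
	return add_key_provider_common(fcinfo, GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID);
}
```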
@@ -277,7 +278,7 @@ GetPrincipalKey(Oid dbOid, Oid spcOid, GenericKeyring *keyring) if (keyring == NULL) { - keyring = GetKeyProviderByID(principalKeyInfo->keyringId); + keyring = GetKeyProviderByID(principalKeyInfo->keyringId, dbOid, spcOid); if (keyring == NULL) { LWLockRelease(lock_cache); @@ -417,7 +418,7 @@ bool SetPrincipalKey(const char *key_name, const char *provider_name, bool ensure_new_key) { TDEPrincipalKey *principal_key = set_principal_key_with_keyring(key_name, - GetKeyProviderByName(provider_name), + GetKeyProviderByName(provider_name, MyDatabaseId, MyDatabaseTableSpace), MyDatabaseId, MyDatabaseTableSpace, ensure_new_key); @@ -451,12 +452,16 @@ RotatePrincipalKey(TDEPrincipalKey *current_key, const char *new_key_name, const if (new_provider_name != NULL) { - new_principal_key.keyInfo.keyringId = GetKeyProviderByName(new_provider_name)->key_id; + new_principal_key.keyInfo.keyringId = GetKeyProviderByName(new_provider_name, + new_principal_key.keyInfo.databaseId, + new_principal_key.keyInfo.tablespaceId)->key_id; } } /* We need a valid keyring structure */ - keyring = GetKeyProviderByID(new_principal_key.keyInfo.keyringId); + keyring = GetKeyProviderByID(new_principal_key.keyInfo.keyringId, + new_principal_key.keyInfo.databaseId, + new_principal_key.keyInfo.tablespaceId); keyInfo = load_latest_versioned_key_name(&new_principal_key.keyInfo, keyring, ensure_new_key); @@ -522,7 +527,7 @@ load_latest_versioned_key_name(TDEPrincipalKeyInfo *principal_key_info, GenericK /* vault-v2 returns 404 (KEYRING_CODE_RESOURCE_NOT_AVAILABLE) when key is not found */ if (kr_ret != KEYRING_CODE_SUCCESS && kr_ret != KEYRING_CODE_RESOURCE_NOT_AVAILABLE) { - ereport(PANIC, + ereport(FATAL, (errmsg("failed to retrieve principal key from keyring provider :\"%s\"", keyring->provider_name), errdetail("Error code: %d", kr_ret))); } 
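Review bot: In RotatePrincipalKey() the reformatted call still dereferences the result of GetKeyProviderByName() with `->key_id` and no NULL check, and that function returns NULL when no provider of that name exists in the selected file (tde_keyring.c, hunk @@ -161), so an unknown `new_provider_name` passed through pg_tde_rotate_database_key() or pg_tde_rotate_global_key() crashes the backend instead of raising an error. The `keyring` obtained from GetKeyProviderByID() a few lines below is likewise handed to load_latest_versioned_key_name() without a visible check; if one exists outside the hunk, disregard that part. RotatePrincipalKey() starts and ends outside this hunk.
```c
	if (new_provider_name != NULL)
	{
		GenericKeyring *new_keyring = GetKeyProviderByName(new_provider_name,
														   new_principal_key.keyInfo.databaseId,
														   new_principal_key.keyInfo.tablespaceId);

		if (new_keyring == NULL)
			ereport(ERROR,
					(errcode(ERRCODE_UNDEFINED_OBJECT),
					 errmsg("key provider \"%s\" does not exist", new_provider_name)));
		new_principal_key.keyInfo.keyringId = new_keyring->key_id;
	}
	/* … unchanged: lookup of the keyring by ID and the rest of the rotation … */
```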
@@ -743,8 +748,43 @@ pg_tde_rotate_database_key(PG_FUNCTION_ARGS) PG_RETURN_BOOL(ret); } +PG_FUNCTION_INFO_V1(pg_tde_rotate_global_key); +Datum +pg_tde_rotate_global_key(PG_FUNCTION_ARGS) +{ + char *new_principal_key_name = NULL; + char *new_provider_name = NULL; + bool ensure_new_key; + bool ret; + TDEPrincipalKey *current_key; + + if (!PG_ARGISNULL(0)) + new_principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0)); + if (!PG_ARGISNULL(1)) + new_provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1)); + ensure_new_key = PG_GETARG_BOOL(2); + + + ereport(LOG, (errmsg("Rotating principal key to [%s : %s] for the database", new_principal_key_name, new_provider_name))); + current_key = GetPrincipalKey(GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID, NULL); + ret = RotatePrincipalKey(current_key, new_principal_key_name, new_provider_name, ensure_new_key); + PG_RETURN_BOOL(ret); +} + PG_FUNCTION_INFO_V1(pg_tde_database_key_info); Datum pg_tde_database_key_info(PG_FUNCTION_ARGS) +{ + return pg_tde_get_key_info(fcinfo, MyDatabaseId, MyDatabaseTableSpace); +} + +PG_FUNCTION_INFO_V1(pg_tde_global_key_info); +Datum pg_tde_global_key_info(PG_FUNCTION_ARGS) +{ + return pg_tde_get_key_info(fcinfo, GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID); +} + +static Datum +pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid, Oid spcOid) { TupleDesc tupdesc; Datum values[6]; @@ -761,7 +801,7 @@ Datum pg_tde_database_key_info(PG_FUNCTION_ARGS) (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("function returning record called in context that cannot accept type record"))); - principal_key = GetPrincipalKey(MyDatabaseId, MyDatabaseTableSpace, NULL); + principal_key = GetPrincipalKey(dbOid, spcOid, NULL); if (principal_key == NULL) { ereport(ERROR, 
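Review bot: pg_tde_rotate_global_key() reads `ensure_new_key = PG_GETARG_BOOL(2);` without testing PG_ARGISNULL(2), yet the SQL declaration (pg_tde--1.0.sql, hunk @@ -78) gives that argument `DEFAULT TRUE` and no STRICT, so an explicit NULL reaches PG_GETARG_BOOL on an unset Datum; use `ensure_new_key = PG_ARGISNULL(2) ? true : PG_GETARG_BOOL(2);`. The result of GetPrincipalKey() is passed to RotatePrincipalKey() unchecked, whereas pg_tde_get_key_info() below treats NULL as an error, so add `if (current_key == NULL) ereport(ERROR, (errmsg("principal key for the global tablespace is not set")));` before rotating unless RotatePrincipalKey() is known to accept NULL. The LOG line says `for the database` although this path rotates the global tablespace key, and it formats both names with `%s` while either may still be NULL; reword it to name the global tablespace and substitute a placeholder for NULL. The function also lacks the privilege restriction raised on the SQL hunk.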
@@ -770,7 +810,7 @@ Datum pg_tde_database_key_info(PG_FUNCTION_ARGS) PG_RETURN_NULL(); } - keyring = GetKeyProviderByID(principal_key->keyInfo.keyringId); + keyring = GetKeyProviderByID(principal_key->keyInfo.keyringId, dbOid, spcOid); /* Initialize the values and null flags */ diff --git a/src/include/catalog/tde_global_catalog.h b/src/include/catalog/tde_global_catalog.h index 23d57380..c9375e73 100644 --- a/src/include/catalog/tde_global_catalog.h +++ b/src/include/catalog/tde_global_catalog.h @@ -13,6 +13,7 @@ #include "postgres.h" +#include "access/pg_tde_tdemap.h" #include "catalog/tde_principal_key.h" /* @@ -29,7 +30,6 @@ _obj_oid \ } -extern void TDEGlCatInitGUC(void); extern Size TDEGlCatEncStateSize(void); extern void TDEGlCatShmemInit(void); extern void TDEGlCatKeyInit(void); diff --git a/src/include/catalog/tde_keyring.h b/src/include/catalog/tde_keyring.h index f35b4b2d..1c643f0b 100644 --- a/src/include/catalog/tde_keyring.h +++ b/src/include/catalog/tde_keyring.h @@ -55,12 +55,6 @@ typedef struct VaultV2Keyring char vault_mount_path[MAXPGPATH]; } VaultV2Keyring; -typedef union KeyringProviders -{ - FileKeyring file; - VaultV2Keyring vault; -} KeyringProviders; - /* This record goes into key provider info file */ typedef struct KeyringProvideRecord { 
@@ -77,11 +71,12 @@ typedef struct KeyringProviderXLRecord KeyringProvideRecord provider; } KeyringProviderXLRecord; -extern List *GetAllKeyringProviders(void); -extern GenericKeyring *GetKeyProviderByName(const char *provider_name); -extern GenericKeyring *GetKeyProviderByID(int provider_id); +extern List *GetAllKeyringProviders(Oid dbOid, Oid spcOid); +extern GenericKeyring *GetKeyProviderByName(const char *provider_name, Oid dbOid, Oid spcOid); +extern GenericKeyring *GetKeyProviderByID(int provider_id, Oid dbOid, Oid spcOid); extern ProviderType get_keyring_provider_from_typename(char *provider_type); extern void cleanup_key_provider_info(Oid databaseId, Oid tablespaceId); extern void InitializeKeyProviderInfo(void); +extern uint32 save_new_key_provider_info(KeyringProvideRecord *provider, Oid databaseId, Oid tablespaceId, bool recovery); extern uint32 redo_key_provider_info(KeyringProviderXLRecord *xlrec); #endif /*TDE_KEYRING_H*/ diff --git a/src/pg_tde.c b/src/pg_tde.c index 069758f2..31c8e867 100644 --- a/src/pg_tde.c +++ b/src/pg_tde.c @@ -108,7 +108,6 @@ _PG_init(void) InitializeKeyProviderInfo(); #ifdef PERCONA_FORK XLogInitGUC(); - TDEGlCatInitGUC(); #endif prev_shmem_request_hook = shmem_request_hook; shmem_request_hook = tde_shmem_request;