Hi, I wonder if this is meant to support external KMS systems/services like Vault (from HashiCorp) or CloudHSM (from AWS) or a hardware HSM. AFAICS the current implementation does not allow storing keys in such external systems, right? But it seems kinda reasonable to want to do that, when already using the HSM for other parts of the system.
Now, I'm not saying the first version we commit has to support this, or that it necessarily makes sense. But for example MariaDB seems to support this [1].

[1] https://mariadb.com/kb/en/encryption-key-management/

--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services