One of the building blocks of data encryption in EDB Postgres is TDE (Transparent Data Encryption). It offers encryption at the file level, which solves the problem of protecting data at rest. The key for transparent data encryption is generated by initdb and stored in the file pg_encryption/key.bin under the data directory.
A wrap and an unwrap command need to be specified to secure the data encryption key, which provides TDE with a data encryption protection mechanism. The data encryption key will be protected using a wrapping key stored in a key management system. This second key is also called the key-wrapping key or master key. The Utimaco ESKM acts as the KMS here.