From 849ffcec9ffc045a7f7d660206c0a42583c2fa46 Mon Sep 17 00:00:00 2001 From: Artem Gavrilov Date: Thu, 26 Jun 2025 16:32:49 +0200 Subject: [PATCH] PG-1257 Add key deletion funcs to documentation Add principal key deletion functions to documentation. Fix a couple of uncertainties on the architecture docs page. --- .../documentation/docs/architecture/index.md | 4 ++-- contrib/pg_tde/documentation/docs/functions.md | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/architecture/index.md b/contrib/pg_tde/documentation/docs/architecture/index.md index 9abd070c4c9eb..54542ee94e0b6 100644 --- a/contrib/pg_tde/documentation/docs/architecture/index.md +++ b/contrib/pg_tde/documentation/docs/architecture/index.md 
@@ -305,12 +305,12 @@ You can manage a default key with the following functions: * `pg_tde_delete_default_key()` !!! note - `pg_tde_delete_default_key()` is only possible if there's no table currently using the default principal key. + `pg_tde_delete_default_key()` is only possible if there's no database currently using the default principal key. Changing the default principal key will rotate the encryption of internal keys for all databases using the current default principal key. #### Delete a key -The `pg_tde_delete_key()` function removes the principal key for the current database. If the current database has any encrypted tables, and there isn’t a default principal key configured, it reports an error instead. If there are encrypted tables, but there’s also a global default principal key, internal keys will be encrypted with the default key. +The `pg_tde_delete_key()` function removes the principal key for the current database. If the current database has any encrypted tables, and there isn’t a default principal key configured, it reports an error instead. If there are encrypted tables, but there’s also a default principal key, internal keys will be encrypted with the default key. !!! note WAL keys **cannot** be deleted, as server keys are managed separately. diff --git a/contrib/pg_tde/documentation/docs/functions.md b/contrib/pg_tde/documentation/docs/functions.md index 563d359aa2cf4..fcc7d03c51ef4 100644 --- a/contrib/pg_tde/documentation/docs/functions.md +++ b/contrib/pg_tde/documentation/docs/functions.md 
@@ -302,6 +302,22 @@ SELECT pg_tde_set_default_key_using_global_key_provider( ); ``` +### pg_tde_delete_key + +Deletes the principal key for the current database. If the current database has any encrypted tables, and there isn’t a default principal key configured, it reports an error instead. If there are encrypted tables, but there’s also a default principal key, internal keys will be encrypted with the default key. + +```sql +SELECT pg_tde_delete_key(); +``` + +### pg_tde_delete_default_key + +Deletes default principal key. It's possible only if no database uses default principal key. + +```sql +SELECT pg_tde_delete_default_key(); +``` + ## Encryption status check ### pg_tde_is_encrypted
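Review bot: In the architecture/index.md hunk, the rewritten "Delete a key" paragraph still says internal keys "will be encrypted with the default key", which reads as if they were unencrypted before; since they were wrapped by the key being deleted, "will be re-encrypted with the default principal key" states the actual operation. The adjusted note on `pg_tde_delete_default_key()` ("is only possible if there's no database currently using the default principal key") would also benefit from saying what happens otherwise, e.g. that the call reports an error, so it matches the error sentence given for `pg_tde_delete_key()` two paragraphs below.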
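Review bot: In the functions.md hunk, the new `pg_tde_delete_default_key` section drops articles and omits the failure behaviour; suggest "Deletes the default principal key. This is only possible if no database currently uses the default principal key; otherwise the call fails." so it reads like the note added to architecture/index.md in the same patch. The new `pg_tde_delete_key` section should also carry the WAL-key caveat that the architecture page keeps in its unchanged context ("WAL keys **cannot** be deleted, as server keys are managed separately"), since readers of the function reference will not otherwise see it, and a one-line reminder that the default key is the one set with `pg_tde_set_default_key_using_global_key_provider()` (the section immediately above) would make the fallback behaviour unambiguous.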