Take the following points into account when using transparent data encryption in a streaming replication environment.

Use different keystore files on the primary server and the standby server. Both servers cannot share the same keystore file on the file server. This is because both servers may read or write to the file simultaneously. The same applies to automatically opening keystores.

When using an automatically opening keystore, enable automatic opening on the standby server. An automatically opening keystore (keystore.aks) created on the primary server cannot automatically open even if you copy it to the standby server.

Before using the pg_basebackup command or pgx_rcvall command to build a standby server, copy the keystore file from the primary server to the standby server. When using an automatically opening keystore, use the copied keystore file to enable automatic opening on the standby server.

Open the keystore each time you start the standby server. This step is necessary for decrypting and restoring encrypted WAL received from the primary server. To open the keystore, specify the --keystore-passphrase option in the pg_ctl command or pgx_rcvall command and enter the passphrase, or use an automatically opening keystore.

Change the master encryption key and the passphrase on the primary server. You need not copy the keystore from the primary server to the standby server. You need not even restart the standby server or reopen the keystore. Changes to the master encryption key and the passphrase are reflected in the keystore on the standby server.