Symfoware Server V12.0.0 Operation Guide
FUJITSU Software

5.10.2 Streaming Replication

Take the following points into account when using transparent data encryption in a streaming replication environment.

Placement and automatic opening of the keystore file

Place a copy of the primary server keystore file on the standby server.

This is required because the keystore file cannot be shared: both servers may access it simultaneously.

If you change the master encryption key and the passphrase on the primary server, you need not copy the keystore file to the standby server as the changes on the primary server will be reflected on the standby server.

To manage the keystore file more securely, place it on a key management server or key management storage isolated in a secure location. If both the primary and standby servers can access the same key management server or key management storage, the keystore can be managed on that same key management server or key management storage. In this case, on the standby server, create a directory to store the keystore in a different location from that of the primary server, and then copy the keystore file created on the primary server to this directory.

Enable the automatic opening of the keystore on both the primary and standby servers. Note that copying the automatically opening keystore file (keystore.aks) to the standby server does not enable the automatic opening of the keystore.

Building and starting a standby server

Before using the pg_basebackup command or pgx_rcvall command to build a standby server, copy the keystore file from the primary server to the standby server. When using an automatically opening keystore, use the copied keystore file to enable automatic opening on the standby server.

Open the keystore each time you start the standby server. This step is necessary for decrypting and restoring encrypted WAL received from the primary server. To open the keystore, specify the --keystore-passphrase option in the pg_ctl command or pgx_rcvall command and enter the passphrase, or use an automatically opening keystore.

Changing the master encryption key and the passphrase

Change the master encryption key and the passphrase on the primary server. You need not copy the keystore from the primary server to the standby server. You need not even restart the standby server or reopen the keystore. Changes to the master encryption key and the passphrase are reflected in the keystore on the standby server.

See

Refer to "pgx_rcvall" in the Reference for information on the pgx_rcvall command.

Refer to "pg_ctl" under "Reference" in the PostgreSQL Documentation for information on the pg_ctl command.

Refer to "pg_basebackup" under "Reference" in the PostgreSQL Documentation for information on the pg_basebackup command.

Refer to "High Availability, Load Balancing, and Replication" under "Server Administration" in the PostgreSQL Documentation for information on how to set up streaming replication.