Note the following when using transparent data encryption in environments that use streaming replication, or database multiplexing with streaming replication.
Because the master encryption key is encrypted with the HSM master key, you must load the same HSM master key on all servers that will be part of the database multiplexing operation.
For instructions on loading the primary server's HSM master key on the standby server, refer to the IBM documentation.
Place a copy of the primary server keystore file on the standby server.
This is required as the keystore file cannot be shared, and both servers may need to access it simultaneously.
Copy procedure for the opencryptoki token directory
Execute the following operations as the system administrator (root).
On source machine
Back up the token directory of the source machine, retaining file owners and groups in the backup
On target machine
Update the opencryptoki.conf file
Add the new Slot/tokname to use on the target machine
Restart Slot Manager daemon (pkcsslotd)
This will create the openCryptoki token folders, including a new one for the new slot
Copy all the backed-up token directory files into this new token directory (preserving the file owners and groups)
Be sure to remove any shared memory files in /dev/shm which are associated with the new tokname
Restart Slot Manager daemon (pkcsslotd)
The new token should be ready to use.
(The SO PIN and User PIN are the same as they were on the source machine.)
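The backup, copy and check steps of the procedure above, as added shell helpers (an illustration, not part of the product documentation). The function names and arguments are hypothetical, the caller supplies the token directory paths and tokname, and matching shared memory files by a name containing the tokname is an assumption. Editing opencryptoki.conf and restarting pkcsslotd remain manual steps.

```sh
#!/bin/sh
# Added example, not from the product documentation. Run as root on real systems.
# Assumption: the caller passes the token directory paths and the tokname;
# nothing here hard-codes the openCryptoki layout.

# Print "owner:group mode sha256 path" for every regular file under DIR, sorted,
# so a listing taken on the source machine can be compared on the target.
token_manifest() {     # token_manifest DIR
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s %s\n' "$(stat -c '%U:%G %a' "$f")" \
              "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
      done )
}

# Source machine: archive the token directory. -p keeps permissions; owner and
# group names are recorded in the archive.
backup_token_dir() {   # backup_token_dir SRC_DIR ARCHIVE
    tar -C "$1" -cpf "$2" .
}

# Target machine: unpack into the new token directory created by pkcsslotd.
# When run as root, tar restores the archived owners and groups by default.
restore_token_dir() {  # restore_token_dir ARCHIVE DEST_DIR
    tar -C "$2" -xpf "$1"
}

# Succeeds only if DEST_DIR matches the manifest taken on the source machine
# (same owners, groups, modes and file contents).
verify_token_copy() {  # verify_token_copy MANIFEST_FILE DEST_DIR
    token_manifest "$2" | diff - "$1" >/dev/null
}

# List shared memory files whose name contains TOKNAME, for review and removal
# before the second pkcsslotd restart. SHM_DIR defaults to /dev/shm.
stale_shm_files() {    # stale_shm_files TOKNAME [SHM_DIR]
    find "${2:-/dev/shm}" -maxdepth 1 -type f -name "*$1*" | LC_ALL=C sort
}
```

Generate the manifest on the source machine with token_manifest, transfer it together with the archive, and run verify_token_copy on the target after unpacking. A failed check means ownership, mode or content differs from the source.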
Automatically opening the keystore
You must enable automatic opening of the keystore on all servers that make up database multiplexing.
Building and starting a standby server
Before using the pg_basebackup command or pgx_rcvall command to build a standby server, copy the keystore file and the entire opencryptoki token directory of the slot assigned to Fujitsu Enterprise Postgres from the primary server to the standby server.
Open the keystore each time you start the standby server. This step is necessary for decrypting and restoring encrypted WAL received from the primary server. To open the keystore, specify the --user-pin option in the pg_ctl command or pgx_rcvall command and enter the user PIN, or use an automatically opening keystore.
Note
If you start a standby server without copying the openCryptoki token directory from the primary server to the standby server, an error occurs during the following operations.
Accessing tables defined in an encrypted tablespace on the standby server
Changing the master encryption key on the primary server
If an error occurs, you can recover by copying the opencryptoki token directory from the primary server to the standby server and restarting the standby server.
Changing the master encryption key
Change the master encryption key on the primary server. You need not copy the keystore from the primary server to the standby server. You need not even restart the standby server or reopen the keystore. Changes to the master encryption key are reflected in the keystore on the standby server.
See
Refer to "pgx_rcvall" in the Reference for information on the pgx_rcvall command.
Refer to "pg_ctl" under "Reference" in the PostgreSQL Documentation for information on the pg_ctl command.
Refer to "pg_basebackup" under "Reference" in the PostgreSQL Documentation for information on the pg_basebackup command.
Refer to "High Availability, Load Balancing, and Replication" under "Server Administration" in the PostgreSQL Documentation for information on how to set up streaming replication.