Enterprise Postgres 17 Operation Guide

1.7.2 Additional Steps for Upgrading to Fujitsu Enterprise Postgres with Transparent Data Encryption (TDE) Enabled

If you are using pg_upgrade to upgrade an instance of Fujitsu Enterprise Postgres that uses Transparent Data Encryption (TDE), there are additional steps to take before upgrading.

If the old cluster ran as an HA cluster without database multiplexing and shared a single keystore file, see "Before upgrading if you shared a keystore file". For other operations, see "Before upgrading".

Before upgrading

Before upgrading, perform the following steps:

  1. Copy Master Encryption Key

    Copy the keystore file from the old cluster to the new cluster.

    You do not need to use the pgx_set_master_key function to generate a new master encryption key on the new cluster; you must copy the keystore file from the old cluster.

    As a database superuser, do the following:

    $ mkdir <NEW-KEY-STORE>/
    $ cp -p <OLD-KEY-STORE>/keystore.ks  <NEW-KEY-STORE>/

    NEW-KEY-STORE: The directory specified by the keystore_location parameter in postgresql.conf for the new cluster

    OLD-KEY-STORE: The directory specified by the keystore_location parameter in postgresql.conf on the old cluster

    Note

    This copy is not necessary if the new cluster uses the same keystore file location as the old cluster. In that case, the old cluster can no longer be used.

    Enable automatic keystore opening for old and new clusters.
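
Step 1 as a script, added here as an example and not part of the Fujitsu documentation: the function copy_keystore (a hypothetical name) runs the documented mkdir and cp -p, then verifies that the copy is byte-identical and not accessible to group or other users. The owner-only permission check and the refusal to overwrite a differing keystore are assumptions of this example, not requirements stated in the guide.

```shell
#!/bin/sh
# Added example (not vendor tooling): copy the TDE keystore to the new
# cluster's keystore_location and verify the copy before running pg_upgrade.
# Usage: copy_keystore <OLD-KEY-STORE> <NEW-KEY-STORE>

copy_keystore() {
    old_dir=$1
    new_dir=$2
    src="$old_dir/keystore.ks"
    dst="$new_dir/keystore.ks"

    [ -f "$src" ] || { echo "no keystore file at $src" >&2; return 2; }

    # Create the target directory without group/other access.
    (umask 077 && mkdir -p "$new_dir") || return 3

    # Same directory for both clusters: no copy is needed (see the Note above).
    if [ "$(cd "$old_dir" && pwd -P)" = "$(cd "$new_dir" && pwd -P)" ]; then
        echo "keystore location is shared; nothing to copy" >&2
        return 0
    fi

    # Never overwrite a different keystore that is already in place.
    if [ -e "$dst" ] && ! cmp -s "$src" "$dst"; then
        echo "refusing to overwrite existing $dst" >&2
        return 4
    fi

    # -p preserves owner, mode and timestamps, as in the documented command.
    cp -p "$src" "$dst" || return 5

    # A truncated or altered copy would not carry the old master key intact.
    cmp -s "$src" "$dst" || { echo "copy differs from source" >&2; return 6; }

    # Assumption of this check: only the owner may access the keystore.
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ld "$dst" | cut -c5-10)" != "------" ]; then
        echo "group/other can access $dst; tighten its mode" >&2
        return 7
    fi
    return 0
}
```

Run it as the database superuser, as in the documented step; a non-zero return code identifies which check failed.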

Before upgrading if you shared a keystore file

If the primary and standby servers shared the same keystore file, copy the keystore file from the old environment and share it as the keystore file in the new environment.

For more secure management of keystore files, place them on a secure, isolated key management server or key management storage.

Enable automatic keystore opening for old and new clusters.