Note the following when using transparent data encryption in environments that use streaming replication, or database multiplexing with streaming replication.
Place a copy of the primary server keystore file on the standby server.
This is required because the keystore file cannot be shared between the two servers, and both may need to access it at the same time.
Point
To manage the keystore file in a more secure manner, place it on the key management server or the key management storage isolated in a secure location. A keystore used by both the primary and standby servers can be managed on the same key management server or key management storage.
However, create different directories for the keystores to be used by the primary server and the standby server. Then copy the keystore for the primary server to the directory used on the standby server.
Automatically opening the keystore
You must enable automatic opening of the keystore.
To do this, enable automatic opening of the keystore in all servers that make up database multiplexing. The settings for automatic opening of the keystore include information unique to each server, so simply copying the file does not enable it.
Changing the passphrase
Changes to the passphrase are reflected in all servers that make up database multiplexing, so no special operation is required.
Building and starting a standby server
Before using the pg_basebackup command or pgx_rcvall command to build a standby server, copy the keystore file from the primary server to the standby server. When using an automatically opening keystore, use the copied keystore file to enable automatic opening on the standby server.
Open the keystore each time you start the standby server. This step is necessary for decrypting and restoring encrypted WAL received from the primary server. To open the keystore, specify the --keystore-passphrase option in the pg_ctl command or pgx_rcvall command and enter the passphrase, or use an automatically opening keystore.
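The staging step described in the Point above and in "Building and starting a standby server" (keep the primary and standby keystores in different directories, copy the primary's keystore into the standby's directory) can be scripted. The following is an added example, not a tool shipped with the product or text from the original manual: it refuses to reuse the primary's directory for the standby, copies the keystore with owner-only permissions, and verifies the copy byte for byte. The keystore file name keystore.ks is an assumption about the installation layout; adjust it to your environment.

```shell
#!/bin/sh
# Added example (not part of the manual): stage the primary server's
# keystore into a separate directory for the standby server.
# KEYSTORE_FILE is an assumed name; check your installation.

KEYSTORE_FILE=keystore.ks

# stage_standby_keystore PRIMARY_DIR STANDBY_DIR
# Copies PRIMARY_DIR/keystore file into STANDBY_DIR, enforcing that the
# two directories differ, restricting permissions to the owner, and
# checking the copy is identical. Returns 0 on success, non-zero otherwise.
stage_standby_keystore() {
    primary_dir=$1
    standby_dir=$2
    src="$primary_dir/$KEYSTORE_FILE"
    dst="$standby_dir/$KEYSTORE_FILE"

    # Primary and standby keystores must live in different directories.
    if [ "$primary_dir" = "$standby_dir" ]; then
        echo "refusing: primary and standby keystore directories must differ" >&2
        return 2
    fi
    if [ ! -f "$src" ]; then
        echo "missing primary keystore: $src" >&2
        return 3
    fi

    # The keystore protects the master encryption key: owner-only access.
    mkdir -p "$standby_dir" && chmod 700 "$standby_dir" || return 4
    cp "$src" "$dst" && chmod 600 "$dst" || return 5

    # Confirm the standby copy matches the primary keystore exactly.
    cmp -s "$src" "$dst" || { echo "copy verification failed" >&2; return 6; }
    return 0
}

# keystore_mode FILE
# Prints the octal permission bits of FILE (GNU stat first, BSD stat as fallback),
# so an operator can confirm the copied keystore is 600.
keystore_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage when run directly: stage_standby_keystore /path/primary_ks /path/standby_ks
if [ $# -ge 2 ]; then
    stage_standby_keystore "$1" "$2"
fi
```

Run it before pg_basebackup or pgx_rcvall, with the standby directory path pointing at the keystore location configured on the standby server. Afterwards the standby is started as the text describes, either with the --keystore-passphrase option of pg_ctl or pgx_rcvall, or with automatic opening enabled using the copied file.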
Changing the master encryption key and the passphrase
Change the master encryption key and the passphrase on the primary server. You need not copy the keystore from the primary server to the standby server. You need not even restart the standby server or reopen the keystore. Changes to the master encryption key and the passphrase are reflected in the keystore on the standby server.
See
Refer to "pgx_rcvall" in the Reference for information on the pgx_rcvall command.
Refer to "pg_ctl" under "Reference" in the PostgreSQL Documentation for information on the pg_ctl command.
Refer to "pg_basebackup" under "Reference" in the PostgreSQL Documentation for information on the pg_basebackup command.
Refer to "High Availability, Load Balancing, and Replication" under "Server Administration" in the PostgreSQL Documentation for information on how to set up streaming replication.