On Sun, Dec 17, 2023 at 06:30:50AM +0000, Chris Travers wrote: > Hi, > > I was re-reading the patches here and there was one thing I didn't > understand. > > There are provisions for a separation of data encryption keys for primary and > replica I see, and these share a single WAL key. > > But if I am setting up a replica from the primary, and the primary is already > encrypted, then do these forceably share the same data encrypting keys? Is > there a need to have (possibly in a follow-up patch) an ability to decrypt > and re-encrypt in pg_basebackup (which would need access to both keys) or is > this handled already and I just missed it?
Yes, decrypt and re-encrypt in pg_basebackup would be necessary, or in the actual protocol stream. -- Bruce Momjian <br...@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.
