From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Chris Travers <chris(dot)travers(at)gmail(dot)com> |
Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org, David Christensen <david+pg(at)pgguru(dot)net> |
Subject: | Re: Moving forward with TDE |
Date: | 2023-12-26 18:55:20 |
Message-ID: | ZYshmKIqP9GR1rzX@momjian.us |
Lists: | pgsql-hackers |

On Sun, Dec 17, 2023 at 06:30:50AM +0000, Chris Travers wrote:
> Hi,
>
> I was re-reading the patches here and there was one thing I didn't understand.
>
> There are provisions for a separation of data encryption keys for primary and replica I see, and these share a single WAL key.
>
> But if I am setting up a replica from the primary, and the primary is already encrypted, then do these forcibly share the same data encrypting keys? Is there a need to have (possibly in a follow-up patch) an ability to decrypt and re-encrypt in pg_basebackup (which would need access to both keys) or is this handled already and I just missed it?

Yes, decrypt and re-encrypt in pg_basebackup would be necessary, or in
the actual protocol stream.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.