src/bin/pg_alterckey/README - cloudberry - Git at Google

 pg_alterckey
 ============

 This directory contains the code to generate the pg_alterckey binary.

 Architecture
 ------------

 pg_alterckey allows altering of the cluster encryption key (key
 encryption key or KEK) which is stored outside of the file system;  see
 src/backend/crypto/README for more details.  This must be done in a
 crash-safe manner since the keys are critical to reading an encrypted
 cluster.  The active data encryption keys (DEK) are encrypted/wrapped by
 the KEK and stored in PGDATA/pg_cryptokeys/live as separate files,
 currently files 0 and 1.

 This process can be interrupted at anytime;  the new execution of
 pg_alterckey will repair any previously interrupted execution of
 pg_alterckey.

 pg_alterckey should never be run concurrently.  A lock file prevents
 almost all concurrent execution.  pg_alterckey can be run if the
 database server is running or stopped, so it can't use database locking
 that is only available when the server is running.
	pg_alterckey
	============

	This directory contains the code to generate the pg_alterckey binary.

	Architecture
	------------

	pg_alterckey allows altering of the cluster encryption key (key
	encryption key or KEK) which is stored outside of the file system; see
	src/backend/crypto/README for more details. This must be done in a
	crash-safe manner since the keys are critical to reading an encrypted
	cluster. The active data encryption keys (DEK) are encrypted/wrapped by
	the KEK and stored in PGDATA/pg_cryptokeys/live as separate files,
	currently files 0 and 1.

	This process can be interrupted at anytime; the new execution of
	pg_alterckey will repair any previously interrupted execution of
	pg_alterckey.

	pg_alterckey should never be run concurrently. A lock file prevents
	almost all concurrent execution. pg_alterckey can be run if the
	database server is running or stopped, so it can't use database locking
	that is only available when the server is running.