On Thu, Aug 8, 2019 at 6:31 PM Stephen Frost <sfrost@snowman.net> wrote:
Strictly speaking, that isn't actually crash recovery, it's physical replication / HA, and while those are certainly nice to have it's no guarantee that they're required or that you'd want to have the same keys for them- conceptually, at least, you could have WAL with one key that both sides know and then different keys for the actual data files, if we go with the approach where the WAL is encrypted with one key and then otherwise is plaintext.
I like the idea of separating the WAL key from the rest of the data files. It'd all be unlocked by the MDEK and you'd still need derived keys per WAL-file, but disconnecting all that from the data files solves a lot of the problems with promoted replicas.
This would complicate cloning a replica as using a different MDEK would involve decrypting / encrypting everything rather than just copying the files. Even if that's not baked in a first version, the separation allows for eventually supporting that.
