...
To support multiple keys for reading encrypted data it is required to store key identifier on each encrypted page and on each encrypted WAL record. The key identifier is a sequential counter, and should be the same on all nodes.
- Check that all baseline nodes online.
- Start distributed process CACHE_GROUP_KEY_CHANGE_PREPARE, each node
- verifies that re-encryption not in progress
- ensures that new key identifier does not exists
- adds new key
- After successful completion of PREPARE, start distributed process CACHE_GROUP_KEY_CHANGE_FINISH, each node
- saves logical WAL record (ENCRYPTION_STATUS_RECORD) with current page count in partitions.
- stores current page count as total pages for background re-encryption on partitions.
- adds the mapping "WAL segment -> *old* key identifier" (to safely cleanup this key in the future)
- sets new key for writing
- starts background re-encryption
...