On Thu, 2021-04-08 at 09:21 +0100, lejeczek wrote:
> On 08/04/2021 03:59, Laurenz Albe wrote:
> > On Wed, 2021-04-07 at 21:12 +0100, lejeczek wrote:
> > > On 07/04/2021 17:36, Tom Lane wrote:
> > > > lejeczek <peljasz@xxxxxxxxxxx> writes:
> > > > > A novice here thus please go easy on me as I ask this - I
> > > > > see docs/howtos all over the place be those either talk of
> > > > > encryption or replication. I failed to find one which blend
> > > > > these two concepts together - sure it's possible to pgSQL
> > > > > replication encrypted, right?
> > >
> > > Thanks. Would you know how '|clientcert=1' fits into the
> > > equation?
> > > With it present in pg_hba.conf pgSQL was not happy saying:
> > >
> > > FATAL: connection requires a valid client certificate.
> >
> > Then include "sslcert" in "primary_conninfo".
> >
> > You can use all the libpq connection parameters:
> > https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
>
> This below is what 'pg_basebackup' generated on the master
> itself, master which already was configured for TLS/certs.
>
> primary_conninfo = 'user=replicator password=''9897''
> channel_binding=prefer host=10.1.1.224 port=5432
> sslmode=prefer sslcompression=0
> ssl_min_protocol_version=TLSv1.2 gssencmode=prefer
> krbsrvname=postgres target_session_attrs=any'
>
> And with master's:
>
> hostssl replication replicator 10.1.1.223/32 md5 clientcert=1

I repeat: add "sslcert" to "primary_conninfo".

Of course you will need a private key that matches the certificate.

> I guess my question - as any novice's - would be: is
> replication really 100% encrypted? How to confirm-test it?

Look at the appropriate line in "pg_stat_ssl".

> Lastly: is there anything more at 'pg_basebackup' stage user
> can do to have 'configs' more ready, more complete for 'full
> encryption' when starting with master already configured
> with TLS?
> I'm on 13.2 version.

No, this always requires manual configuration.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
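Added example, not part of the thread and not PostgreSQL's own tooling: a small POSIX shell script that checks the connection string pg_basebackup wrote (the value inside primary_conninfo) for the two things the reply asks for, a client certificate (sslcert=) for clientcert=1 and an sslmode that cannot be downgraded, and that produces the pg_stat_ssl query one would run on the primary to confirm the walsender connection is encrypted. Two libpq facts it relies on: with sslmode=prefer libpq falls back to a cleartext connection if TLS is not offered, and if sslkey= is not given the key is read from ~/.postgresql/postgresql.key of the OS user running the standby. The certificate paths in the corrected string are placeholders, and the "as generated" string is a copy of the one posted in the thread.

```shell
# Added example (not from the thread, not PostgreSQL code): sanity-check a
# libpq connection string as used in primary_conninfo, and print the
# pg_stat_ssl query that proves the replication link is encrypted.

# conninfo_get CONNINFO KEY: print KEY's value, or nothing if it is unset.
# Assumes values contain no spaces, which holds for the string in the thread.
conninfo_get() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# replication_conninfo_ok CONNINFO: return 0 only if libpq can never fall
# back to cleartext (sslmode=require or stronger) and a client certificate
# is configured (sslcert=). The private key comes from sslkey= or, if
# absent, from ~/.postgresql/postgresql.key of the OS user running the
# standby. One line is printed per finding.
replication_conninfo_ok() {
    ci=$1
    rc=0
    mode=$(conninfo_get "$ci" sslmode)
    case "$mode" in
        verify-full) ;;
        verify-ca) echo "sslmode=verify-ca: encrypted, but the primary's host name is not checked" ;;
        require)   echo "sslmode=require: encrypted, but the primary's certificate is not verified" ;;
        *) echo "sslmode=${mode:-<unset>}: libpq may silently fall back to a cleartext connection"; rc=1 ;;
    esac
    [ -n "$(conninfo_get "$ci" sslcert)" ] \
        || { echo "no sslcert=: 'clientcert=1' in pg_hba.conf will reject the standby"; rc=1; }
    return $rc
}

# pg_stat_ssl_query: run the output on the primary. A walsender row with
# ssl = t and a cipher means the link is encrypted; client_dn is filled in
# when the standby presented a client certificate.
pg_stat_ssl_query() {
    cat <<'EOF'
SELECT r.client_addr, r.state, s.ssl, s.version, s.cipher, s.client_dn
FROM pg_stat_replication AS r
JOIN pg_stat_ssl AS s USING (pid);
EOF
}

# Constructed inputs: the string pg_basebackup generated in the thread, and
# a corrected one (certificate paths are placeholders).
AS_GENERATED="user=replicator password='9897' channel_binding=prefer host=10.1.1.224 port=5432 sslmode=prefer sslcompression=0 ssl_min_protocol_version=TLSv1.2 gssencmode=prefer krbsrvname=postgres target_session_attrs=any"
CORRECTED="user=replicator host=10.1.1.224 port=5432 sslmode=verify-full sslrootcert=/etc/postgresql/ca.crt sslcert=/etc/postgresql/standby.crt sslkey=/etc/postgresql/standby.key ssl_min_protocol_version=TLSv1.2"

echo "== as generated by pg_basebackup"
replication_conninfo_ok "$AS_GENERATED" || echo "-> not acceptable for encrypted replication"
echo "== corrected"
replication_conninfo_ok "$CORRECTED" && echo "-> OK; confirm on the primary with:" && pg_stat_ssl_query
```

The as-generated string fails on both counts (sslmode=prefer and no sslcert=), which is exactly the "connection requires a valid client certificate" situation from the thread; the corrected one passes, and the printed query is what to look at in pg_stat_ssl afterwards.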