diff --git a/contrib/pg_tde/documentation/docs/how-to/backup-wal-enabled.md b/contrib/pg_tde/documentation/docs/how-to/backup-wal-enabled.md index 97c2804b40f..7b51bbbd176 100644 --- a/contrib/pg_tde/documentation/docs/how-to/backup-wal-enabled.md +++ b/contrib/pg_tde/documentation/docs/how-to/backup-wal-enabled.md @@ -24,9 +24,9 @@ Also copy any external files referenced by your providers configuration (such as ## Key rotation during backups !!! warning - Do not rotate SMGR or WAL encryption keys while `pg_basebackup` is running. Standbys or standalone clusters created from such backups may fail to start during WAL replay. + Do not create, change, or rotate global key providers (or their keys) while `pg_basebackup` is running. Standbys or standalone clusters created from such backups may fail to start during WAL replay and may also lead to the corruption of encrypted data (tables, indexes, and other relations). -Rotations during a base backup can leave the standby in an inconsistent state where it cannot retrieve the correct key history. +Creating, changing, or rotating global key providers (or their keys) during a base backup can leave the standby in an inconsistent state where it cannot retrieve the correct key history. For example, you may see errors such as: diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v2.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v2.0.md index 22c74ba52d3..5a11ed3300d 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v2.0.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v2.0.md 
@@ -30,9 +30,9 @@ Clusters that did not use WAL encryption in beta can be upgraded normally. ## Known issues -* Rotating encryption keys while `pg_basebackup` is running may cause standbys or standalone clusters initialized from the backup to fail during WAL replay. +* Creating, changing, or rotating global key providers (or their keys) while `pg_basebackup` is running may cause standbys or standalone clusters initialized from the backup to fail during WAL replay and may also lead to the corruption of encrypted data (tables, indexes, and other relations). - Avoid key rotations during backups. Run a new full backup after completing a rotation. + Avoid making these actions during backup windows. Run a new full backup after completing a rotation or provider update. * Using `pg_basebackup` with `--wal-method=fetch` produces warnings.
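Review bot: In the backup-wal-enabled.md hunk, the new warning sentence has a dangling subject: "Standbys or standalone clusters created from such backups may fail to start during WAL replay and may also lead to the corruption of encrypted data" reads as if the standbys cause the corruption. Split it so that the operation is the subject, for example "Standbys or standalone clusters created from such backups may fail to start during WAL replay. Doing so may also corrupt encrypted data (tables, indexes, and other relations)." The unchanged heading "## Key rotation during backups" is also now narrower than the text under it, which covers creating and changing global key providers as well; consider widening the heading in the same change. Finally, the old wording named "SMGR or WAL encryption keys" explicitly and the new wording says only "global key providers (or their keys)"; state whether both kinds of key are still covered so readers do not have to infer it.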
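Review bot: In the release-notes-v2.0.md hunk, "Avoid making these actions during backup windows" is awkward and shifts scope from "while `pg_basebackup` is running" to the looser "backup windows"; something like "Avoid these operations while `pg_basebackup` is running" matches the bullet above it and the how-to page. The follow-up sentence "Run a new full backup after completing a rotation or provider update" covers rotating and changing but not creating a provider, which the bullet also lists; either add it or say "after completing any of these operations". Since this known issue now mentions possible corruption of encrypted data, a link to the how-to page's "Key rotation during backups" section would help readers find the fuller warning.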