Migration

migration:
  api_address: "http://encryption-proxy-dev:9191"
  postgres:
    enabled: true
    native: { ... }
    proxy: { ... }

api_address

  • The address of the Encryption Proxy API.

  • Used by the migration service to fetch encryption rules and communicate with the encryption engine.


postgres.enabled

  • Enables the PostgreSQL migration service.

  • When true, the system migrates data from the source (native) PostgreSQL instance to the destination (proxy) PostgreSQL proxy server.


native Block (Source Database)

Configuration for the original unencrypted PostgreSQL server:

  • This is the data source before encryption.

  • Configure TLS for this connection according to its ssl_mode.


proxy Block (Destination Database)

Configuration for the target encrypted PostgreSQL proxy server:

  • This is where encrypted data will be stored.

  • This connection points to the proxy, not directly to a raw PostgreSQL instance.


TLS (ssl_mode)

You can choose from the following ssl_mode values (applies to both native and proxy):

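  • disable: No TLS; the connection is unencrypted (not recommended).

  • prefer: Use TLS if available.

  • require: Enforce TLS, but skip verification of the server's identity.

  • verify-ca: Validate the server certificate against the CA.

  • verify-full: Validate the server certificate against the CA and also verify that the server hostname matches its certificate.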

All cert/key files should be in PEM format.
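
What each ssl_mode value checks, expressed with Python's ssl module, followed by an audit of both connection blocks. This is an added example, not the product's own code; the placement of ssl_mode directly under native and proxy, and the names tls_settings and audit, are assumptions.

```python
import ssl

# ssl_mode values from the page, weakest first.
MODES = ("disable", "prefer", "require", "verify-ca", "verify-full")

def tls_settings(ssl_mode, ca_file=None):
    """Return (SSLContext or None, plaintext_possible) for one ssl_mode."""
    if ssl_mode not in MODES:
        raise ValueError(f"unknown ssl_mode: {ssl_mode!r}")
    if ssl_mode == "disable":
        return None, True
    # ca_file is a PEM CA bundle; the system trust store is used when it is None.
    ctx = ssl.create_default_context(cafile=ca_file)
    if ssl_mode in ("prefer", "require"):
        # Encrypt only: no chain validation, no hostname check.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif ssl_mode == "verify-ca":
        # Chain must validate against the CA; hostname is not compared.
        ctx.check_hostname = False
    # verify-full keeps the defaults: CERT_REQUIRED plus hostname check.
    return ctx, ssl_mode == "prefer"

def audit(postgres_cfg):
    """List (block, finding) for every connection weaker than verify-full."""
    findings = []
    for block in ("native", "proxy"):
        mode = postgres_cfg.get(block, {}).get("ssl_mode")
        try:
            ctx, plaintext = tls_settings(mode)
        except ValueError as exc:
            findings.append((block, str(exc)))
            continue
        if plaintext:
            findings.append((block, "connection may be unencrypted"))
        elif ctx.verify_mode == ssl.CERT_NONE:
            findings.append((block, "server certificate is not verified"))
        elif not ctx.check_hostname:
            findings.append((block, "hostname is not checked against the certificate"))
    return findings

# Constructed sample: only ssl_mode is shown, other keys are omitted.
SAMPLE = {"native": {"ssl_mode": "prefer"}, "proxy": {"ssl_mode": "verify-ca"}}

if __name__ == "__main__":
    for block, finding in audit(SAMPLE):
        print(f"{block}: {finding}")
```

An empty result from audit means both connections use verify-full.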


Data Migration Flow

  1. The system connects to both the native and proxy databases.

  2. Data is read from the native DB.

  3. Encrypted data is written into the proxy DB.

Ensure that the proxy database schema is compatible, or is pre-created using the migration tool or application logic.
