pg_upgrade TDE options
These arguments to pg_upgrade help with upgrading encrypted clusters.
Option: --copy-by-block
Copies files to the new cluster block by block instead of the default, which is to copy the whole file at once. This option is the same as the default mode but slower. It does, however, support upgrades between clusters with different encryption settings.
You must use this option when upgrading between clusters with different encryption settings, that is, unencrypted to encrypted, encrypted to unencrypted, or both encrypted with different keys. While copying files to the new cluster, it decrypts them and reencrypts them with the keys and settings of the new cluster.
If the old cluster is encrypted and the new cluster was initialized as unencrypted, this option decrypts the data from the old cluster and copies it to the new cluster unencrypted. If the old cluster is unencrypted and the new cluster was initialized as encrypted, this option encrypts the data from the old cluster and places it into the new cluster encrypted.
See the description of the initdb --copy-key-from=<file> option for information on copying a key from an existing cluster when preparing a new cluster as a target for pg_upgrade.
See Tutorials for --copy-by-block usage examples.
Option: --key-unwrap-command=<command>
Specifies the command to unwrap (decrypt) the data encryption key and access the files to copy. It must be the same unwrap command you specified during the server initialization.
If you don't specify this option, pg_upgrade reads the environment variable PGDATAKEYUNWRAPCMD.