Ok, here’s what I did to encrypt my existing unencrypted postgres volume(s):
- Create a replica outside of my postgres primary region with
fly postgres create
andfly scale count
. If I actually want to finish with a replica in that region, then make it an encrypted replica. - Use these steps to change the primary region to the new region.
- Wait until
fly status
shows the new region as leader, and the original region as replica. - Delete the volume in the original region.
- Create an encrypted replica in the original region.
- Go through the instructions linked in step 2 again, this time to change the primary region to the original region.
- Wait until
fly status
shows the original region as leader, and the new region as replica. - Delete unencrypted replicas and create encrypted replicas as needed.