Revert "Add key management system" (978f869b99) & later commits

The patch needs test cases, reorganization, and cfbot testing.
Technically reverts commits 5c31afc49d..e35b2bad1a (exclusive/inclusive)
and 08db7c63f3..ccbe34139b.

Reported-by: Tom Lane, Michael Paquier

Discussion: https://postgr.es/m/E1ktAAG-0002V2-VB@gemulon.postgresql.org

13 files changed, 20 insertions, 479 deletions

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 4d6a0edd91d..4b60382778f 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1452,18 +1452,18 @@ include_dir 'conf.d'
         mechanism is used.
        </para>
        <para>
-        The command must print the passphrase to the standard output
-        and exit with code 0.  It can prompt from the terminal if
-        <option>--authprompt</option> is used.  In the parameter value,
-        <literal>%R</literal> represents the file descriptor number opened
-        to the terminal that started the server.  A file descriptor is only
-        available if enabled at server start.  If <literal>%R</literal>
-        is used and no file descriptor is available, the server will not
-        start.  Value <literal>%p</literal> is replaced by a pre-defined
-        prompt string.  (Write <literal>%%</literal> for a literal
-        <literal>%</literal>.)  Note that the prompt string will probably
-        contain whitespace, so be sure to quote its use adequately.
-        Newlines are stripped from the end of the output if present.
+        The command must print the passphrase to the standard output and exit
+        with code 0.  In the parameter value, <literal>%p</literal> is
+        replaced by a prompt string.  (Write <literal>%%</literal> for a
+        literal <literal>%</literal>.)  Note that the prompt string will
+        probably contain whitespace, so be sure to quote adequately.  A single
+        newline is stripped from the end of the output if present.
+       </para>
+       <para>
+        The command does not actually have to prompt the user for a
+        passphrase.  It can read it from a file, obtain it from a keychain
+        facility, or similar.  It is up to the user to make sure the chosen
+        mechanism is adequately secure.
        </para>
        <para>
         This parameter can only be set in the <filename>postgresql.conf</filename>
@@ -1486,12 +1486,10 @@ include_dir 'conf.d'
         parameter is off (the default), then
         <varname>ssl_passphrase_command</varname> will be ignored during a
         reload and the SSL configuration will not be reloaded if a passphrase
-        is needed.  This setting is appropriate for a command that requires a
-        terminal for prompting, which will likely not be available when the server is
-        running.  (<option>--authprompt</option> closes the terminal file
-        descriptor soon after server start.)   Setting this parameter on
-        might be appropriate, for example, if the passphrase is obtained
-        from a file.
+        is needed.  That setting is appropriate for a command that requires a
+        TTY for prompting, which might not be available when the server is
+        running.  Setting this parameter to on might be appropriate if the
+        passphrase is obtained from a file, for example.
        </para>
        <para>
         This parameter can only be set in the <filename>postgresql.conf</filename>
@@ -7818,52 +7816,6 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv;
     </variablelist>
    </sect1>
 
-   <sect1 id="runtime-config-encryption">
-    <title>Cluster File Encryption</title>
-
-    <variablelist>
-     <varlistentry id="guc-cluster-key-command" xreflabel="cluster_key_command">
-      <term><varname>cluster_key_command</varname> (<type>string</type>)
-      <indexterm>
-       <primary><varname>cluster_key_command</varname> configuration parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This option specifies an external command to obtain the cluster-level
-        key for cluster file encryption during server initialization and
-        server start.
-       </para>
-       <para>
-        The command must print the cluster key to the standard output as
-        64 hexadecimal characters, and exit with code 0.  The command
-        can prompt for the passphrase or PIN from the terminal if
-        <option>--authprompt</option> is used.  In the parameter value,
-        <literal>%R</literal> represents the file descriptor number opened
-        to the terminal that started the server.  A file descriptor is only
-        available if enabled at server start.  If <literal>%R</literal>
-        is used and no file descriptor is available, the server will not
-        start.  Value <literal>%p</literal> is replaced by a pre-defined
-        prompt string.  Value <literal>%d</literal> is replaced by the
-        directory containing the keys;  this is useful if the command
-        must create files with the keys, e.g., to store a cluster-level
-        key encryped by a key stored in a hardware security module.
-        (Write <literal>%%</literal> for a literal <literal>%</literal>.)
-        Note that the prompt string will probably contain whitespace,
-        so be sure to quote its use adequately.  Newlines are stripped
-        from the end of the output if present.
-       </para>
-       <para>
-        This parameter can only be set by
-        <application>initdb</application>, in the
-        <filename>postgresql.conf</filename> file, or on the server
-        command line.
-       </para>
-      </listitem>
-     </varlistentry>
-    </variablelist>
-   </sect1>
-
    <sect1 id="runtime-config-client">
     <title>Client Connection Defaults</title>
 
@@ -9685,22 +9637,6 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir'
       </listitem>
      </varlistentry>
 
-     <varlistentry id="guc-file-encryption-keylen" xreflabel="file_encryption_keylen">
-      <term><varname>file_encryption_keylen</varname> (<type>boolean</type>)
-      <indexterm>
-       <primary>Cluster file encryption key length</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Reports the bit length of the cluster file
-        encryption key, or zero if disabled.  See <xref
-        linkend="app-initdb-cluster-key-command"/> for more
-        information.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry id="guc-data-directory-mode" xreflabel="data_directory_mode">
       <term><varname>data_directory_mode</varname> (<type>integer</type>)
       <indexterm>
diff --git a/doc/src/sgml/database-encryption.sgml b/doc/src/sgml/database-encryption.sgml
deleted file mode 100644
index 82bc137a61f..00000000000
--- a/doc/src/sgml/database-encryption.sgml
+++ /dev/null
@@ -1,97 +0,0 @@
-<!-- doc/src/sgml/database-encryption.sgml -->
-
-<chapter id="database-file-encryption">
- <title>Cluster File Encryption</title>
-
- <indexterm zone="database-file-encryption">
-  <primary>Cluster File Encryption</primary>
- </indexterm>
-
- <para>
-  The purpose of cluster file encryption is to prevent users with read
-  access to the directories used to store database files and write-ahead
-  log from being able to access the data stored in those files.
-  For example, when using cluster file encryption, users who have read
-  access to the cluster directories for backup purposes will not be able
-  to decrypt the data stored in these files.
- </para>
-
- <para>
-  Cluster file encryption uses two levels of encryption.  The first level
-  is data encryption keys, specifically keys zero and one.  Key zero is
-  the key used to encrypt database heap and index files which are stored in
-  the file system, plus temporary files created during database operation.
-  Key one is used to encrypt write-ahead log (WAL) files.  Two different
-  keys are used so that primary and standby servers can use different zero
-  (heap/index/temp) keys, but the same one (WAL) key, so that these keys
-  can eventually be rotated by switching the primary to the standby
-  and then changing the WAL key.
- </para>
-
- <para>
-  The second level of encryption is a key used to encrypt first-level
-  keys.  This type of key is often referred to as a Key Encryption Key
-  (<acronym>KEK</acronym>).  This key is <emphasis>not</emphasis> stored
-  in the file system, but provided at <command>initdb</command> time and
-  each time the server is started.  This key prevents anyone with access
-  to the database directories from decrypting the data because they do
-  not know the second-level key which encrypted the first-level keys
-  which encrypted the database cluster files.
- </para>
-
- <sect1 id="encryption-file-encryption">
-  <title>Initialization</title>
-
-  <para>
-   Cluster file encryption is enabled when
-   <productname>PostgreSQL</productname> is built
-   with <literal>--with-openssl</literal> and <xref
-   linkend="app-initdb-cluster-key-command"/> is specified
-   during <command>initdb</command>.  The cluster key
-   provided by the <option>--cluster-key-command</option>
-   option during <command>initdb</command> and the one generated
-   by <xref linkend="guc-cluster-key-command"/> in the
-   <filename>postgresql.conf</filename> must match for the database
-   cluster to start. Note that the cluster key command
-   passed to <command>initdb</command> must return a key of
-   64 hexadecimal characters. For example.
-<programlisting>
-initdb -D dbname --cluster-key-command='ckey_passphrase.sh'
-</programlisting>
-  </para>
- </sect1>
-
- <sect1 id="key-encryption-key">
-  <title>Internals</title>
-
-  <para>
-   During the <command>initdb</command> process, if
-   <option>--cluster-key-command</option> is specified, two data-level
-   encryption keys are created.   These two keys are then encrypted with
-   the key encryption key (KEK) supplied by the cluster key command before
-   being stored in the database directory.  The key or passphrase that
-   derives the key must be supplied from the terminal or stored in a
-   trusted key store, such as key vault software, hardware security module.
-  </para>
-
-  <para>
-   If the <productname>PostgreSQL</productname> server has
-   been initialized to require a cluster key, each time the
-   server starts the <filename>postgresql.conf</filename>
-   <varname>cluster_key_command</varname> command will be executed
-   and the cluster key retrieved.  The data encryption keys in the
-   <filename>pg_cryptokeys</filename> directory will then be decrypted
-   using the supplied key and integrity-checked to ensure it
-   matches the initdb-supplied key.  If this check fails, the
-   server will refuse to start.
-  </para>
-
-  <para>
-   The data encryption keys are randomly generated and are 128, 192,
-   or 256-bits in length.  They are encrypted by the key encryption key
-   (KEK) using Advanced Encryption Standard (<acronym>AES256</acronym>)
-   encryption in Galois/Counter Mode (<acronym>GCM</acronym>), which also
-   provides KEK authentication.
-  </para>
- </sect1>
-</chapter>
diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml
index b96f4ace6cf..38e8aa0bbf9 100644
--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -49,7 +49,6 @@
 <!ENTITY wal           SYSTEM "wal.sgml">
 <!ENTITY logical-replication    SYSTEM "logical-replication.sgml">
 <!ENTITY jit    SYSTEM "jit.sgml">
-<!ENTITY database-encryption SYSTEM "database-encryption.sgml">
 
 <!-- programmer's guide -->
 <!ENTITY bgworker   SYSTEM "bgworker.sgml">
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index bcc80240498..0ac1cb99999 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -976,9 +976,8 @@ build-postgresql:
        <listitem>
         <para>
          Build with support for <acronym>SSL</acronym> (encrypted)
-         connections and cluster file encryption. This requires the
-         <productname>OpenSSL</productname> package to be installed.
-         <filename>configure</filename> will check
+         connections. This requires the <productname>OpenSSL</productname>
+         package to be installed.  <filename>configure</filename> will check
          for the required header files and libraries to make sure that
          your <productname>OpenSSL</productname> installation is sufficient
          before proceeding.
diff --git a/doc/src/sgml/postgres.sgml b/doc/src/sgml/postgres.sgml
index 0ea7da604b3..730d5fdc348 100644
--- a/doc/src/sgml/postgres.sgml
+++ b/doc/src/sgml/postgres.sgml
@@ -171,7 +171,6 @@ break is not needed in a wider output rendering.
   &wal;
   &logical-replication;
   &jit;
-  &database-encryption;
   &regress;
 
  </part>
diff --git a/doc/src/sgml/ref/allfiles.sgml b/doc/src/sgml/ref/allfiles.sgml
index 4e9504e11b6..0f0064150c4 100644
--- a/doc/src/sgml/ref/allfiles.sgml
+++ b/doc/src/sgml/ref/allfiles.sgml
@@ -189,7 +189,6 @@ Complete list of usable sgml source files in this directory.
 <!ENTITY values             SYSTEM "values.sgml">
 
 <!-- applications and utilities -->
-<!ENTITY pgalterckey        SYSTEM "pg_alterckey.sgml">
 <!ENTITY clusterdb          SYSTEM "clusterdb.sgml">
 <!ENTITY createdb           SYSTEM "createdb.sgml">
 <!ENTITY createuser         SYSTEM "createuser.sgml">
@@ -216,7 +215,7 @@ Complete list of usable sgml source files in this directory.
 <!ENTITY pgtestfsync        SYSTEM "pgtestfsync.sgml">
 <!ENTITY pgtesttiming       SYSTEM "pgtesttiming.sgml">
 <!ENTITY pgupgrade          SYSTEM "pgupgrade.sgml">
-<!ENTITY pgwaldump          SYSTEM "pg_waldump.sgml">
+<!ENTITY pgwaldump         SYSTEM "pg_waldump.sgml">
 <!ENTITY postgres           SYSTEM "postgres-ref.sgml">
 <!ENTITY postmaster         SYSTEM "postmaster.sgml">
 <!ENTITY psqlRef            SYSTEM "psql-ref.sgml">
diff --git a/doc/src/sgml/ref/initdb.sgml b/doc/src/sgml/ref/initdb.sgml
index d994f407faa..385ac251506 100644
--- a/doc/src/sgml/ref/initdb.sgml
+++ b/doc/src/sgml/ref/initdb.sgml
@@ -163,17 +163,6 @@ PostgreSQL documentation
       </listitem>
      </varlistentry>
 
-     <varlistentry id="app-initdb-cluster-key-command" xreflabel="cluster key command">
-      <term><option>--cluster-key-command=<replaceable class="parameter">command</replaceable></option></term>
-      <listitem>
-       <para>
-        This option specifies an external command to obtain the cluster-level
-        key for cluster file encryption during server initialization and
-        server start;  see <xref linkend="guc-cluster-key-command"/> for details.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry>
       <term><option>-D <replaceable class="parameter">directory</replaceable></option></term>
       <term><option>--pgdata=<replaceable class="parameter">directory</replaceable></option></term>
@@ -234,18 +223,6 @@ PostgreSQL documentation
       </listitem>
      </varlistentry>
 
-     <varlistentry id="app-initdb-file-encryption-keylen"
-      xreflabel="file encryption">
-      <term><option>-K <replaceable class="parameter">length</replaceable></option></term>
-      <term><option>--file-encryption-keylen=<replaceable class="parameter">length</replaceable></option></term>
-      <listitem>
-       <para>
-        Specifies the number of bits for the file encryption keys.  The
-        default is 128 bits.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry>
       <term><option>--locale=<replaceable>locale</replaceable></option></term>
       <listitem>
@@ -309,17 +286,6 @@ PostgreSQL documentation
      </varlistentry>
 
      <varlistentry>
-      <term><option>-R</option></term>
-      <term><option>--authprompt</option></term>
-      <listitem>
-       <para>
-        Allows the <option>--cluster-key-command</option> command
-        to prompt for a passphrase or PIN.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
       <term><option>-S</option></term>
       <term><option>--sync-only</option></term>
       <listitem>
@@ -342,18 +308,6 @@ PostgreSQL documentation
      </varlistentry>
 
      <varlistentry>
-      <term><option>-u <replaceable>datadir</replaceable></option></term>
-      <term><option>--copy-encryption-keys=<replaceable>datadir</replaceable></option></term>
-      <listitem>
-       <para>
-        Copies cluster file encryption keys from another cluster; required
-        when using <application>pg_upgrade</application> on a cluster
-        with cluster file encryption enabled.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
       <term><option>-U <replaceable class="parameter">username</replaceable></option></term>
       <term><option>--username=<replaceable class="parameter">username</replaceable></option></term>
       <listitem>
diff --git a/doc/src/sgml/ref/pg_alterckey.sgml b/doc/src/sgml/ref/pg_alterckey.sgml
deleted file mode 100644
index f80946dcc6d..00000000000
--- a/doc/src/sgml/ref/pg_alterckey.sgml
+++ /dev/null
@@ -1,197 +0,0 @@
-<!--
-doc/src/sgml/ref/pg_alterckey.sgml
-PostgreSQL documentation
--->
-
-<refentry id="app-pg_alterckey">
- <indexterm zone="app-pg_alterckey">
-  <primary>pg_alterckey</primary>
- </indexterm>
-
- <refmeta>
-  <refentrytitle><application>pg_alterckey</application></refentrytitle>
-  <manvolnum>1</manvolnum>
-  <refmiscinfo>Application</refmiscinfo>
- </refmeta>
-
- <refnamediv>
-  <refname>pg_alterckey</refname>
-  <refpurpose>alter the <productname>PostgreSQL</productname> cluster key</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
-  <cmdsynopsis>
-   <command>pg_alterckey</command>
-
-   <group choice="plain">
-    <arg choice="plain"><option>-R</option></arg>
-    <arg choice="plain"><option>--authprompt</option></arg>
-   </group>
-
-   <arg choice="plain">
-    <replaceable class="parameter">old_cluster_key_command</replaceable>
-    <replaceable class="parameter">new_cluster_key_command</replaceable>
-   </arg>
-
-   <arg choice="opt">
-    <group choice="plain">
-     <arg choice="plain"><option>-D</option></arg>
-     <arg choice="plain"><option>--pgdata</option></arg>
-    </group>
-    <replaceable class="parameter">datadir</replaceable>
-   </arg>
-
-  </cmdsynopsis>
-
-  <cmdsynopsis>
-   <command>pg_alterckey</command>
-
-   <group choice="opt">
-    <arg choice="plain"><option>-R</option></arg>
-    <arg choice="plain"><option>--authprompt</option></arg>
-   </group>
-
-   <group choice="plain">
-    <arg choice="plain"><option>-r</option></arg>
-    <arg choice="plain"><option>--repair</option></arg>
-   </group>
-
-   <arg choice="opt">
-    <group choice="opt">
-     <arg choice="plain"><option>-D</option></arg>
-     <arg choice="plain"><option>--pgdata</option></arg>
-    </group>
-    <replaceable class="parameter">datadir</replaceable>
-   </arg>
-
-  </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="r1-app-pg_alterckey-1">
-  <title>Description</title>
-  <para>
-   <command>pg_alterckey</command> alters the cluster key used
-   for cluster file encryption.  The cluster key is initially set
-   during <xref linkend="app-initdb"/>.  The command can be run while the
-   server is running or stopped.  The new password must be used the next
-   time the server is started.
-  </para>
-
-  <para>
-   Technically, <command>pg_alterckey</command> changes the key
-   encryption key (<acronym>KEK</acronym>) which encrypts the data
-   encryption keys;  it does not change the data encryption keys.  It does
-   this by decrypting each data encryption key using the <replaceable
-   class="parameter">old_cluster_key_command</replaceable>,
-   re-encrypting it using the <replaceable
-   class="parameter">new_cluster_key_command</replaceable>, and
-   then writes the result back to the cluster directory.
-  </para>
-
-  <para>
-   See the <xref linkend="app-initdb"/> documentation for how to define
-   the old and new passphrase commands.  You can use different executables
-   for these commands, or you can use the same executable with different
-   arguments to specify retrieval of the old or new key.
-  </para>
-
-  <para>
-   When started, <command>pg_alterckey</command> repairs any files that
-   remain from previous <command>pg_alterckey</command> failures before
-   altering the cluster key.  To perform only the repair task,
-   use the <option>--repair</option> option.  The server will not start
-   if repair is needed, though a running server is unaffected by an
-   unrepaired cluster key configuration.
-  </para>
-
-  <para>
-   You can specify the data directory on the command line, or use
-   the environment variable <envar>PGDATA</envar>.
-  </para>
- </refsect1>
-
- <refsect1>
-  <title>Options</title>
-
-   <para>
-    <variablelist>
-     <varlistentry>
-      <term><option>-R</option></term>
-      <term><option>--authprompt</option></term>
-      <listitem>
-       <para>
-        Allows the <option>old_cluster_key_command</option> and
-        <option>new_cluster_key_command</option> commands
-        to prompt for a passphrase or PIN.
-       </para>
-      </listitem>
-     </varlistentry>
-    </variablelist>
-   </para>
-
-   <para>
-    Other options:
-
-    <variablelist>
-     <varlistentry>
-       <term><option>-V</option></term>
-       <term><option>--version</option></term>
-       <listitem>
-       <para>
-       Print the <application>pg_alterckey</application> version and exit.
-       </para>
-       </listitem>
-     </varlistentry>
-
-     <varlistentry>
-       <term><option>-?</option></term>
-       <term><option>--help</option></term>
-       <listitem>
-       <para>
-       Show help about <application>pg_alterckey</application> command line
-       arguments, and exit.
-       </para>
-       </listitem>
-     </varlistentry>
-
-    </variablelist>
-   </para>
-
- </refsect1>
-
- <refsect1>
-  <title>Environment</title>
-
-  <variablelist>
-   <varlistentry>
-    <term><envar>PGDATA</envar></term>
-
-    <listitem>
-     <para>
-      Default data directory location
-     </para>
-    </listitem>
-   </varlistentry>
-
-   <varlistentry>
-    <term><envar>PG_COLOR</envar></term>
-    <listitem>
-     <para>
-      Specifies whether to use color in diagnostic messages. Possible values
-      are <literal>always</literal>, <literal>auto</literal> and
-      <literal>never</literal>.
-     </para>
-    </listitem>
-   </varlistentry>
-  </variablelist>
- </refsect1>
-
- <refsect1>
-  <title>See Also</title>
-
-  <simplelist type="inline">
-   <member><xref linkend="app-initdb"/></member>
-  </simplelist>
- </refsect1>
-
-</refentry>
diff --git a/doc/src/sgml/ref/pg_ctl-ref.sgml b/doc/src/sgml/ref/pg_ctl-ref.sgml
index 0662ae051a3..3946fa52eab 100644
--- a/doc/src/sgml/ref/pg_ctl-ref.sgml
+++ b/doc/src/sgml/ref/pg_ctl-ref.sgml
@@ -38,7 +38,6 @@ PostgreSQL documentation
    <arg choice="opt"><option>-s</option></arg>
    <arg choice="opt"><option>-o</option> <replaceable>options</replaceable></arg>
    <arg choice="opt"><option>-p</option> <replaceable>path</replaceable></arg>
-   <arg choice="opt"><option>-R</option></arg>
    <arg choice="opt"><option>-c</option></arg>
   </cmdsynopsis>
 
@@ -73,7 +72,6 @@ PostgreSQL documentation
    <arg choice="opt"><option>-t</option> <replaceable>seconds</replaceable></arg>
    <arg choice="opt"><option>-s</option></arg>
    <arg choice="opt"><option>-o</option> <replaceable>options</replaceable></arg>
-   <arg choice="opt"><option>-R</option></arg>
    <arg choice="opt"><option>-c</option></arg>
   </cmdsynopsis>
 
@@ -376,18 +374,6 @@ PostgreSQL documentation
      </varlistentry>
 
      <varlistentry>
-      <term><option>-R</option></term>
-      <term><option>--authprompt</option></term>
-      <listitem>
-       <para>
-        Allows <option>ssl_passphrase_command</option> or
-        <option>cluster_key_command</option> to prompt for a passphrase
-        or PIN.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
       <term><option>-s</option></term>
       <term><option>--silent</option></term>
       <listitem>
diff --git a/doc/src/sgml/ref/pgupgrade.sgml b/doc/src/sgml/ref/pgupgrade.sgml
index b1bcdb77a30..92e1d09a55c 100644
--- a/doc/src/sgml/ref/pgupgrade.sgml
+++ b/doc/src/sgml/ref/pgupgrade.sgml
@@ -168,15 +168,6 @@ PostgreSQL documentation
      </varlistentry>
 
      <varlistentry>
-      <term><option>-R</option></term>
-      <term><option>--authprompt</option></term>
-      <listitem><para>allows <option>ssl_passphrase_command</option> or
-      <option>cluster_key_command</option> to prompt for a passphrase
-      or PIN.
-      </para></listitem>
-     </varlistentry>
-
-     <varlistentry>
       <term><option>-s</option> <replaceable>dir</replaceable></term>
       <term><option>--socketdir=</option><replaceable>dir</replaceable></term>
       <listitem><para>directory to use for postmaster sockets during upgrade;
@@ -318,9 +309,7 @@ make prefix=/usr/local/pgsql.new install
      Again, use compatible <command>initdb</command>
      flags that match the old cluster. Many
      prebuilt installers do this step automatically. There is no need to
-     start the new cluster.  If upgrading a cluster that uses
-     cluster file encryption, the <command>initdb</command> option
-     <option>--copy-encryption-keys</option> must be specified.
+     start the new cluster.
     </para>
    </step>
 
@@ -849,13 +838,6 @@ psql --username=postgres --file=script.sql postgres
    is down.
   </para>
 
-  <para>
-   If the old cluster uses file encryption, the new cluster must use
-   the same keys, so <command>pg_upgrade</command> copies them to the
-   new cluster.  It is necessary to initialize the new cluster with
-   the same <varname>cluster_key_command</varname> and the same
-   file encryption key length.
-  </para>
  </refsect1>
 
  <refsect1>
diff --git a/doc/src/sgml/ref/postgres-ref.sgml b/doc/src/sgml/ref/postgres-ref.sgml
index 805da81e073..4aaa7abe1a2 100644
--- a/doc/src/sgml/ref/postgres-ref.sgml
+++ b/doc/src/sgml/ref/postgres-ref.sgml
@@ -298,19 +298,6 @@ PostgreSQL documentation
      </varlistentry>
 
      <varlistentry>
-      <term><option>-R <replaceable class="parameter">file-descriptor</replaceable></option></term>
-      <listitem>
-       <para>
-        Makes <command>postgres</command> prompt for a passphrase or PIN
-        from the specified open numeric file descriptor.  The descriptor
-        is closed after the key is read.  The file descriptor number
-        <literal>-1</literal> duplicates standard error for the terminal;
-        this is useful for single-user mode.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
       <term><option>-s</option></term>
       <listitem>
        <para>
diff --git a/doc/src/sgml/reference.sgml b/doc/src/sgml/reference.sgml
index fdb4e65144b..dd2bddab8c4 100644
--- a/doc/src/sgml/reference.sgml
+++ b/doc/src/sgml/reference.sgml
@@ -240,7 +240,6 @@
    </para>
   </partintro>
 
-   &pgalterckey;
    &clusterdb;
    &createdb;
    &createuser;
diff --git a/doc/src/sgml/storage.sgml b/doc/src/sgml/storage.sgml
index cdbc214a510..3234adb639f 100644
--- a/doc/src/sgml/storage.sgml
+++ b/doc/src/sgml/storage.sgml
@@ -78,11 +78,6 @@ Item
 </row>
 
 <row>
- <entry><filename>pg_cryptokeys</filename></entry>
- <entry>Subdirectory containing file encryption keys</entry>
-</row>
-
-<row>
  <entry><filename>pg_dynshmem</filename></entry>
  <entry>Subdirectory containing files used by the dynamic shared memory
   subsystem</entry>