Postgres allows client-side SSL requests to use secret keys on hardware tokens via OpenSSL engine support. Is there an equivalent way to store the server key on a hardware token.
Similarly, is it possible to specify private keys on a hardware token for replication connections? Does the sslkey parameter of the primary_conninfo string in the recovery.conf file accept an OpenSSL Engine token key?
While I haven't tested it and haven't heard of anybody else who has, it should work. From a libpq perspective ,the replication standby is "just another client", so any parameters that work for libpq should work there.