Our recommendation is that both primary and standby are encrypted. However, running
with an encrypted primary and a non-encrypted standby is supported, but only for enabling
Native encryption in existing setup without complete outage.(i.e. Online implementation)
It’s not intended to be a long term solution.
if we enforced that both primary and standby had to be encrypted, you would not be able to
use this online method of enabling encryption. You’d have to shutdown both primary and
standby (whole system offline), enable encryption, and then bring the system back up.
In general it will work, but there may be edge cases come up that run into trouble, such as
if the standby need to read an archived transaction log file (not a shipped replay log)
that is encrypted, but it does not have access to the keystore.
Also practically we need to keep both Primary and standby as Encrypted to maintain security.