I will look more closely at keydb (thanks for the heads-up) but will that work with encrypted media? My understanding was that another rtpengine could not reliably take over an encrypted session as there is no mechanism for sharing the DTLS handshake/connection.

DTLS is indeed a problem as the state of a DTLS connection cannot be serialised and restored after a restart or on a different node. The SRTP flow itself should be able to be restored or migrated to another node, as the SRTP keys are extracted from the DTLS connection after the handshake completes, and so the DTLS connection itself isn't required to be intact for SRTP to flow. However, if the remote peer decides to do subsequent DTLS handshakes or a rekeying etc, then things would start breaking. What exactly would happen in such a case is probably implementation dependent.

Cheers