Working with encrypted WAL files
When TDE is enabled, WAL files are encrypted. Any operation on an encrypted WAL file must first be able to decrypt it, so you need to give the operation access to the data encryption key.
When troubleshooting with encrypted WAL files, you supply this information through the WAL command's options.
Dumping a TDE-encrypted WAL file
To work with an encrypted WAL file, you need to ensure that the pg_waldump utility can unwrap the data encryption key and decrypt the file. For this purpose, the utility needs three values. Pass these values to the pg_waldump command using the following options. Be sure to use the same values you used when initializing the TDE-enabled cluster.
--data-encryption
Specify this option if the WAL files were encrypted by transparent data encryption. The --data-encryption (or -y) option makes the command aware of the encryption. Otherwise, pg_waldump can't detect whether WAL files are encrypted.
Provide the same encryption configuration you used when initializing the TDE-enabled database cluster. For example, if you specified an AES key length during cluster creation, you must specify it here as well. Otherwise, pass the option without a value. See Using initdb TDE options for more information.
--key-file-name=<file>
Use the --key-file-name=<file> option to reference the file that contains the data encryption key required to decrypt the WAL file. Provide the location of the pg_encryption/key.bin file. This file is generated when you initialize a cluster with encryption enabled. The command can then load the data encryption key from the provided location.
--key-unwrap-command=<command>
For the --key-unwrap-command=<command> option, provide the decryption command you specified to unwrap (decrypt) the data encryption key when initializing the TDE cluster. See Using initdb TDE options for more information.
Alternatively, you can set the PGDATAKEYUNWRAPCMD environment variable before running the pg_waldump command. If the --key-unwrap-command=<command> option isn't specified, pg_waldump falls back to PGDATAKEYUNWRAPCMD. This cluster initialization example shows how to export an environment variable.
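The following shell wrapper is an added example, not code from the page or from EDB: it runs pg_waldump on one encrypted WAL segment with the three options above, resolves the unwrap command the same way pg_waldump does (an explicit --key-unwrap-command wins, PGDATAKEYUNWRAPCMD is the fallback), and fails early when the key file or unwrap command is missing. The data directory path, the openssl unwrap command, the %p key-file placeholder and the CHANGEME passphrase in the usage comment are assumptions that must match what the cluster was initialized with.

```shell
#!/bin/sh
# Added example, not from the page: run pg_waldump on a TDE-encrypted WAL
# segment, choosing the unwrap command the way pg_waldump does (explicit
# --key-unwrap-command first, PGDATAKEYUNWRAPCMD as fallback) and failing
# early when a required input is missing.
# PGWALDUMP names the binary to run; override it (e.g. with "echo") for a dry run.
set -u
: "${PGWALDUMP:=pg_waldump}"

# Usage: dump_encrypted_wal <PGDATA> <wal-segment-name> [unwrap-command]
# Returns 2 if the key file is unreadable, 3 if no unwrap command is available.
dump_encrypted_wal() {
    pgdata=$1
    segment=$2
    unwrap_cmd=${3:-${PGDATAKEYUNWRAPCMD:-}}
    keyfile="$pgdata/pg_encryption/key.bin"   # written by initdb when TDE is enabled

    if [ ! -r "$keyfile" ]; then
        echo "key file not readable: $keyfile" >&2
        return 2
    fi
    if [ -z "$unwrap_cmd" ]; then
        echo "no unwrap command given and PGDATAKEYUNWRAPCMD is unset" >&2
        return 3
    fi

    # --data-encryption tells pg_waldump the segment is encrypted (it cannot
    # detect that itself); the key file plus the unwrap command let it recover
    # the data encryption key before it decodes any records.
    "$PGWALDUMP" --data-encryption \
        --key-file-name="$keyfile" \
        --key-unwrap-command="$unwrap_cmd" \
        "$pgdata/pg_wal/$segment"
}

# Typical call (assumptions: the cluster was initialized with a matching
# openssl --key-wrap-command, %p is the key-file placeholder expanded by
# the TDE tooling, and CHANGEME stands in for the real passphrase):
#   dump_encrypted_wal /var/lib/edb/as16/data 000000010000000000000001 \
#       'openssl enc -d -aes-128-cbc -pass pass:CHANGEME -in %p'
```

Setting PGWALDUMP=echo before calling the function prints the exact command line that would be run, which is a convenient way to confirm the options match the values used at initdb time before touching a real cluster.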
Example
This example uses pg_waldump to display the WAL log of an encrypted cluster that uses openssl to wrap the data encryption key: