Troubleshooting with encrypted WAL files
You can encrypt WAL files. When troubleshooting with encrypted WAL falls, you can use WAL command options.
Dumping a TDE-encrypted WAL file
To work with an encrypted WAL file, the pg_waldump needs to be aware of the unwrap key. You can either pass the key for the unwrap command using the following options to the pg_waldump
command or depend on the fallback environment variable:
--data-encryption
Consider the WAL files to encrypt, and decrypt them before processing them. You must specify this option if the WAL files were encrypted by transparent data encryption. pg_waldump
can't automatically detect whether WAL files are encrypted. Optionally specify an AES key length. Valide values are 128 and 256. The default is 128.
--key-file-name=<file>
Load the data encryption key from the given location.
--key-unwrap-command=<command>
Specifies a command to unwrap (decrypt) the data encryption key. The command must include a placeholder %p
that specifies the file to read the wrapped key from. The command needs to write the unwrapped key to its standard output. If you don't specify this option, the environment variable PGDATAKEYUNWRAPCMD
is used.
Use the special value -
if you don't want to apply any key unwrapping command.
You must specify this option or the environment variable fallback if you're using data encryption. See Securing the data encryption key for more information.
Resetting a corrupt TDE-encrypted WAL file
To reset a corrupt encrypted WAL file, the pg_resetwal command needs to be aware of the unwrap key. You can either pass the key for the unwrap command using the following option to the pg_resetwal
command or depend on the fallback environment variable:
--key-unwrap-command=<command>
Specifies a command to unwrap (decrypt) the data encryption key. The command must include a placeholder %p
that specifies the file to read the wrapped key from. The command needs to write the unwrapped key to its standard output. If you don't specify this option, the environment variable PGDATAKEYUNWRAPCMD
is used.
Use the special value -
if you don't want to apply any key unwrapping command.
You must specify this option or the environment variable fallback if you're using data encryption. See Securing the data encryption key for more information.