Working with encrypted WAL files

When TDE is enabled, WAL files are encrypted. If you want to perform operations on the encrypted WAL files, you need to allow the operations to decrypt the file.

When troubleshooting with encrypted WAL files, you can use WAL command options.

Dumping a TDE-encrypted WAL file

To work with an encrypted WAL file, you need to ensure the pg_waldump utility can access the unwrap key and decrypt it. For this purpose, the utility requires awareness of three values.

Pass these values using the following options to the pg_waldump command. Be sure to use the same values you used when initializing the TDE-enabled cluster.

--data-encryption

Specify this option if the WAL files were encrypted by transparent data encryption.

The --data-encryption or -y option ensures the command is aware of the encryption. Otherwise, pg_waldump can't detect whether WAL files are encrypted.

Provide the same encryption configuration you used when initializing the TDE-enabled database cluster. For example, if you specified an AES key length during the cluster creation, you must specify it here as well. Otherwise, run the flag with no values. See Using initdb TDE options for more information.

--key-file-name=<file>

Use the --key-file-name=<file> option to reference the file that contains the data encryption key required to decrypt the WAL file. Provide the location of the pg_encryption/key.bin file. This file is generated when you initialize a cluster with encryption enabled.

The command can then load the data encryption key from the provided location.

--key-unwrap-command=<command>

For the --key-unwrap-command=<command> option, provide the decryption command you specified to unwrap (decrypt) the data encryption key when initializing the TDE cluster. See Using initdb TDE options for more information.

Alternatively, you can set the PGDATAKEYUNWRAPCMD environment variable before running the pg_waldump command. If the --key-unwrap-command=<command> option isn't specified,pg_waldump falls back on PGDATAKEYUNWRAPCMD. This cluster initialization example shows how to export an environment variable.

Example

This example uses pg_waldump to display the WAL log of an encrypted cluster that uses openssl to wrap the data encryption key:

pg_waldump --data-encryption --key-file-name=pg_encryption/key.bin \
  --key-unwrap-command='openssl enc -d -aes-128-cbc -pbkdf2 -pass pass:<passphrase> -in "%p"'

Resetting a corrupt TDE-encrypted WAL file

To reset a corrupt encrypted WAL file, you must ensure the pg_resetwal command can access the unwrap key and decrypt it. You can either pass the key for the unwrap command using the following option to the pg_resetwal command or depend on the fallback environment variable.

--key-unwrap-command=<command>

For the --key-unwrap-command=<command> option, provide the decryption command you specified to unwrap (decrypt) the data encryption key when initializing the TDE cluster. See Using initdb TDE options for more information.

Alternatively, you can set the PGDATAKEYUNWRAPCMD environment variable before running the pg_resetwal command. If the --key-unwrap-command=<command> option isn't specified, pg_resetwal falls back on PGDATAKEYUNWRAPCMD. This cluster initialization example shows how to export an environment variable.

Example

This example uses pg_resetwal to reset a corrupt encrypted WAL log of an encrypted cluster that uses openssl to wrap the data encryption key:

pg_resetwal --key-unwrap-command='openssl enc -d -aes-128-cbc -pbkdf2 -pass pass:<passphrase> -in" "%p"'