Troubleshooting with encrypted WAL files

You can encrypt WAL files. When troubleshooting with encrypted WAL files, you can use the WAL command options described here to give pg_waldump and pg_resetwal access to the data encryption key.

Dumping a TDE-encrypted WAL file

To work with an encrypted WAL file, the pg_waldump command needs to be aware of the unwrap key. You can either pass the unwrap command using the following options to the pg_waldump command or rely on the fallback environment variable:

--data-encryption[=<key-length>]

Treat the WAL files as encrypted, and decrypt them before processing them. You must specify this option if the WAL files were encrypted by transparent data encryption, because pg_waldump can't automatically detect whether WAL files are encrypted. Optionally, specify an AES key length. Valid values are 128 and 256. The default is 128.

--key-file-name=<file>

Load the data encryption key from the given location.

--key-unwrap-command=<command>

Specifies a command to unwrap (decrypt) the data encryption key. The command must include a placeholder %p that specifies the file to read the wrapped key from. The command needs to write the unwrapped key to its standard output. If you don't specify this option, the environment variable PGDATAKEYUNWRAPCMD is used.

Use the special value - if you don't want to apply any key unwrapping command.

You must specify this option or the environment variable fallback if you're using data encryption. See Securing the data encryption key for more information.

Resetting a corrupt TDE-encrypted WAL file

To reset a corrupt encrypted WAL file, the pg_resetwal command needs to be aware of the unwrap key. You can either pass the unwrap command using the following option to the pg_resetwal command or rely on the fallback environment variable:

--key-unwrap-command=<command>

Specifies a command to unwrap (decrypt) the data encryption key. The command must include a placeholder %p that specifies the file to read the wrapped key from. The command needs to write the unwrapped key to its standard output. If you don't specify this option, the environment variable PGDATAKEYUNWRAPCMD is used.

Use the special value - if you don't want to apply any key unwrapping command.

You must specify this option or the environment variable fallback if you're using data encryption. See Securing the data encryption key for more information.
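The following wrapper is an added example, not part of the EDB documentation or of the pg_waldump and pg_resetwal tools themselves. It encodes the unwrap-key contract that both the pg_waldump and pg_resetwal sections above describe: an explicit --key-unwrap-command wins, otherwise PGDATAKEYUNWRAPCMD is the fallback; the special value - disables unwrapping; any other command must contain the %p placeholder, which is replaced with the path of the wrapped key file; and --data-encryption is mandatory for pg_waldump because it can't detect encryption on its own. It assumes both binaries are on PATH; the function names and the /path/to/... values are hypothetical, and the page doesn't show the syntax for the optional key length, so the default of 128 is used.

```shell
#!/bin/sh
# Added example (not EDB's code): a POSIX sh wrapper that checks the
# key-unwrap options before calling pg_waldump or pg_resetwal on TDE WAL.
# Assumed: pg_waldump and pg_resetwal are on PATH; function names are hypothetical.

# Placeholder that the unwrap command must contain; the tool replaces it
# with the path of the file holding the wrapped data encryption key.
PLACEHOLDER='%p'

# Pick the unwrap command: an explicit --key-unwrap-command value wins,
# otherwise fall back to PGDATAKEYUNWRAPCMD, as the tools themselves do.
resolve_unwrap_command() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "${PGDATAKEYUNWRAPCMD:-}" ]; then
        printf '%s\n' "$PGDATAKEYUNWRAPCMD"
    else
        echo "error: no --key-unwrap-command given and PGDATAKEYUNWRAPCMD is unset" >&2
        return 1
    fi
}

# "-" means "do not unwrap"; anything else must carry the %p placeholder,
# otherwise the tool has no way to hand the wrapped-key path to the command.
validate_unwrap_command() {
    case "$1" in
        -)                return 0 ;;
        *"$PLACEHOLDER"*) return 0 ;;
        *) echo "error: unwrap command lacks the $PLACEHOLDER placeholder: $1" >&2
           return 1 ;;
    esac
}

# Expand every %p in the command with the wrapped-key path, which is what
# the tool does internally before executing the unwrap command. Uses only
# parameter expansion, so paths containing sed-special characters are safe.
expand_placeholder() {
    cmd="$1"; keyfile="$2"; out=""
    while :; do
        case "$cmd" in
            *"$PLACEHOLDER"*)
                out="$out${cmd%%"$PLACEHOLDER"*}$keyfile"
                cmd="${cmd#*"$PLACEHOLDER"}" ;;
            *)  out="$out$cmd"; break ;;
        esac
    done
    printf '%s\n' "$out"
}

# Dump an encrypted WAL segment (default 128-bit AES key length).
#   waldump_encrypted <wal-segment> <wrapped-key-file> [unwrap-command]
waldump_encrypted() {
    wal="$1"; keyfile="$2"
    unwrap=$(resolve_unwrap_command "${3:-}") || return 1
    validate_unwrap_command "$unwrap" || return 1
    [ -r "$keyfile" ] || { echo "error: key file not readable: $keyfile" >&2; return 1; }
    # --data-encryption is mandatory: pg_waldump can't detect encrypted WAL itself.
    pg_waldump --data-encryption --key-file-name="$keyfile" \
        --key-unwrap-command="$unwrap" "$wal"
}

# Reset a corrupt encrypted WAL; pg_resetwal takes only the unwrap command.
#   resetwal_encrypted <data-directory> [unwrap-command]
resetwal_encrypted() {
    pgdata="$1"
    unwrap=$(resolve_unwrap_command "${2:-}") || return 1
    validate_unwrap_command "$unwrap" || return 1
    pg_resetwal --key-unwrap-command="$unwrap" "$pgdata"
}

# Dispatch only when invoked with a subcommand, for example:
#   ./tde_wal.sh dump /path/to/pg_wal/SEGMENT /path/to/wrapped.key 'unwrap-tool %p'
#   ./tde_wal.sh reset /path/to/pgdata
case "${1:-}" in
    dump)  shift; waldump_encrypted "$@" ;;
    reset) shift; resetwal_encrypted "$@" ;;
esac
```

Sourcing the file makes the helper functions available for use in other scripts; running it with the dump or reset subcommand performs the checks and then hands off to the real tool, so a missing %p or an unset PGDATAKEYUNWRAPCMD fails with a clear message instead of an opaque unwrap error.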