Working with encrypted backup files
When TDE is enabled, backup files are encrypted. If you want to perform operations on the encrypted backup files, you need to allow the operations to decrypt the file.
Verify a backup of a TDE system
To verify an encrypted backup file, the pg_verifybackup command needs to be aware of the unwrap key. You can either pass the key for the unwrap command using the following option to the pg_verifybackup
command or depend on the fallback environment variable.
--key-unwrap-command=<command>
Specifies a command to unwrap (decrypt) the data encryption key. The command must include a placeholder %p
that specifies the file to read the wrapped key from. The command needs to write the unwrapped key to its standard output. If you don't specify this option, the environment variable PGDATAKEYUNWRAPCMD
is used.
Use the special value -
if you don't want to apply any key unwrapping command.
You must specify this option or the environment variable fallback if you're using data encryption. See Securing the data encryption key for more information.
Resynchronize timelines in a TDE system
To resynchronize an encrypted cluster with its backup, the pg_rewind command needs to be aware of the unwrap key. You can either pass the key for the unwrap command using the following option to the pg_rewind
command or depend on the fallback environment variable:
--key-unwrap-command=<command>
Specifies a command to unwrap (decrypt) the data encryption key. The command must include a placeholder %p
that specifies the file to read the wrapped key from. The command needs to write the unwrapped key to its standard output. If you don't specify this option, the environment variable PGDATAKEYUNWRAPCMD
is used.
Use the special value -
if you don't want to apply any key unwrapping command.
You must specify this option or the environment variable fallback if you're using data encryption. See Securing the data encryption key for more information.