Skip to content

PG-1658 Remove server key if it is the unused default key #484

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 23, 2025
Merged

PG-1658 Remove server key if it is the unused default key #484

merged 2 commits into from
Jul 23, 2025

Conversation

AndersAstrand
Copy link
Collaborator

Previously this was left behind even if the default key was deleted. Check if any WAL encryption keys exist and allow removal if there are none.

https://perconadev.atlassian.net/browse/PG-1658

We do have a bug here where we will remove the key even if it was explicitly set with pg_tde_set_server_key(), but the same is true for the database keys, so the behavior is consistent. I will report this as a bug in jira though.

@AndersAstrand
Rename helper function
c4ac164 
This function counts the number of encryption keys in the key file
associated with the given OID. Name it accordingly.

Also remove comment about only user which is no longer true.
@AndersAstrand
PG-1658 Remove server key when removing default key
218abaf 
Previously this was left behind even if the default key was deleted.
Check if any WAL encryption keys exist and allow removal if there are
none.
@codecov-commenter
Copy link

Codecov Report

Attention: Patch coverage is 88.88889% with 1 line in your changes missing coverage. Please review.

Project coverage is 83.61%. Comparing base (54d0128) to head (218abaf).
Report is 6 commits behind head on TDE_REL_17_STABLE.

❌ Your project status has failed because the head coverage (83.61%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files 
@@                  Coverage Diff                  @@
##           TDE_REL_17_STABLE     #484      +/-   ##
=====================================================
+ Coverage              83.47%   83.61%   +0.13%     
=====================================================
  Files                     21       21              
  Lines                   2766     2770       +4     
  Branches                 435      436       +1     
=====================================================
+ Hits                    2309     2316       +7     
+ Misses                   371      369       -2     
+ Partials                  86       85       -1
Components Coverage Δ
access 81.88% <100.00%> (+0.77%) ⬆️
catalog 87.85% <85.71%> (-0.05%) ⬇️
common 77.77% <ø> (ø)
encryption 73.45% <ø> (ø)
keyring 73.21% <ø> (ø)
src 87.52% <100.00%> (ø)
smgr 94.85% <ø> (-0.03%) ⬇️
transam ∅ <ø> (∅)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

jeltz
jeltz approved these changes Jul 23, 2025
View reviewed changes
Copy link
Collaborator

@jeltz jeltz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice find and fix!

@AndersAstrand AndersAstrand merged commit 7491b0a into percona:TDE_REL_17_STABLE Jul 23, 2025
18 of 21 checks passed
@AndersAstrand AndersAstrand deleted the tde/remove-server-key-if-it-is-unused-default-principal-key branch July 23, 2025 11:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeltz jeltz jeltz approved these changes

@dutow dutow Awaiting requested review from dutow dutow is a code owner

@dAdAbird dAdAbird Awaiting requested review from dAdAbird dAdAbird is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AndersAstrand @codecov-commenter @jeltz