Skip to content

PG-1710 Create helpers for decrypting/encrypting archived WAL #487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: TDE_REL_17_STABLE
Choose a base branch
from
Open

PG-1710 Create helpers for decrypting/encrypting archived WAL #487

wants to merge 3 commits into from

Conversation

jeltz
Copy link
Collaborator

@jeltz jeltz commented Jul 25, 2025
edited
Loading

To support some common WAL archiving tools, e.g. PgBackRest, we implement an archive_command and a restore_command which can wrap any command and use pipe() to create fake file to either read from or write to. The restore command makes sure to write encrypted files if WAL encryption is enabled. It uses the fresh WAL key generated by the server on the current start which works fine because we then just let the first invocation of the restore command set the start LSN of the key.

For e.g. PgBackRest you would have the following commands:

  archive_command = 'pg_tde_archive_decrypt %p pgbackrest --stanza=demo archive-push %p'
  restore_command = 'pg_tde_restore_encrypt %f %p pgbackrest --stanza=demo archive-get %f "%p"'

An alternative if we want to make sure to use system() like archive_command and restore_command it would instead be, but feels a bit risky since people would have to remember to do %% for it to work.

  archive_command = 'pg_tde_archive_decrypt %p "pgbackrest --stanza=demo archive-push %%p"'
  restore_command = 'pg_tde_restore_encrypt %f %p "pgbackrest --stanza=demo archive-get %%f \"%%p\""'

@jeltz jeltz requested review from dutow and dAdAbird as code owners July 25, 2025 02:28
@jeltz jeltz force-pushed the tde/archive-restore-helpers branch from 5dc0f74 to 6c75dba Compare July 25, 2025 02:28
@jeltz
Copy link
Collaborator Author

jeltz commented Jul 25, 2025

I am aware documentation us missing but I want some early feedback so that I don't waste more time if this is wrong.

@jeltz jeltz force-pushed the tde/archive-restore-helpers branch from 6c75dba to 39cdf06 Compare July 25, 2025 02:36
@codecov-commenter
Copy link

Codecov Report

Attention: Patch coverage is 63.97849% with 67 lines in your changes missing coverage. Please review.

Project coverage is 82.48%. Comparing base (a329aeb) to head (39cdf06).

❌ Your project status has failed because the head coverage (82.48%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files 
@@                  Coverage Diff                  @@
##           TDE_REL_17_STABLE     #487      +/-   ##
=====================================================
- Coverage              83.68%   82.48%   -1.20%     
=====================================================
  Files                     21       24       +3     
  Lines                   2771     2964     +193     
  Branches                 435      484      +49     
=====================================================
+ Hits                    2319     2445     +126     
- Misses                   368      421      +53     
- Partials                  84       98      +14
Components Coverage Δ
access 81.17% <0.00%> (-1.10%) ⬇️
catalog 87.85% <ø> (ø)
common 77.77% <ø> (ø)
encryption 73.45% <ø> (ø)
keyring 73.21% <ø> (ø)
src 94.15% <ø> (+6.59%) ⬆️
smgr 94.88% <ø> (+0.02%) ⬆️
transam ∅ <ø> (∅)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

jeltz added 3 commits July 25, 2025 04:51
@jeltz
PG-1710 Move binaries into src/bin
5bedab2 
Now that we will soon be adding more bianries having them at the top
level only makes things confusing for developers.
@jeltz
Fix typo in commented out code
e00b653
@jeltz
PG-1710 Create helpers for decrypting/encrypting archived WAL
de83a64 
To support some common WAL archiving tools, e.g. PgBackRest, we
implement an archive_command and a restore_command which can wrap any
command and use pipe() to create fake file to either read from or write
to. The restore command makes sure to write encrypted files if WAL
encryption is enabled. It uses the fresh WAL key generated by the server
on the current start which works fine because we then just let the first
invocation of the restore command set the start LSN of the key.

For e.g. PgBackRest you would have the following commands:

  archive_command = 'pg_tde_archive_decrypt %p pgbackrest --stanza=demo archive-push %p'
  restore_command = 'pg_tde_restore_encrypt %f %p pgbackrest --stanza=demo archive-get %f "%p"'
@jeltz jeltz force-pushed the tde/archive-restore-helpers branch from 39cdf06 to de83a64 Compare July 25, 2025 02:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dutow dutow Awaiting requested review from dutow dutow is a code owner

@dAdAbird dAdAbird Awaiting requested review from dAdAbird dAdAbird is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jeltz @codecov-commenter