open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
60680 Commits
38 Branches
662 Tags
731 MiB
Tag: Branch: Tree: 89f5000235
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '89f5000235'
${ noResults }
postgres/contrib/pg_tde/documentation/docs/how-to/backup-wal-enabled.md

78 lines
3.4 KiB
Raw Normal View History Unescape

PG-1858 Document backing up with WAL with encrypt enabled (#534) - add new topic called # Backing up with WAL encryption enabled - add two suptopics for other wal methods and restore backup created with wal encrypt - reword to short form option flags
3 weeks ago
# Backup with WAL encryption enabled
To create a backup with WAL encryption enabled:
1. Copy the `pg_tde` directory from the source server’s data directory, for example `/var/lib/postgresql/data/pg_tde/`, including the `wal_keys` and `1664_providers` files, to the backup destination directory where `pg_basebackup` will write the backup.
Also copy any external files referenced by your providers configuration (such as certificate or key files) into the same relative paths under the backup destination, so that they are located and validated by `pg_basebackup -E`.
2. Run:
```bash
pg_basebackup -D /path/to/backup -E
```
Where:
Update WAL backup topic regarding TAR not supporting `-X stream` when WAL encryption is enabled (#548) - renamed title, reorg content for easier scanning - turned into note the `pg_tde/wal_keys` at the end
3 weeks ago
- `-D /path/to/backup` specifies the backup location where you have to copy `pg_tde`.
- `-E` (or `--encrypt-wal`) enables WAL encryption and validates that the copied `pg_tde` and provider files are present and that the server key is accessible (required).
PG-1858 Document backing up with WAL with encrypt enabled (#534) - add new topic called # Backing up with WAL encryption enabled - add two suptopics for other wal methods and restore backup created with wal encrypt - reword to short form option flags
3 weeks ago
!!! note
- The `-E` flag only works with the `-X stream` option (default). It is not compatible with `-X none` or `-X fetch`. For more information, see [the other WAL methods topic](#other-wal-methods).
- The `-E` flag is only supported with the plain output format (`-F p`). It cannot be used with the tar output format (`-F t`).
Add information regarding key rotation during backups for pg_basebackup making servers fail to start (#550) - add as known issue in release notes - fix a broken link in features.md (not related to issue...) - add to global key providers a warning about keyring provider with WAL encrypt - add new subtopic in Backup WAL about key rotations during backups for file-based key providers Based on PG-1895 description.
2 weeks ago
## Key rotation during backups
!!! warning
Do not rotate SMGR or WAL encryption keys while `pg_basebackup` is running. Standbys or standalone clusters created from such backups may fail to start during WAL replay.
Rotations during a base backup can leave the standby in an inconsistent state where it cannot retrieve the correct key history.
For example, you may see errors such as:
```sql
FATAL: failed to retrieve principal key "database_keyXXXX" from key provider "providerYYYY"
CONTEXT: WAL redo at ... ROTATE_PRINCIPAL_KEY ...
```
To ensure standby recoverability, plan key rotations outside backup windows or take a new full backup after rotation completes.
PG-1858 Document backing up with WAL with encrypt enabled (#534) - add new topic called # Backing up with WAL encryption enabled - add two suptopics for other wal methods and restore backup created with wal encrypt - reword to short form option flags
3 weeks ago
## Restore a backup created with WAL encryption
When you want to restore a backup created with `pg_basebackup -E`:
1. Ensure all external files referenced by your providers configuration (such as certificates or key files) are also present and accessible at the same relative paths.
2. Start PostgreSQL with the restored data directory.
Update WAL backup topic regarding TAR not supporting `-X stream` when WAL encryption is enabled (#548) - renamed title, reorg content for easier scanning - turned into note the `pg_tde/wal_keys` at the end
3 weeks ago
## Backup method compatibility with WAL encryption
PG-1858 Document backing up with WAL with encrypt enabled (#534) - add new topic called # Backing up with WAL encryption enabled - add two suptopics for other wal methods and restore backup created with wal encrypt - reword to short form option flags
3 weeks ago
Update WAL backup topic regarding TAR not supporting `-X stream` when WAL encryption is enabled (#548) - renamed title, reorg content for easier scanning - turned into note the `pg_tde/wal_keys` at the end
3 weeks ago
Tar format (`-F t`):
PG-1858 Document backing up with WAL with encrypt enabled (#534) - add new topic called # Backing up with WAL encryption enabled - add two suptopics for other wal methods and restore backup created with wal encrypt - reword to short form option flags
3 weeks ago
Update WAL backup topic regarding TAR not supporting `-X stream` when WAL encryption is enabled (#548) - renamed title, reorg content for easier scanning - turned into note the `pg_tde/wal_keys` at the end
3 weeks ago
* Works with `-X fetch`.
* Does not support `-X stream` when WAL encryption is enabled. Using `pg_basebackup -F t -X stream` will create a broken replica.
PG-1858 Document backing up with WAL with encrypt enabled (#534) - add new topic called # Backing up with WAL encryption enabled - add two suptopics for other wal methods and restore backup created with wal encrypt - reword to short form option flags
3 weeks ago
Update WAL backup topic regarding TAR not supporting `-X stream` when WAL encryption is enabled (#548) - renamed title, reorg content for easier scanning - turned into note the `pg_tde/wal_keys` at the end
3 weeks ago
Streaming mode (`-X stream`):
PG-1858 Document backing up with WAL with encrypt enabled (#534) - add new topic called # Backing up with WAL encryption enabled - add two suptopics for other wal methods and restore backup created with wal encrypt - reword to short form option flags
3 weeks ago
Update WAL backup topic regarding TAR not supporting `-X stream` when WAL encryption is enabled (#548) - renamed title, reorg content for easier scanning - turned into note the `pg_tde/wal_keys` at the end
3 weeks ago
* **Must** specify `-E` (`--encrypt-wal`).
* Without `-E`, backups may contain decrypted WAL while `wal_encryption=on` remains in `postgresql.conf` and `pg_tde/wal_keys` are copied. This leads to **startup failures and compromised data in the backup**.
Fetch mode (`-X fetch`):
* Compatible with encrypted WAL without requiring any additional flags.
None (`-X none`):
* Excludes WAL from the backup and is unaffected by WAL encryption.
!!! note
If the source server has `pg_tde/wal_keys`, running `pg_basebackup` with `-X none` or `-X fetch` produces warnings such as:
```sql
pg_basebackup: warning: the source has WAL keys, but no WAL encryption configured for the target backups
pg_basebackup: detail: This may lead to exposed data and broken backup
pg_basebackup: hint: Run pg_basebackup with -E to encrypt streamed WAL
```
You can safely ignore the warnings with `-X none` or `-X fetch`, since no WAL streaming occurs.