open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

PG-1858 Document backing up with WAL with encrypt enabled (#534)

Browse Source 
- add new topic called # Backing up with WAL encryption enabled
- add two suptopics for other wal methods and restore backup created with wal encrypt
- reword to short form option flags
pull/238/head
Dragos Andriciuc 3 weeks ago committed by GitHub
parent 307b33d656
commit acaddab9ab
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 45 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 44
      contrib/pg_tde/documentation/docs/how-to/backup-wal-enabled.md
  2. 1
      contrib/pg_tde/documentation/mkdocs.yml

44
contrib/pg_tde/documentation/docs/how-to/backup-wal-enabled.md
Unescape View File

@ -0,0 +1,44 @@
# Backup with WAL encryption enabled
To create a backup with WAL encryption enabled:
1. Copy the `pg_tde` directory from the source server’s data directory, for example `/var/lib/postgresql/data/pg_tde/`, including the `wal_keys` and `1664_providers` files, to the backup destination directory where `pg_basebackup` will write the backup.
Also copy any external files referenced by your providers configuration (such as certificate or key files) into the same relative paths under the backup destination, so that they are located and validated by `pg_basebackup -E`.
2. Run:
```bash
pg_basebackup -D /path/to/backup -E
```
Where:
- `-D /path/to/backup` specifies the backup location where you have to copy `pg_tde`
- `-E` (or `--encrypt-wal`) enables WAL encryption and validates that the copied `pg_tde` and provider files are present and that the server key is accessible (required)
!!! note
- The `-E` flag only works with the `-X stream` option (default). It is not compatible with `-X none` or `-X fetch`. For more information, see [the other WAL methods topic](#other-wal-methods).
- The `-E` flag is only supported with the plain output format (`-F p`). It cannot be used with the tar output format (`-F t`).
## Restore a backup created with WAL encryption
When you want to restore a backup created with `pg_basebackup -E`:
1. Ensure all external files referenced by your providers configuration (such as certificates or key files) are also present and accessible at the same relative paths.
2. Start PostgreSQL with the restored data directory.
## Other WAL methods
The `-X fetch` option works with encrypted WAL without requiring any additional flags.
The `-X none` option excludes WAL from the backup and is unaffected by WAL encryption.
If the source server has `pg_tde/wal_keys`, running `pg_basebackup` with `-X none` or `-X fetch` produces warnings such as:
```sql
pg_basebackup: warning: the source has WAL keys, but no WAL encryption configured for the target backups
pg_basebackup: detail: This may lead to exposed data and broken backup
pg_basebackup: hint: Run pg_basebackup with -E to encrypt streamed WAL
```
You can safely ignore these warnings when using `-X none` or `-X fetch`, since in both cases WAL is not streamed.

1
contrib/pg_tde/documentation/mkdocs.yml
Unescape View File

@ -204,6 +204,7 @@ nav:
- "Configure Multi-tenancy": how-to/multi-tenant-setup.md - "Configure Multi-tenancy": how-to/multi-tenant-setup.md
- "Encryption Enforcement": how-to/enforcement.md - "Encryption Enforcement": how-to/enforcement.md
- "Decrypt an Encrypted Table": how-to/decrypt.md - "Decrypt an Encrypted Table": how-to/decrypt.md
- "Backup with WAL encryption enabled": how-to/backup-wal-enabled.md
- "Restore an encrypted pg_tde backup": how-to/restore-backups.md - "Restore an encrypted pg_tde backup": how-to/restore-backups.md
- faq.md - faq.md
- "Release notes": - "Release notes":

Write Preview
Loading…
Cancel
Save