Skip to content
Percona Software for PostgreSQL Documentation

For help, click the link below to get free database assistance or contact our experts for personalized support.

Get help from Percona

pg_tde_archive_decrypt

The pg_tde_archive_decrypt tool wraps an archive command and decrypts WAL files before archiving. It allows external tools to access unencrypted WAL data, which is required because WAL encryption keys in the two-key hierarchy are host-specific and may not be available on the replay host.

Tip

For more information on the encryption architecture and key hierarchy, see Architecture.

This tool is often use in conjunction with pg_tde_restore_encrypt to support WAL archive.

How it works

  1. Decrypts the WAL segment to a temporary file on a RAM disk (/dev/shm)
  2. Replaces %p and %f in the archive command with the path and name of the decrypted file
  3. Executes the archive command

Note

To ensure security, encrypt the files stored in your WAL archive using tools like PgBackRest.

Usage

pg_tde_archive_decrypt [OPTION]
pg_tde_archive_decrypt DEST-NAME SOURCE-PATH ARCHIVE-COMMAND

Parameter descriptions

  • DEST-NAME: name of the WAL file to send to the archive
  • SOURCE-PATH: path to the original encrypted WAL file
  • ARCHIVE-COMMAND: archive command to wrap. %p and %f are replaced with the decrypted WAL file path and WAL file name, respectively.

Options

  • -V, --version: show version information, then exit
  • -?, --help: show help information, then exit

Note

Any %f or %p parameter in ARCHIVE-COMMAND has to be escaped as %%f or %%p respectively if used as archive_command in postgresql.conf.

Examples

Using cp

archive_command='pg_tde_archive_decrypt %f %p "cp %%p /mnt/server/archivedir/%%f"'

Using PgBackRest

archive_command='pg_tde_archive_decrypt %f %p "pgbackrest --stanza=your_stanza archive-push %%p"'