Working with encrypted backup files

When TDE is enabled, backup files are encrypted. If you want to perform operations on the encrypted backup files, you need to allow the operations to decrypt the file.

Verify a backup of a TDE system

To verify an encrypted backup file, the pg_verifybackup command needs to be aware of the unwrap key. You can either pass the key for the unwrap command using the following option to the pg_verifybackup command or depend on the fallback environment variable.

--key-unwrap-command=<command>

Specifies a command to unwrap (decrypt) the data encryption key. The command must include a placeholder %p that specifies the file to read the wrapped key from. The command needs to write the unwrapped key to its standard output. If you don't specify this option, the environment variable PGDATAKEYUNWRAPCMD is used.

Use the special value - if you don't want to apply any key unwrapping command.

You must specify this option or the environment variable fallback if you're using data encryption. See Securing the data encryption key for more information.

Resynchronize timelines in a TDE system

To resynchronize an encrypted cluster with its backup, the pg_rewind command needs to be aware of the unwrap key. You can either pass the key for the unwrap command using the following option to the pg_rewind command or depend on the fallback environment variable:

--key-unwrap-command=<command>

Specifies a command to unwrap (decrypt) the data encryption key. The command must include a placeholder %p that specifies the file to read the wrapped key from. The command needs to write the unwrapped key to its standard output. If you don't specify this option, the environment variable PGDATAKEYUNWRAPCMD is used.

Use the special value - if you don't want to apply any key unwrapping command.

You must specify this option or the environment variable fallback if you're using data encryption. See Securing the data encryption key for more information.