PG-1523 Rework uninstallation documentation #486
Conversation
AndersAstrand
force-pushed
the
tde/rework-uninstallation-instructions
branch
from
e23d3d7 to
feb9ebc
Compare
This commit rearranges the uninstallation documentation and adds instructions for disabling WAL encryption.
AndersAstrand
force-pushed
the
tde/rework-uninstallation-instructions
branch
from
feb9ebc to
c843707
Compare
| To uninstall `pg_tde`, follow these steps: | ||
|
|
||
| ## 1. Drop the pg_tde extension from all databases |
There was a problem hiding this comment.
change to ## Step 1. Drop the extension from all databases and continue with Step 2... throughout
| To uninstall `pg_tde`, follow these steps: | ||
|
|
||
| ## 1. Drop the pg_tde extension from all databases | ||
|
|
||
| For all databases where the extensions is loaded you need to follow these steps. This also includes the template databases, in case `pg_tde` was previously enabled there. |
There was a problem hiding this comment.
Before uninstalling pg_tde, you must remove the extension from every database where it is loaded. This includes template databases if pg_tde was previously enabled there.
| @@ -25,6 +26,8 @@ To uninstall `pg_tde`, follow these steps: | |||
| DROP EXTENSION pg_tde; | |||
| ``` | |||
|
|
|||
| If there are any encrypted objects that were not previously decrypted or deleted, this command will fail and you have to follow the step above for these objects. | |||
There was a problem hiding this comment.
!!! note
If there are any encrypted objects that were not previously decrypted or deleted, this command will fail and you have to follow the step above for these objects.
| ## 1. Drop the pg_tde extension from all databases | ||
|
|
||
| For all databases where the extensions is loaded you need to follow these steps. This also includes the template databases, in case `pg_tde` was previously enabled there. | ||
|
|
||
| 1. Decrypt or drop encrypted tables: |
There was a problem hiding this comment.
You must clean up all encrypted tables in each database:
-
To decrypt a table, switch it back to the default storage method:
ALTER TABLE <table_name> SET ACCESS METHOD heap;
-
To discard the data**, simply drop the encrypted tables:
DROP TABLE <table_name>;
-
Remove the extension
Once all encrypted tables have been handled, drop the extension from the database:
DROP EXTENSION pg_tde;
|
|
||
| 5. Modify the `shared_preload_libraries` and remove the 'pg_tde' from it. Use the `ALTER SYSTEM` command for this purpose, or edit the configuration file. | ||
| 1. Run `ALTER SYSTEM SET pg_tde.wal_encrypt=off;` |
There was a problem hiding this comment.
(remove the numbering format)
-
Disable WAL encryption by running:
ALTER SYSTEM SET pg_tde.wal_encrypt=off;
There was a problem hiding this comment.
This is highly confusing to me. Why don't we want these steps to be numbered when the order in which they are run are critical?
The configuration change must be done before the restart. So numbered steps seems highly appropriate here?
There was a problem hiding this comment.
Agreed! Please go ahead and edit the steps in alphabetical instead of *
| !!! warning | ||
| Once `pg_tde` is removed from the `shared_preload_libraries`, reading any leftover encrypted files will fail. Removing the extension from the `shared_preload_libraries` is also possible if the extension is still installed in some databases. | ||
| Make sure to do this only if the server has no encrypted files in its data directory. | ||
| 2. Restart the `postgresql` cluster to apply the changes. |
There was a problem hiding this comment.
-
Restart the PostgreSQL cluster to apply the change:
- ....
|
|
||
| ```sh | ||
| sudo systemctl restart postgresql-17 | ||
|
|
| !!! note | ||
| Encrypted WAL pages will not be decrypted, so any postgres cluster needing to read them will need the `pg_tde` library loaded, and the WAL encryption keys used available. | ||
|
|
||
| At this point, the shared library is still loaded but inactive. Follow these steps to completely uninstall it. |
There was a problem hiding this comment.
At this point, the shared library is still loaded but no longer active. To fully uninstall pg_tde, complete the steps below.
|
|
||
| postgres=# | ||
| ``` | ||
| 2. Remove `pg_tde` from the list and apply the new setting using `ALTER SYSTEM SET shared_preload_libraries=<your list of libraries>` |
There was a problem hiding this comment.
Remove pg_tde from the list and apply the new setting using ALTER SYSTEM SET shared_preload_libraries=<your list of libraries>. For example: ...
| At this point, the shared library is still loaded but inactive. Follow these steps to completely uninstall it. | ||
|
|
||
| 1. Run `SHOW shared_preload_libraries` to view the current configuration of preloaded libraries. | ||
| Example: |
| postgres=# ALTER SYSTEM SET shared_preload_libraries=pg_stat_statements,auto_explain; | ||
| ALTER SYSTEM | ||
| postgres=# | ||
| ``` |
There was a problem hiding this comment.
space needed between ``` and !!!
| @@ -57,3 +103,16 @@ To uninstall `pg_tde`, follow these steps: | |||
| ```sh | |||
| sudo systemctl restart postgresql-17 | |||
| ``` | |||
|
|
|||
| ## 4. (optional) Cleanup | |||
There was a problem hiding this comment.
(Optional) Clean up configuration
|
|
||
| At this point it is safe to remove any configuration related to pg_tde from `postgresql.conf` and `postgresql.auto.conf`. These configuration options have the prefix `pg_tde.` | ||
|
|
||
| ## Potential issues |
There was a problem hiding this comment.
edit to ## Troubleshooting
with subtopic ### WAL encryption not disabled
There was a problem hiding this comment.
I don't understand what you want to communicate with that? The users won't know that that was the issue, they will just see the error message and this section communicates what the issue was and how to solve it.
There was a problem hiding this comment.
I understand your pov but ## Potential issues is too vague while troubleshooting might be unnecessary as you say.
Let us do this:
5. Restart error: PANIC checkpoint not found
If you see the following error when restarting the PostgreSQL cluster:
2025-04-01 17:12:50.607 CEST [496385] PANIC: could not locate a valid checkpoint record at 0/17B2580
This typically means that WAL encryption was not fully disabled before the pg_tde shared library was removed. To fix this, re-add pg_tde to shared_preload_libraries before starting the cluster, and follow the instructions for turning off WAL encryption above before uninstalling the shared library.
I believe the above version is better, it continues from the previous steps naturally and provides a specific title the user can search through the doc
| @@ -57,3 +103,16 @@ To uninstall `pg_tde`, follow these steps: | |||
| ```sh | |||
| sudo systemctl restart postgresql-17 | |||
| ``` | |||
|
|
|||
There was a problem hiding this comment.
for these last two steps below, please remove the spaces before of the paragraphs completely.
There was a problem hiding this comment.
When you say spaces here, are you talking about spaces or about empty lines?
There was a problem hiding this comment.
Yep! Just an empty line is great in between the paragraph and ```
|
Replaced by #490 |
This commit rearranges the uninstallation documentation and adds instructions for disabling WAL encryption.