PG-1603 Make pg_basebackup work with encrypted WAL #513

Merged
merged 1 commit into from
Aug 8, 2025

dAdAbird (Member) commented Aug 8, 2025

When WAL is streamed during the backup (default mode), it comes in unencrypted. But we need keys to encrypt it. For now, we expect that the user would put pg_tde dir containing the 1664_key and 1664_providers into the destination directory before starting the backup. And we encrypt streamed WAL according to the internal keys. No pg_tde dir means no streamed WAL encryption.

Why I created TDEXLogCryptBuffer():
`stream->walmethod->ops` is an interface and there are at least four implementations of the `write()` method which accepts a buffer as argument. I thought about using `TDEXLogSmgrInitWriteReuseKey()` + pipe + `xlog_smgr->seg_write()`, but my experiments show that it is possible for pg_basebackup to start a stream from a couple of "wal keys back", therefore reusing the last key won't work.

dAdAbird (Member, Author) commented Aug 8, 2025

Supersedes #473

codecov-commenter commented Aug 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.22%. Comparing base (87c55e6) to head (cfda536).
⚠️ Report is 4 commits behind head on TDE_REL_17_STABLE.

❌ Your project status has failed because the head coverage (82.22%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@                  Coverage Diff                  @@
##           TDE_REL_17_STABLE     #513      +/-   ##
=====================================================
+ Coverage              82.00%   82.22%   +0.22%     
=====================================================
  Files                     24       25       +1     
  Lines                   3162     3179      +17     
  Branches                 514      515       +1     
=====================================================
+ Hits                    2593     2614      +21     
+ Misses                   460      456       -4     
  Partials                 109      109              

| Components | Coverage Δ |
|---|---|
| access | 83.57% <93.61%> (+0.69%) ⬆️ |
| catalog | 87.61% <ø> (ø) |
| common | 77.77% <ø> (ø) |
| encryption | 72.97% <ø> (ø) |
| keyring | 73.21% <ø> (ø) |
| src | 94.15% <ø> (ø) |
| smgr | 95.29% <ø> (ø) |
| transam | ∅ <ø> (∅) |

When WAL is streamed during the backup (default mode), it comes in
unencrypted. But we need keys to encrypt it. For now, we expect that
the user would put `pg_tde` dir containing the `1664_key` and
`1664_providers` into the destination directory before starting the
backup. We encrypt the streamed WAL according to internal keys. No
`pg_tde` dir means no streamed WAL encryption.
@dAdAbird dAdAbird merged commit da899e0 into percona:TDE_REL_17_STABLE Aug 8, 2025
19 checks passed
@dAdAbird dAdAbird deleted the basebackup2 branch August 8, 2025 16:47
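
Added example, not part of the pull request or the pg_tde code base: a shell pre-flight check an operator could run on the backup destination before starting pg_basebackup, since a missing `pg_tde` directory means the streamed WAL is written unencrypted. The function name, the return codes and the handling of a partially populated `pg_tde` directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not pg_tde project code): pre-flight check of a pg_basebackup
# destination directory, based on the layout described in the PR.
# Return codes (this script's own convention):
#   0  pg_tde/ holds non-empty 1664_key and 1664_providers
#   1  no pg_tde/ directory: streamed WAL would be written unencrypted
#   2  pg_tde/ exists but a key file is missing or empty (treating this as a
#      hard error is an assumption; the PR does not describe this case)
check_tde_backup_dest() {
    _dest=$1
    _tde="$_dest/pg_tde"
    if [ ! -d "$_tde" ]; then
        echo "WARNING: $_tde not found; streamed WAL will not be encrypted" >&2
        return 1
    fi
    _rc=0
    for _f in 1664_key 1664_providers; do
        if [ ! -f "$_tde/$_f" ]; then
            echo "ERROR: $_tde/$_f is missing or not a regular file" >&2
            _rc=2
        elif [ ! -s "$_tde/$_f" ]; then
            echo "ERROR: $_tde/$_f is empty" >&2
            _rc=2
        fi
    done
    return "$_rc"
}

# Demo on a constructed directory tree (placeholder contents, not real keys).
demo_dir=$(mktemp -d)
check_tde_backup_dest "$demo_dir" || echo "empty destination -> rc=$?"
mkdir "$demo_dir/pg_tde"
printf 'placeholder' > "$demo_dir/pg_tde/1664_key"
check_tde_backup_dest "$demo_dir" || echo "providers file absent -> rc=$?"
printf 'placeholder' > "$demo_dir/pg_tde/1664_providers"
check_tde_backup_dest "$demo_dir" && echo "both files present -> rc=0"
rm -rf "$demo_dir"
```

In a backup wrapper, calling the function on the target directory and aborting on any non-zero return keeps a backup from silently landing with plaintext WAL.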