-
Notifications
You must be signed in to change notification settings - Fork 208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Manual decryption of backup files #2361
Comments
Hi, It really depends on what you want to do exactly. Data files are totally useless without the recovery being performed, replaying wal activity from the archives to at least make the data consistent. So the easiest way to get a data directory decrypted and ready for the recovery is to use the Different level of encryption are applied and if you only need to recover 1 specific file. You could look at the source code to sort this out, or you can simply use the |
@pgstef Thanks for the quick reply. Ideally I'd like to have a way to decrypt stuff even in the circumstances where I don't have pgbackrest at hand (at all or the exact required version). |
The Regards, |
You can do this with the following command:
Note that if you want to decrypt and use your backups manually you'll need to use only full backups (or use There may be other options that I'm not thinking of that would prevent you from manually restoring a backup. You'll need to test your method thoroughly to be sure it works. |
@dwsteele That openssl line didn't work for me. I must be missing something. |
You didn't give us the settings you are using for backup, or the command you are trying to run, or the error -- so not a lot we can do to help. |
Sorry for not being explicit enough. I've only set
So I assumed key is derived in pgbackrest since the encryption filter besides the mode (enc/dec) accepts only 2 args. That's how I came up with the line in the issue description where I used the |
The key to pass to -k or -kfile is the same value you provide to
You must set it explicitly. |
I mean it's the default in pgbackrest.conf and yes, I pass I think I'll abandon this approach. Maybe after all it's easier and cleaner to ensure the pgbackrest binary is around anywhere I may need it. Thanks for your help! |
Looks to me like something is missing from your build of
That will be quite a bit easier -- and safer. |
Since a backup is just a copy of PG data directory I'd like to find a way to use a copy of that, after decryption and decompression, as is. However I don't seem to find anything related in docs.
I tried something like
openssl enc -d -${MY_CIPHER_TYPE} -kfile ${MY_PASS_FILE} -in ${SOME_ZST_FILE_FROM_BACKUP} -out output -pbkdf2
which resulted inbad decrypt
. Tried supplying the password both as is in config and base64 decoded.What approach should I take?
Thanks!
The text was updated successfully, but these errors were encountered: