Skip to content

PG-2240 Add pg_upgrade support for encrypted tables#522

Open
jeltz wants to merge 2 commits intopercona:mainfrom
jeltz:pg-upgrade-fix
Open

PG-2240 Add pg_upgrade support for encrypted tables#522
jeltz wants to merge 2 commits intopercona:mainfrom
jeltz:pg-upgrade-fix

Conversation

@jeltz
Copy link
Collaborator

@jeltz jeltz commented Mar 10, 2026

To safely run pg_upgrade with SMGR encryption enabled people need to first copy the data directory and then we have changed pg_tde so that it no longer overwrites or deletes keys when ran in binary upgrade mode.

Encrypted WAL is still not supported in pg_upgrade and it may also make sense to write a script which automates copying the pg_tde directory.

@codecov-commenter
Copy link

codecov-commenter commented Mar 10, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.14%. Comparing base (f9d8a53) to head (73fae64).
⚠️ Report is 1 commits behind head on main.

❌ Your project status has failed because the head coverage (60.14%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #522      +/-   ##
==========================================
+ Coverage   60.06%   60.14%   +0.08%     
==========================================
  Files          68       68              
  Lines       10677    10680       +3     
  Branches     1835     1837       +2     
==========================================
+ Hits         6413     6424      +11     
+ Misses       3557     3552       -5     
+ Partials      707      704       -3
Components Coverage Δ
access 84.49% <ø> (+0.34%) ⬆️
catalog 87.93% <ø> (ø)
common 77.77% <ø> (ø)
encryption 73.94% <ø> (ø)
keyring 74.28% <ø> (ø)
src 93.23% <ø> (ø)
smgr 94.14% <100.00%> (+0.08%) ⬆️
transam ∅ <ø> (∅)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@AndersAstrand
Copy link
Collaborator

AndersAstrand commented Mar 10, 2026
edited
Loading

Looks like #include <miscadmin.h> needs to be moved outside the #if PG_VERSION_NUM >= 180000 for this to work with 17.

Also the commit message is a little hard to read. Which "data directory" needs to be copied? I think the actual behavior change here needs to be presented first, and then we can talk about the added test and why the pg_tde/ directory (not the data directory) needs to be copied in it.

I don't think we should make assertions on the "cp" command, it should be assumed to work imho.

jeltz added 2 commits March 10, 2026 20:34
@jeltz
PG-2240 Add pg_upgrade support for encrypted tables
3a3295d 
To safely run pg_upgrade with SMGR encryption enabled people need to
first copy the data directory and then we have changed pg_tde so that it
no longer overwrites or deletes keys when ran in binary upgrade mode.

Encrypted WAL is still not supported in pg_upgrade and it may also make
sense to write a script which automates copying the pg_tde directory.
@jeltz
WIP: PG-2240 Add test for pg_upgrade with encrypted WAL
73fae64 
The test is partially included to showcase the steps necessary to
get pg_upgrade working with encrypted WAL.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jeltz @codecov-commenter @AndersAstrand