We strongly recommend only using cockroach debug encryption-decrypt when working directly with the Cockroach Labs support team.
The cockroach debug encryption-decrypt command decrypts store files on a node that are encrypted at rest so that they can be examined to add more context to logs gathered from the cockroach debug zip command. Unless they are decrypted, Cockroach Labs cannot examine store files that are encrypted at rest.
Synopsis
cockroach debug encryption-decrypt {store_directory} {input_file} {output_file} --enterprise-encryption={encryption_spec} {flags}
Replace:
{encryption_spec}: The cluster's encryption details.{store_directory}: The directory where the node stores data files.{input_file}: The name of an encrypted store file.{output_file}: A name for the decrypted store file. If not specified, the command will output the decrypted contents tostdout.
Run the command locally on a node. It does not support the --url flag.
After running the command, you can send the requested decrypted file to Cockroach Labs.
Subcommands
While the cockroach debug command has a few subcommands, users are expected to use only the zip, encryption-active-key, merge-logs, list-files, tsdump, and ballast subcommands.
We recommend using the encryption-decrypt and job-trace subcommands only when directed by the Cockroach Labs support team.
The other debug subcommands are useful only to Cockroach Labs. Output of debug commands may contain sensitive or secret information.
Flags
The debug encryption-decrypt subcommand supports the following general-use and client connection flags.
General
| Flag | Description |
|---|---|
--timeout |
Return an error if the command does not conclude within a specified nonzero value. The timeout is suffixed with s (seconds), m (minutes), or h (hours). For example:--timeout=2m |
Client connection
| Flag | Description |
|---|---|
--user-u |
The SQL user that will own the client session. Env Variable: COCKROACH_USERDefault: root |
--insecure |
Use an insecure connection. Env Variable: COCKROACH_INSECUREDefault: false |
--cert-principal-map |
A comma-separated list of <cert-principal>:<db-principal> mappings. This allows mapping the principal in a certificate to a DB principal such as node or root or any SQL user. This is intended for use in situations where the certificate management system places restrictions on the Subject.CommonName or SubjectAlternateName fields in the certificate (e.g., disallowing a CommonName like node or root). If multiple mappings are provided for the same <cert-principal>, the last one specified in the list takes precedence. A principal not specified in the map is passed through as-is via the identity function. A certificate is allowed to authenticate a DB principal if the DB principal name is contained in the mapped CommonName or DNS-type SubjectAlternateName fields. |
--certs-dir |
The path to the certificate directory containing the CA and client certificates and client key. Env Variable: COCKROACH_CERTS_DIRDefault: ${HOME}/.cockroach-certs/ |
Files
The cockroach debug encryption-decrypt command will output the decrypted store file to the specified location. If no location is specified, the decrypted contents are sent tostdout.
See also
Was this helpful?
