cockroach debug encryption-decrypt

On this page Carat arrow pointing down

We strongly recommend only using cockroach debug encryption-decrypt when working directly with the Cockroach Labs support team.

The cockroach debug encryption-decrypt command decrypts store files on a node that are encrypted at rest so that they can be examined to add more context to logs gathered from the cockroach debug zip command. Unless they are decrypted, Cockroach Labs cannot examine store files that are encrypted at rest.


cockroach debug encryption-decrypt {store_directory} {input_file} {output_file} --enterprise-encryption={encryption_spec} {flags}


  • {encryption_spec}: The cluster's encryption details.
  • {store_directory}: The directory where the node stores data files.
  • {input_file}: The name of an encrypted store file.
  • {output_file}: A name for the decrypted store file. If not specified, the command will output the decrypted contents to stdout.

Run the command locally on a node. It does not support the --url flag.

After running the command, you can send the requested decrypted file to Cockroach Labs.


While the cockroach debug command has a few subcommands, users are expected to use only the zip, encryption-active-key, merge-logs, list-files, tsdump, and ballast subcommands.

We recommend using the encryption-decrypt and job-trace subcommands only when directed by the Cockroach Labs support team.

The other debug subcommands are useful only to Cockroach Labs. Output of debug commands may contain sensitive or secret information.


The debug encryption-decrypt subcommand supports the following general-use and client connection flags.


Flag Description
--timeout Return an error if the command does not conclude within a specified nonzero value. The timeout is suffixed with s (seconds), m (minutes), or h (hours). For example:


Client connection

Flag Description

The SQL user that will own the client session.

Default: root
--insecure Use an insecure connection.

Default: false
--cert-principal-map A comma-separated list of <cert-principal>:<db-principal> mappings. This allows mapping the principal in a certificate to a DB principal such as node or root or any SQL user. This is intended for use in situations where the certificate management system places restrictions on the Subject.CommonName or SubjectAlternateName fields in the certificate (e.g., disallowing a CommonName like node or root). If multiple mappings are provided for the same <cert-principal>, the last one specified in the list takes precedence. A principal not specified in the map is passed through as-is via the identity function. A certificate is allowed to authenticate a DB principal if the DB principal name is contained in the mapped CommonName or DNS-type SubjectAlternateName fields.
--certs-dir The path to the certificate directory containing the CA and client certificates and client key.

Default: ${HOME}/.cockroach-certs/


The cockroach debug encryption-decrypt command will output the decrypted store file to the specified location. If no location is specified, the decrypted contents are sent tostdout.

See also

Yes No
On this page

Yes No