Fujitsu Enterprise Postgres enables you to use the five backup and recovery methods described below. Regardless of the method you use, you must back up the keystore at the same time.
Note that you must store the database and the keystore on separate data storage media. If both are stored on the same medium and that medium is stolen, the encrypted data is at risk of being deciphered.
Backup and recovery using WebAdmin
Backup
WebAdmin backs up encrypted data.
Back up the keystore after backing up the database.
Recovery
Restore the keystore to its state at the time of database backup. Refer to "5.6.4 Backing Up and Recovering the Keystore" for details.
Enable automatic opening of the keystore in accordance with the procedure described in "5.6.3 Enabling Automatic Opening of the Keystore". Then, use WebAdmin to recover the database.
Backup and recovery using the pgx_dmpall and pgx_rcvall commands
Backup
The pgx_dmpall command backs up the encrypted data.
Back up the keystore after backing up the database.
Recovery
Restore the keystore to its state at the time of the database backup.
Configure automatic opening of the keystore as necessary.
If automatic opening of the keystore is not enabled, execute the pgx_rcvall command with the --keystore-passphrase option specified. This will display the prompt for the passphrase to be entered.
Example
Back up the database and the keystore on March 1, 2022.
> pgx_dmpall -D /database/inst1
> cp -p /key/store/location/keystore.ks /keybackup/keystore_20220301.ks
Specify the following in the pgx_dmpall command:
Specify the data storage destination in the -D option. If the -D option is omitted, the value of the PGDATA environment variable is used by default.
Recover the database and the keystore from the backup taken on March 1, 2022.
> cp -p /keybackup/keystore_20220301.ks /key/store/location/keystore.ks
> pgx_keystore --enable-auto-open /key/store/location/keystore.ks (Execute only when enabling automatic opening)
> pgx_rcvall -B /backup/inst1 -D /database/inst1 --keystore-passphrase
Specify the following in the pgx_rcvall command:
Specify the data storage destination in the -D option. If the -D option is omitted, the value of the PGDATA environment variable is used by default.
Specify the backup data storage directory in the -B option.
The --keystore-passphrase option prompts you to enter the passphrase to open the keystore.
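The following script is an added example, not part of the Fujitsu documentation. It pairs with the backup example above: it checks the separate-media requirement by comparing the filesystems that hold the data directory and the keystore backup directory, copies the keystore under a dated name, and records a SHA-256 checksum so that a later restore can confirm the keystore is in its state at the time of the database backup. The function names are hypothetical, and sha256sum (GNU coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths follow the page's example.
# Assumes a POSIX shell with df, awk, cp and GNU sha256sum.

# Print the device (filesystem source) that holds a path.
fs_of() {
    df -P "$1" | awk 'NR==2 {print $1}'
}

# Return 0 when both paths are on the same filesystem.
same_filesystem() {
    [ "$(fs_of "$1")" = "$(fs_of "$2")" ]
}

# copy_keystore KEYSTORE BACKUPDIR DATE
# Copy the keystore under a dated name and record its SHA-256 checksum.
copy_keystore() {
    ks=$1; dest=$2; stamp=$3
    cp -p "$ks" "$dest/keystore_${stamp}.ks" || return 1
    (cd "$dest" && sha256sum "keystore_${stamp}.ks" > "keystore_${stamp}.ks.sha256")
}

# verify_keystore_backup BACKUPDIR DATE
# Return 0 only when the dated keystore copy still matches its checksum.
verify_keystore_backup() {
    (cd "$1" && sha256sum -c "keystore_${2}.ks.sha256" >/dev/null 2>&1)
}

# Usage, after pgx_dmpall has finished:
#   sh keystore_backup.sh /database/inst1 /key/store/location/keystore.ks /keybackup 20220301
if [ "$#" -eq 4 ]; then
    if same_filesystem "$1" "$3"; then
        echo "refusing: $3 is on the same filesystem as $1" >&2
        exit 1
    fi
    copy_keystore "$2" "$3" "$4" && verify_keystore_backup "$3" "$4"
fi
```

Two filesystems can still share one physical disk, so a passing check is necessary but not sufficient for the separate-media requirement.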
Dump and restore using SQL
Backup
The files output by the pg_dump and pg_dumpall commands are not encrypted. You should, therefore, encrypt the files using OpenSSL commands or other means before saving them, as described in "5.8 Importing and Exporting the Database" below.
Back up the keystore after backing up the database.
Restore
If the backup data has been encrypted (for example, using OpenSSL commands), decrypt that data.
The data generated by the pg_dumpall command includes a specification to encrypt tablespaces by default. For this reason, the psql command encrypts tablespaces during restoration.
File system level backup and restore
Backup
Stop the instance and back up the data directory and the tablespace directory using the file copy command of the operating system. The files of encrypted tablespaces are backed up in the encrypted state.
Back up the keystore after performing the backup.
Restore
Restore the keystore to its state at the time of the database backup.
Stop the instance and restore the data directory and the tablespace directory using the file copy command of the operating system.
Continuous archiving and point-in-time recovery
Backup
The pg_basebackup command backs up the encrypted data as is.
Back up the keystore after performing the backup.
Recovery
Restore the keystore to its state at the time of the database backup.
Configure automatic opening of the keystore as necessary.
If automatic opening of the keystore is not enabled, execute the pg_ctl command to start the instance with the --keystore-passphrase option specified. This will display the prompt for the passphrase to be entered.
See
Refer to "pg_ctl" under "Reference" in the PostgreSQL Documentation for information on the pg_ctl command.
Refer to "Reference" in the PostgreSQL Documentation for information on the following commands:
psql
pg_dump
pg_basebackup
Refer to the Reference for information on the following commands:
pgx_rcvall
pgx_dmpall
pg_dumpall
If you have restored the keystore, repeat the process of enabling automatic opening of the keystore. This ensures that the contents of the automatically opening keystore (keystore.aks) are identical to the contents of the restored keystore.
Refer to "5.6.3 Enabling Automatic Opening of the Keystore" for information on how to enable automatic opening of the keystore.