We strongly recommend only using cockroach debug encryption-decrypt
when working directly with the Cockroach Labs support team.
The cockroach debug encryption-decrypt
command decrypts store files on a node that are encrypted at rest so that they can be examined to add more context to logs gathered from the cockroach debug zip
command. Unless they are decrypted, Cockroach Labs cannot examine store files that are encrypted at rest.
Synopsis
cockroach debug encryption-decrypt {store_directory} {input_file} {output_file} --enterprise-encryption={encryption_spec} {flags}
Replace:
{encryption_spec}
: The cluster's encryption details.{store_directory}
: The directory where the node stores data files.{input_file}
: The name of an encrypted store file.{output_file}
: A name for the decrypted store file. If not specified, the command will output the decrypted contents tostdout
.
Run the command locally on a node. It does not support the --url
flag.
After running the command, you can send the requested decrypted file to Cockroach Labs.
Subcommands
While the cockroach debug
command has a few subcommands, users are expected to use only the zip
, encryption-active-key
, merge-logs
, list-files
, tsdump
, and ballast
subcommands.
We recommend using the encryption-decrypt
and job-trace
subcommands only when directed by the Cockroach Labs support team.
The other debug
subcommands are useful only to Cockroach Labs. Output of debug
commands may contain sensitive or secret information.
Flags
The debug encryption-decrypt
subcommand supports the following general-use and client connection flags.
General
Flag | Description |
---|---|
--timeout |
Return an error if the command does not conclude within a specified nonzero value. The timeout is suffixed with s (seconds), m (minutes), or h (hours). For example:--timeout=2m |
Client connection
Flag | Description |
---|---|
--user -u |
The SQL user that will own the client session. Env Variable: COCKROACH_USER Default: root |
--insecure |
Use an insecure connection. Env Variable: COCKROACH_INSECURE Default: false |
--cert-principal-map |
A comma-separated list of <cert-principal>:<db-principal> mappings. This allows mapping the principal in a certificate to a DB principal such as node or root or any SQL user. This is intended for use in situations where the certificate management system places restrictions on the Subject.CommonName or SubjectAlternateName fields in the certificate (e.g., disallowing a CommonName like node or root ). If multiple mappings are provided for the same <cert-principal> , the last one specified in the list takes precedence. A principal not specified in the map is passed through as-is via the identity function. A certificate is allowed to authenticate a DB principal if the DB principal name is contained in the mapped CommonName or DNS-type SubjectAlternateName fields. |
--certs-dir |
The path to the certificate directory containing the CA and client certificates and client key. Env Variable: COCKROACH_CERTS_DIR Default: ${HOME}/.cockroach-certs/ |
Files
The cockroach debug encryption-decrypt
command will output the decrypted store file to the specified location. If no location is specified, the decrypted contents are sent tostdout
.