cockroach debug encryption-decrypt

On this page Carat arrow pointing down
Warning:
GA releases for CockroachDB v23.1 are no longer supported. Cockroach Labs will stop providing LTS Assistance Support for v23.1 LTS releases on November 13, 2025. Prior to that date, upgrade to a more recent version to continue receiving support. For more details, refer to the Release Support Policy.
Warning:

We strongly recommend only using cockroach debug encryption-decrypt when working directly with the Cockroach Labs support team.

The cockroach debug encryption-decrypt command decrypts store files on a node that are encrypted at rest so that they can be examined to add more context to logs gathered from the cockroach debug zip command. Unless they are decrypted, Cockroach Labs cannot examine store files that are encrypted at rest.

Synopsis

cockroach debug encryption-decrypt {store_directory} {input_file} {output_file} --enterprise-encryption={encryption_spec} {flags}

Replace:

  • {encryption_spec}: The cluster's encryption details.
  • {store_directory}: The directory where the node stores data files.
  • {input_file}: The name of an encrypted store file.
  • {output_file}: A name for the decrypted store file. If not specified, the command will output the decrypted contents to stdout.

Run the command locally on a node. It does not support the --url flag.

After running the command, you can send the requested decrypted file to Cockroach Labs.

Subcommands

While the cockroach debug command has a few subcommands, users are expected to use only the zip, encryption-active-key, merge-logs, list-files, tsdump, and ballast subcommands.

We recommend using the encryption-decrypt and job-trace subcommands only when directed by the Cockroach Labs support team.

The other debug subcommands are useful only to Cockroach Labs. Output of debug commands may contain sensitive or secret information.

Flags

The debug encryption-decrypt subcommand supports the following general-use and client connection flags.

General

Flag Description
--timeout Return an error if the command does not conclude within a specified nonzero value. The timeout is suffixed with s (seconds), m (minutes), or h (hours). For example:

--timeout=2m

Client connection

Flag Description
--user

-u
The SQL user that will own the client session.

Env Variable: COCKROACH_USER
Default: root
--insecure Use an insecure connection.

Env Variable: COCKROACH_INSECURE
Default: false
--cert-principal-map A comma-separated list of <cert-principal>:<db-principal> mappings. This allows mapping the principal in a certificate to a DB principal such as node or root or any SQL user. This is intended for use in situations where the certificate management system places restrictions on the Subject.CommonName or SubjectAlternateName fields in the certificate (e.g., disallowing a CommonName like node or root). If multiple mappings are provided for the same <cert-principal>, the last one specified in the list takes precedence. A principal not specified in the map is passed through as-is via the identity function. A certificate is allowed to authenticate a DB principal if the DB principal name is contained in the mapped CommonName or DNS-type SubjectAlternateName fields.
--certs-dir The path to the certificate directory containing the CA and client certificates and client key.

Env Variable: COCKROACH_CERTS_DIR
Default: ${HOME}/.cockroach-certs/

Files

The cockroach debug encryption-decrypt command will output the decrypted store file to the specified location. If no location is specified, the decrypted contents are sent tostdout.

See also


Yes No
On this page

Yes No