From d683a489e31135f2cc5d280e37d09685b7ec58c4 Mon Sep 17 00:00:00 2001
From: Andrew Pogrebnoy
Date: Mon, 25 Aug 2025 20:42:29 +0300
Subject: [PATCH] Fix possible _keys file loss during key rotation
There is no reason to do durable_unlink before durable_rename. Rename can handle existing file. But with this sequence, the cluster may endup in unrecoverable state should server crash in-between this two ops, as there is going to be no "_keys" at all. The current sequence may also cause an issue the backup: , , . And no "_keys" file in the backup as the result.
---
 contrib/pg_tde/src/access/pg_tde_tdemap.c | 3 +--
 contrib/pg_tde/src/access/pg_tde_xlog_keys.c | 5 ++---
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/contrib/pg_tde/src/access/pg_tde_tdemap.c b/contrib/pg_tde/src/access/pg_tde_tdemap.c
index 1a9e118771c49..082a9ad8f2fd5 100644
--- a/contrib/pg_tde/src/access/pg_tde_tdemap.c
+++ b/contrib/pg_tde/src/access/pg_tde_tdemap.c
@@ -297,10 +297,9 @@ pg_tde_perform_rotate_key(const TDEPrincipalKey *principal_key, const TDEPrincip
 CloseTransientFile(new_fd);
 /*
- * Do the final steps - replace the current _map with the file with new
+ * Do the final step - replace the current _keys with the file with new
 * data
 */
- durable_unlink(old_path, ERROR);
 durable_rename(new_path, old_path, ERROR);
 /*
diff --git a/contrib/pg_tde/src/access/pg_tde_xlog_keys.c b/contrib/pg_tde/src/access/pg_tde_xlog_keys.c
index 4c14625e0080f..f1c64aa5a32b2 100644
--- a/contrib/pg_tde/src/access/pg_tde_xlog_keys.c
+++ b/contrib/pg_tde/src/access/pg_tde_xlog_keys.c
@@ -718,10 +718,9 @@ pg_tde_perform_rotate_server_key(const TDEPrincipalKey *principal_key,
 CloseTransientFile(new_fd);
 /*
- * Do the final steps - replace the current WAL key file with the file
- * with new data.
+ * Do the final step - replace the current WAL key file with the file with
+ * new data.
 */
- durable_unlink(get_wal_key_file_path(), ERROR);
 durable_rename(tmp_path, get_wal_key_file_path(), ERROR);
 /*
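Review bot: The rewritten comment above `durable_rename(new_path, old_path, ERROR);` in pg_tde_perform_rotate_key still does not say why the old file must not be unlinked first, although that ordering is what keeps key rotation crash-safe; the comment in pg_tde_perform_rotate_server_key has the same gap. I would add a sentence such as `* Never unlink the old file first: rename() replaces it in one step, so a crash or a concurrent backup always finds a complete key file.` so that a later cleanup does not reintroduce the unlink. Both function bodies start and continue outside their hunks, so whether the new file is fully written and closed on every path before this point cannot be checked from here. A crash-recovery test around the rotation step would pin the behaviour, if the test harness can interrupt the server there.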