This post was originally written in 2023 and was updated in 2025.

Encryption protects sensitive information by converting it into an unreadable format unless the correct passphrase or decryption key is supplied.

In this post, we’ll look at how to encrypt the pgBackRest repository. pgBackRest is a backup solution widely used for PostgreSQL database backups, restorations, and point-in-time recovery (PITR). The repository is where pgBackRest stores backups and WAL archives, and without encryption it can be a weak point in your security chain.

By enabling encryption, pgBackRest secures the repository using a password you provide, blocking unauthorized access to stored data.

For this walkthrough, we’ll assume pgBackRest is already installed and configured on a dedicated backup node, and set up to take backups from a remote PostgreSQL database node. The repository will be configured with a cipher type and key to demonstrate how encryption works in practice.

Setup overview:

  • Backup node: 172.20.20.20 (dummy IP)
  • Remote DB node: 172.15.15.15 (dummy IP)

1) First, generate the cipher key.

pgBackRest will use this cipher key to encrypt the pgBackRest repository.

It is important to use a long, random passphrase for the cipher key. A good way to generate one is to run openssl rand -base64 48 on the backup node.

2) On the backup node, add the cipher type and key parameters to the pgBackRest configuration file, /etc/pgbackrest.conf:

If you have an existing pgBackRest setup, the existing stanza cannot be used after encryption is configured for the repository. A new stanza must be created to take backups in the encryption-enabled repository. Using the existing stanza will result in the following error:

In the example below, the existing stanza dbtest has been used.

The pgBackRest configuration files will look like this after adding the cipher pass (key) and type.

Backup node

DB node

3) Create a new stanza (on the backup node):

4) Update the archive_command with the new stanza details on the DB node:

5) Reload the Postgres cluster (on the DB node):

6) Execute the check command.

The check command validates that pgBackRest and the archive_command setting are configured correctly for archiving and backups for the specified stanza:

7) Perform a FULL backup:

8) Perform a DIFFERENTIAL backup (optional step):

9) To check the backup status and its details, use the info command:
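
The backup-node side of steps 1 to 9, as an added example that is not from the original post, with a pre-flight check that the config really enables encryption and does not expose the passphrase. The stanza name dbtest_enc, the repository and data-directory paths, the function names and the 32-character minimum are assumptions of this example; repo1-cipher-type and repo1-cipher-pass are pgBackRest's own options.

```shell
#!/bin/sh
# Added example, not from the original post. Stanza name, paths and
# function names are assumptions made for illustration.

# Step 1: 48 random bytes, base64-encoded, as the post recommends.
gen_cipher_key() { openssl rand -base64 48; }

# Step 2: write the backup-node config with repository encryption enabled.
# usage: write_backup_conf FILE STANZA DB_HOST KEY
# e.g.   write_backup_conf /etc/pgbackrest.conf dbtest_enc 172.15.15.15 "$(gen_cipher_key)"
write_backup_conf() {
    # Create/truncate and restrict the file before the passphrase goes in.
    : > "$1" && chmod 600 "$1" && cat >> "$1" <<EOF
[global]
repo1-path=/var/lib/pgbackrest
repo1-cipher-type=aes-256-cbc
repo1-cipher-pass=$4

[$2]
pg1-host=$3
pg1-path=/var/lib/postgresql/16/main
EOF
}

# Pre-flight check before step 3: prints findings, returns 1 if any.
# The 32-character minimum is this example's threshold, not pgBackRest's.
audit_backup_conf() {
    rc=0
    ctype=$(sed -n 's/^repo1-cipher-type=//p' "$1")
    cpass=$(sed -n 's/^repo1-cipher-pass=//p' "$1")
    [ "$ctype" = "aes-256-cbc" ] || { echo "repo1-cipher-type is not aes-256-cbc"; rc=1; }
    [ "${#cpass}" -ge 32 ] || { echo "repo1-cipher-pass missing or too short"; rc=1; }
    # The passphrase is stored in clear text: "other" permission bits must be clear.
    [ "$(ls -ldL "$1" | cut -c8-10)" = "---" ] || { echo "config accessible to other users"; rc=1; }
    return $rc
}

# Steps 3 and 6-9 on the backup node. Between "create" and "backup", do steps
# 4-5 on the DB node: archive_command = 'pgbackrest --stanza=STANZA archive-push %p'
# usage: stanza_step create|backup STANZA
stanza_step() {
    case $1 in
        create) pgbackrest --stanza="$2" stanza-create ;;
        backup) pgbackrest --stanza="$2" check &&
                pgbackrest --stanza="$2" --type=full backup &&
                pgbackrest --stanza="$2" --type=diff backup &&
                pgbackrest --stanza="$2" info ;;
    esac
}
```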

Take your PostgreSQL security further

Encrypting your pgBackRest repository is one of the simplest ways to strengthen your PostgreSQL security posture. It ensures that even if backup files are exposed, the data inside remains protected. But encryption is just one piece of the bigger picture; securing PostgreSQL at scale requires a thoughtful approach to authentication, auditing, backups, and compliance.

If you’re ready to look at PostgreSQL security from every angle, check out how Percona ensures compliance and security in Percona for PostgreSQL. It highlights the most common missteps teams make and the practical steps you can take to keep your data safe.

How Percona for PostgreSQL Meets Compliance and Security Standards
