Wal Fetch Encryption: Securing WAL Archives with GPG and PGP
Storing WAL archives unencrypted in cloud storage exposes the database's complete change history (every row written, including data that has since been deleted or updated) to anyone who can read the bucket. WAL-G supports OpenPGP-standard encryption: wal-push encrypts each WAL segment before it is uploaded to S3, GCS, or Azure, so the stored objects are encrypted at rest, and wal-fetch decrypts them transparently during recovery. Base backups taken with backup-push are encrypted with the same key. Note what this does and does not protect: a leaked bucket yields only ciphertext, but a host that holds the private key and its passphrase can still read everything.
To enable encryption, generate a PGP key pair and set WALG_PGP_KEY to the ASCII-armored key. An armored private key carries its public part, so the same value serves both wal-push (which encrypts to the public part) and wal-fetch (which decrypts with the private part); WAL-G picks the right part automatically. A host that only archives can be given the public key alone, but wal-fetch on a host without the private key fails at restore time, so make sure every host that may run restore_command has the private key.
Key path configuration: instead of placing the armored key in an environment variable, set WALG_PGP_KEY_PATH to the filesystem path of the key file and make that file readable only by the user that runs archive_command and restore_command (mode 0600). This is preferred in production, where process environments are routinely captured in logs, crash dumps and /proc/<pid>/environ, which any process running as the same user can read.
Passphrase protection: if the private key is passphrase-protected, set WALG_PGP_KEY_PASSPHRASE so that WAL-G can unlock the key during wal-fetch operations without manual input. The passphrase then lives in the environment, so it is exposed wherever the environment is; it still limits the damage of a copied key file, but the environment of the WAL-G process needs the same protection as the key itself.
Envelope PGP key management: for organizations using a Key Management System (KMS), WAL-G supports WALG_ENVELOPE_PGP_KEY (or WALG_ENVELOPE_PGP_KEY_PATH for a file), which holds the PGP private key encrypted by a KMS key and base64-encoded. WAL-G asks the KMS to unwrap the key at run time, so the plaintext key never has to sit on the host, and access to it is governed by the KMS's own access policy and audit log. Currently only Yandex Cloud KMS is supported, with the wrapping key identified by WALG_ENVELOPE_PGP_YC_KMS_KEY_ID.
Security best practice: rotate the PGP key periodically. WAL-G encrypts each file at push time and does not re-encrypt what is already stored, so after switching the key on every archiving and restore host, take a fresh base backup so that a complete restore chain exists under the new key, and keep the old private key available for wal-fetch until every WAL file and backup encrypted with it has aged out of retention (or has been fetched and pushed again under the new key). Always test wal-fetch of a segment archived after the switch, from a restore host that has only the new key, before decommissioning the old one; a key destroyed too early turns the archive into unrecoverable ciphertext.
“Encrypted wal fetch ensures that even if your cloud storage is compromised, your database WAL archives remain unreadable without the private key.”
Step-by-Step: Set Up Encrypted wal-fetch
Follow these steps to set up encrypted WAL archiving and wal-fetch recovery in your PostgreSQL environment.
Generate PGP Key Pair: create a key with an encryption subkey (gpg --gen-key), export the ASCII-armored private key to a file owned by the WAL-G user with mode 0600, and give hosts that only archive the public key.
Configure WALG_PGP_KEY: set WALG_PGP_KEY_PATH (plus WALG_PGP_KEY_PASSPHRASE if the key is protected) in the environment seen by archive_command ('wal-g wal-push %p') and restore_command ('wal-g wal-fetch %f %p').
Test Encrypted Push: run wal-g wal-push on a completed WAL segment and confirm that the stored object is no longer readable as a WAL file.
Verify wal-fetch Decryption: fetch the same segment with wal-g wal-fetch and compare it byte for byte with the original; a mismatch or decryption error here is exactly the failure a real recovery would hit.
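The script below is an added example, not code from this article or from the WAL-G project. It walks through the four steps above and the WALG_PGP_KEY_PATH / WALG_PGP_KEY_PASSPHRASE configuration described earlier: it generates the key non-interactively, exports the private and public keys, preflights the key file, and round-trips one completed WAL segment through wal-push and wal-fetch. The key user id walg@example.com, the /etc/wal-g paths, the bucket in WALG_S3_PREFIX and the PGDATA default are assumptions; the gpg and wal-g invocations are the standard ones. The preflight step refuses a public-key-only file (which would let wal-push succeed while wal-fetch fails at restore time), a truncated file, and a key readable by other users.

```shell
#!/bin/sh
# Added example, not code from the article or from WAL-G: generate a PGP key
# for WAL-G, export it, preflight the key file, and round-trip one WAL segment
# through wal-push / wal-fetch. Assumed (not from the page): the key user id,
# the /etc/wal-g paths, the bucket in WALG_S3_PREFIX and the PGDATA default.
set -eu

KEY_EMAIL="walg@example.com"            # assumption
KEY_DIR="/etc/wal-g"                    # assumption
PRIV_KEY="$KEY_DIR/walg-private.asc"
PUB_KEY="$KEY_DIR/walg-public.asc"

# Step 1: generate the key pair non-interactively. The RSA subkey is the one
# wal-push encrypts to; the primary key certifies it.
generate_key() {
    passphrase="$1"
    gpg --batch --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: WAL-G backup
Name-Email: $KEY_EMAIL
Expire-Date: 0
Passphrase: $passphrase
%commit
EOF
}

# Step 1, export: the armored private key carries its public part, so it is
# the one file restore hosts need; archive-only hosts can get the public key.
export_keys() {
    passphrase="$1"
    mkdir -p "$KEY_DIR"
    ( umask 077
      gpg --batch --pinentry-mode loopback --passphrase "$passphrase" \
          --armor --export-secret-keys "$KEY_EMAIL" > "$PRIV_KEY"
      gpg --batch --armor --export "$KEY_EMAIL" > "$PUB_KEY" )
}

# Preflight the file WALG_PGP_KEY_PATH will point at. Returns non-zero with a
# reason when the file would make wal-fetch fail or would leak the key.
walg_pgp_preflight() {
    f="$1"
    [ -s "$f" ] || { echo "preflight: $f missing or empty" >&2; return 1; }
    first=$(head -n 1 "$f")
    case "$first" in
        '-----BEGIN PGP PRIVATE KEY BLOCK-----') ;;
        '-----BEGIN PGP PUBLIC KEY BLOCK-----')
            echo "preflight: $f is a public key: wal-push works, wal-fetch cannot decrypt" >&2
            return 1 ;;
        *) echo "preflight: $f is not an ASCII-armored PGP key" >&2; return 1 ;;
    esac
    grep -q -- '-----END PGP PRIVATE KEY BLOCK-----' "$f" \
        || { echo "preflight: $f is truncated (no END line)" >&2; return 1; }
    # Group/other permission bits (columns 5-10 of ls -l) must all be off.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] \
        || { echo "preflight: $f is readable by group/others; chmod 600 it" >&2; return 1; }
    return 0
}

# Steps 3 and 4: push one completed segment (one with a .done marker, so its
# content is final) and fetch it back under a new name. A byte-for-byte match
# proves both encryption and decryption are configured.
roundtrip_segment() {
    segment=$(ls "$PGDATA/pg_wal/archive_status" | grep '\.done$' | head -n 1 | sed 's/\.done$//')
    [ -n "$segment" ] || { echo "no completed WAL segment in $PGDATA/pg_wal" >&2; return 1; }
    wal-g wal-push "$PGDATA/pg_wal/$segment"
    out=$(mktemp)
    wal-g wal-fetch "$segment" "$out"
    if cmp -s "$PGDATA/pg_wal/$segment" "$out"; then
        echo "round-trip OK: $segment fetched and decrypted correctly"; rm -f "$out"
    else
        echo "round-trip FAILED: fetched $segment differs from the original" >&2
        rm -f "$out"; return 1
    fi
}

main() {
    passphrase="$1"
    generate_key "$passphrase"
    export_keys "$passphrase"
    walg_pgp_preflight "$PRIV_KEY"
    # Step 2: the variables archive_command and restore_command must see.
    export WALG_S3_PREFIX="${WALG_S3_PREFIX:-s3://example-bucket/wal-g}"  # assumption
    export WALG_PGP_KEY_PATH="$PRIV_KEY"
    export WALG_PGP_KEY_PASSPHRASE="$passphrase"
    export PGDATA="${PGDATA:-/var/lib/postgresql/data}"                   # assumption
    roundtrip_segment
}

# Define-only when sourced; run the full procedure only on explicit request.
if [ "${WALG_PGP_DEMO_RUN:-0}" = 1 ]; then
    main "${WALG_PGP_PASSPHRASE:?set WALG_PGP_PASSPHRASE to the key passphrase}"
fi
```

Run it with WALG_PGP_DEMO_RUN=1 and WALG_PGP_PASSPHRASE set, on a host that has gpg, wal-g and a PostgreSQL data directory whose archiver has already completed at least one segment. Sourced without those variables it only defines the functions, so walg_pgp_preflight can be reused as a deployment check before restore_command is ever needed.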