Skip to main content
We strongly recommend only using cockroach debug encryption-decrypt when working directly with the .
The command decrypts store files on a node that are so that they can be examined to add more context to logs gathered from the command. Unless they are decrypted, Cockroach Labs cannot examine store files that are encrypted at rest.

Synopsis

Replace:
  • : The cluster’s .
  • : The directory where the node .
  • : The name of an encrypted store file.
  • : A name for the decrypted store file. If not specified, the command will output the decrypted contents to stdout.
Run the command locally on a node. It does not support the --url flag. After running the command, you can send the requested decrypted file to Cockroach Labs.

Subcommands

While the cockroach debug command has a few subcommands, users are expected to use only the , , , , , and subcommands. We recommend using the and subcommands only when directed by the . The other debug subcommands are useful only to Cockroach Labs. Output of debug commands may contain sensitive or secret information.

Flags

The debug encryption-decrypt subcommand supports the following general-use and client connection flags.

General

FlagDescription
--timeoutReturn an error if the command does not conclude within a specified nonzero value. The timeout is suffixed with s (seconds), m (minutes), or h (hours). For example:

--timeout=2m

Client connection

FlagDescription
--user

-u
The that will own the client session.

Env Variable: COCKROACH_USER
Default: root
--insecureUse an insecure connection.

Env Variable: COCKROACH_INSECURE
Default: false
--cert-principal-mapA comma-separated list of <cert-principal:<db-principal mappings. This allows mapping the principal in a certificate to a DB principal such as node or root or any SQL user. This is intended for use in situations where the certificate management system places restrictions on the Subject.CommonName or SubjectAlternateName fields in the certificate (e.g., disallowing a CommonName like node or root). If multiple mappings are provided for the same <cert-principal, the last one specified in the list takes precedence. A principal not specified in the map is passed through as-is via the identity function. A certificate is allowed to authenticate a DB principal if the DB principal name is contained in the mapped CommonName or DNS-type SubjectAlternateName fields.
--certs-dirThe path to the containing the CA and client certificates and client key.

Env Variable: COCKROACH_CERTS_DIR
Default: ${HOME}/.cockroach-certs/

Files

The cockroach debug encryption-decrypt command will output the decrypted store file to the specified location. If no location is specified, the decrypted contents are sent tostdout.

See also