
metadata not encrypted

Open zolfariot opened this issue 1 year ago • 0 comments

Database name

PostgreSQL (12)

Issue description

I am a first-time wal-g user, so I apologize in advance if I have missed something obvious, or if there are fundamental reasons for which metadata encryption is not doable or recommendable.

In my scenario I have configured wal-g to back up to an S3 bucket, using libsodium encryption and a base64-encoded key.

After the basebackup completes, I found in my bucket the file basebackup_005/base_[WALSEQ]/files_metadata.json, that contains in plaintext the names of all the tables in my database.

Describe your problem

Even if the actual data are encrypted, I think this behavior is undesirable as it is leaking which applications (and potentially versions) I am running on my server.

Please provide steps to reproduce

Create a basic wal-g config.yaml:

WALG_S3_PREFIX: "s3://some-s3-storage-1/"
AWS_SECRET_ACCESS_KEY: "S3_STORAGE_KEY_1"
AWS_ACCESS_KEY_ID: "S3_STORAGE_KEY_ID_1"
WALG_LIBSODIUM_KEY_TRANSFORM: "base64"
WALG_LIBSODIUM_KEY: "32bit-base64-encoded-key"
PGHOST: "/var/run/postgresql"
PGDATA: "/var/lib/postgresql/12/main"

Run a base backup:

wal-g backup-push /var/lib/postgresql/12/main

Access your S3 management interface, open the bucket and download the basebackup_005/base_[WALSEQ]/files_metadata.json file, look at its content and find table names.

Please add config and wal-g stdout/stderr logs for debug purpose

Excerpts of files_metadata.json showing a NextCloud/OwnCloud installation:

:17559,"public.oc_activity_mq_pkey":65049,"public.oc_activity_pkey":17553,"public.oc_addressbookchanges":17335,"public.oc_addressbookchanges_id_seq":17181,"public.oc_addressbookchanges_pkey":17338,"public.oc_addressbooks":17152,"public.oc_addressbooks_id_seq":17150,"public.oc_addressbooks_pkey":17164,"public.oc_announcements":152701,"public.oc_announcements_announcement_id_seq":152699,"public.oc_announcements_map":340785,"public.oc_announcements_map_id_seq":340783,"public.oc_announcements_map_pkey":340789,"public.oc_announcements_pkey":152710,"public.oc_appconfig":16413,"public.oc_appconfig_pkey":16421,"public.oc_authtoken":16873,"public.oc_authtoken_backup":583683,"public.oc_authtoken_id_seq":16602,"public.oc_authtoken_pkey":16881,"public.oc_bruteforce_attempts":16885,"public.oc_bruteforce_attempts_id_seq":16623,"public.oc_bruteforce_attempts_pkey":16893,"public.oc_calendar_invitations":17416,"public.oc_calendar_invitations_id_seq":17414,"public.oc_calendar_invitations_pkey":17424,"public.oc_calendar_reminders":17476,"public.oc_calendar_reminders_id_seq":17474,"public.oc_calendar_reminders_pkey":17483,"public.oc_calendar_resources":17378,"public.oc_calendar_resources_id_seq":17376,"public.oc_calendar_resources_md":17439,"public.oc_calendar_resources_md_id_seq":17437,"public.oc_calendar_resources_md_pkey":17447,"public.oc_calendar_resources_pkey":17390,"public.oc_calendar_rooms":17397,"public.oc_calendar_rooms_id_seq":17395,"public.oc_calendar_rooms_md":17452,"public.oc_calendar_rooms_md_id_seq":17450,"public.oc_calendar_rooms_md_pkey":17460,"public.oc_calendar_rooms_pkey":17409,"public.oc_calendarchanges":17350,"public.oc_calendarchanges_id_seq":17230,"public.oc_calendarchanges_pkey":17353,"public.oc_calendarobjects":17341,"public.oc_calendarobjects_id_seq":17192,"public.oc_calendarobjects_pkey"

zolfariot · Aug 14 '24 11:08
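
An added example, not part of the original issue and not wal-g code: a small audit that takes objects downloaded from a backup prefix and reports which ones are readable as plaintext JSON and which schema-qualified relation names they expose, as in the excerpt above. The sample inputs are constructed, and the key names and nesting around the name-to-OID map are assumptions; the walker does not depend on them.

```python
import json
import math
import re
from collections import Counter

# Schema-qualified relation name as seen in the excerpt, e.g. "public.oc_authtoken".
REL_NAME = re.compile(r"^[A-Za-z_][\w$]*\.[A-Za-z_][\w$]*$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits close to 8, JSON text well below."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def relation_names(node, found=None):
    """Recursively collect keys of the form schema.relation that map to an integer OID."""
    found = set() if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, int) and not isinstance(value, bool) and REL_NAME.match(key):
                found.add(key)
            else:
                relation_names(value, found)
    elif isinstance(node, list):
        for item in node:
            relation_names(item, found)
    return found

def audit_object(name: str, blob: bytes) -> dict:
    """Classify one downloaded backup object as plaintext JSON or opaque bytes."""
    report = {"object": name, "plaintext_json": False,
              "entropy": round(shannon_entropy(blob), 2), "relations": []}
    try:
        doc = json.loads(blob.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return report   # not readable as JSON: consistent with encrypted content
    report["plaintext_json"] = True
    report["relations"] = sorted(relation_names(doc))
    return report

# Constructed samples: the key names and nesting here are assumptions, not wal-g's schema.
SAMPLE_METADATA = json.dumps({"DatabasesByNames": {"nextcloud": {"oid": 16384, "tables": {
    "public.oc_authtoken": 16873, "public.oc_appconfig": 16413}}}}).encode()
SAMPLE_ENCRYPTED = bytes((i * 197 + 13) % 256 for i in range(4096))  # stand-in for ciphertext

if __name__ == "__main__":
    for name, blob in [("files_metadata.json", SAMPLE_METADATA),
                       ("constructed_part.tar", SAMPLE_ENCRYPTED)]:
        print(audit_object(name, blob))
```

Running it over every object under a backup prefix gives a quick list of what an observer with read access to the bucket can learn without the libsodium key.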