Unable to restore encrypted backups in 7.x

By providing --encryption-key-file to fdbbackup, I have been able to create encrypted backups in AWS S3. I generated this key using openssl rand 32 > key.

However, when attempting to restore those backups using fdbrestore with --encryption-key-file pointed to the same key, I am unable to begin the restore process. The initial error is:

ERROR: HTTP response code not received or indicated failure

Upon digging further with --knob_http_verbose_level=3, the error is:

-- RESPONSE CONTENT--
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidRange</Code><Message>The requested range is not satisfiable</Message><RangeRequested>bytes=4096-8191</RangeRequested><ActualObjectSize>14</ActualObjectSize><RequestId>[REDACTED_REQUEST_ID]</RequestId><HostId>[REDACTED_HOST_ID]</HostId></Error>

Where it seems the restore process requested: Request Header: Range: bytes=4096-8191 of log_end_version, where S3 previously informed the process it only has Reponse Header: Content-Length: 14. In some instances, the same type of error (requesting more bytes than are available) occurs for mutation_log_type rather than log_end_version.

This problem does not occur when the --encryption-key-file flag is not present.

I have observed this behaviour in 7.1.65, 7.3.37 and 7.3.57.

Has anyone managed to successfully backup and restore data simply using --encryption-key-file? If so, I would be grateful if you could provide the commands used to start the backup as well as the restore.

You are on the bleeding edge! :sweat_smile: The --encryption-key-file is a community contributed feature that we haven’t really tested/used.

1 Like

I see! I took from all the activity from 2020-2021 that this was merged in and supported Add --encryption_key_file command line argument to fdbbackup and fdbr… · apple/foundationdb@f5aa3df · GitHub

This feature would be valuable right now - again curious if anyone is actively using it. Perhaps the Snowflake team as they seem to have added this?