Add documentation for cockroach debug encryption-status

jon (jonstjohn) commented:

Documentation for the command cockroach debug encryption-status should be added to the official docs.

Two outstanding defects make it the only way that users can check encryption status of a store in 21.2:

https://github.com/cockroachdb/cockroach/issues/81367
- This causes an error in the DB Console UI when checking the store status. This is one of the methods for checking encryption status in the official docs.
- It is fixed and back-ported to 22.1 but the issue still exists in versions of 21.2 (reproduced in 21.2.10).
https://github.com/cockroachdb/cockroach/issues/74331
- A recommended alternative to using the DB Console UI is to use the command cockroach debug encryption-active-key. This command has its own docs page but is currently broken.

The suggested work-around is to use the cockroach debug encryption-status command. This command does not appear in the official docs and has two requirements that are not readily apparent:

The cockroach process must be stopped before running the command. If it is not first stopped, it produced the cryptic error ERROR: resource temporarily unavailable.
The command must include the --enterprise-encryption flag with the key parameter set to the current encryption key. The old-key parameter seems like it can be set to any valid key or plain.

An example of this command properly formatted is:

cockroach debug encryption-status --enterprise-encryption=path=/mnt/data1/cockroach,key=/home/ubuntu/aes-256.key,old-key=aes-256.key /mnt/data1/cockroach

This produces a report of the current encryption status, including currently active and past store keys, as well as data keys.

Providing documentation on this command will give users the information they need to check the status of their encrypted stores in 21.2 and other versions.

Jira Issue: DOC-3820

cockroachdb / docs

Add documentation for cockroach debug encryption-status #14039