percona · jeltz · May 22, 2026
diff --git a/t/change_key_provider.pl b/t/change_key_provider.pl
@@ -2,97 +2,116 @@
 
 use strict;
 use warnings;
-use File::Basename;
 use File::Copy;
+use PostgreSQL::Test::Cluster;
+use PostgreSQL::Test::Utils;
 use Test::More;
 use lib 't';
-use pgtde;
 
-PGTDE::setup_files_dir(basename($0));
+my ($stdout, $stderr);
 
-unlink('/tmp/change_key_provider_1.per');
-unlink('/tmp/change_key_provider_2.per');
+my $keydir = PostgreSQL::Test::Utils::tempdir;
 
 my $node = PostgreSQL::Test::Cluster->new('main');
 $node->init;
 $node->append_conf('postgresql.conf', "shared_preload_libraries = 'pg_tde'");
 $node->start;
 
-PGTDE::psql($node, 'postgres', 'CREATE EXTENSION pg_tde;');
+$node->safe_psql('postgres', 'CREATE EXTENSION pg_tde;');
 
-PGTDE::psql($node, 'postgres',
-	"SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/change_key_provider_1.per');"
-);
-PGTDE::psql($node, 'postgres',
-	"SELECT * FROM pg_tde_list_all_database_key_providers();");
-PGTDE::psql($node, 'postgres',
-	"SELECT pg_tde_create_key_using_database_key_provider('test-key', 'file-vault');"
-);
-PGTDE::psql($node, 'postgres',
-	"SELECT pg_tde_set_key_using_database_key_provider('test-key', 'file-vault');"
-);
+$node->safe_psql(
+	'postgres', qq(
+	SELECT pg_tde_add_database_key_provider_file('file-vault', '$keydir/1.keys');
+	SELECT pg_tde_create_key_using_database_key_provider('test-key', 'file-vault');
+	SELECT pg_tde_set_key_using_database_key_provider('test-key', 'file-vault');
+));
 
-PGTDE::psql($node, 'postgres',
-	'CREATE TABLE test_enc (id serial, k integer, PRIMARY KEY (id)) USING tde_heap;'
-);
-PGTDE::psql($node, 'postgres', 'INSERT INTO test_enc (k) VALUES (5), (6);');
-
-PGTDE::psql($node, 'postgres', "SELECT pg_tde_verify_key();");
-PGTDE::psql($node, 'postgres', "SELECT pg_tde_is_encrypted('test_enc');");
-PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;');
+$stdout = $node->safe_psql('postgres',
+	"SELECT * FROM pg_tde_list_all_database_key_providers();");
+is( $stdout,
+	qq(1|file-vault|file|{"path" : "$keydir/1.keys"}),
+	'can list providers');
+
+$node->safe_psql(
+	'postgres', q(
+	CREATE TABLE test_enc (id serial, k integer, PRIMARY KEY (id)) USING tde_heap;
+	INSERT INTO test_enc (k) VALUES (5), (6);
+));
+
+$node->safe_psql('postgres', "SELECT pg_tde_verify_key();");
+$stdout =
+  $node->safe_psql('postgres', "SELECT pg_tde_is_encrypted('test_enc');");
+is($stdout, 't', 'relation is encrypted');
+$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id;');
+is($stdout, "1|5\n2|6", 'relation can be read');
 
 # Change provider and move file
-PGTDE::append_to_result_file(
-	"-- mv /tmp/change_key_provider_1.per /tmp/change_key_provider_2.per");
-move('/tmp/change_key_provider_1.per', '/tmp/change_key_provider_2.per');
-PGTDE::psql($node, 'postgres',
-	"SELECT pg_tde_change_database_key_provider_file('file-vault', '/tmp/change_key_provider_2.per');"
+move("$keydir/1.keys", "$keydir/2.keys");
+$node->safe_psql('postgres',
+	"SELECT pg_tde_change_database_key_provider_file('file-vault', '$keydir/2.keys');"
 );
-PGTDE::psql($node, 'postgres',
+
+$stdout = $node->safe_psql('postgres',
 	"SELECT * FROM pg_tde_list_all_database_key_providers();");
+is( $stdout,
+	qq(1|file-vault|file|{"path" : "$keydir/2.keys"}),
+	'can list providers');
 
-PGTDE::psql($node, 'postgres', "SELECT pg_tde_verify_key();");
-PGTDE::psql($node, 'postgres', "SELECT pg_tde_is_encrypted('test_enc');");
-PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;');
+$node->safe_psql('postgres', "SELECT pg_tde_verify_key();");
+$stdout =
+  $node->safe_psql('postgres', "SELECT pg_tde_is_encrypted('test_enc');");
+is($stdout, 't', 'relation is still encrypted');
+$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id;');
+is($stdout, "1|5\n2|6", 'relation can still be read');
 
-PGTDE::append_to_result_file("-- server restart");
 $node->restart;
 
-PGTDE::psql($node, 'postgres', "SELECT pg_tde_verify_key();");
-PGTDE::psql($node, 'postgres', "SELECT pg_tde_is_encrypted('test_enc');");
-PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;');
+$node->safe_psql('postgres', "SELECT pg_tde_verify_key();");
+$stdout =
+  $node->safe_psql('postgres', "SELECT pg_tde_is_encrypted('test_enc');");
+is($stdout, 't', 'relation is encrypted after restart');
+$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id;');
+is($stdout, "1|5\n2|6", 'relation can be read after restart');
 
 # Move file, restart and then change provider
-PGTDE::append_to_result_file(
-	"-- mv /tmp/change_key_provider_2.per /tmp/change_key_provider_1.per");
-move('/tmp/change_key_provider_2.per', '/tmp/change_key_provider_1.per');
+move("$keydir/2.keys", "$keydir/1.keys");
 
-PGTDE::append_to_result_file("-- server restart");
 $node->restart;
 
-PGTDE::psql($node, 'postgres', "SELECT pg_tde_verify_key();");
-PGTDE::psql($node, 'postgres', "SELECT pg_tde_is_encrypted('test_enc');");
-PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;');
-
-PGTDE::psql($node, 'postgres',
-	"SELECT pg_tde_change_database_key_provider_file('file-vault', '/tmp/change_key_provider_1.per');"
+$stderr = ($node->psql('postgres', "SELECT pg_tde_verify_key();"))[2];
+like(
+	$stderr,
+	qr/ERROR:  key "test-key" not found in key provider "file-vault"/,
+	'verificaiton fails after we have moved the key');
+$stdout =
+  $node->safe_psql('postgres', "SELECT pg_tde_is_encrypted('test_enc');");
+is($stdout, 't', 'encryption check does not require a key');
+$stderr = ($node->psql('postgres', 'SELECT * FROM test_enc ORDER BY id;'))[2];
+like(
+	$stderr,
+	qr/ERROR:  key "test-key" not found in key provider "file-vault"/,
+	'reading relation fails after we have moved the key');
+
+# Restore the key provider
+$node->safe_psql('postgres',
+	"SELECT pg_tde_change_database_key_provider_file('file-vault', '$keydir/1.keys');"
 );
-PGTDE::psql($node, 'postgres',
+
+$stdout = $node->safe_psql('postgres',
 	"SELECT * FROM pg_tde_list_all_database_key_providers();");
+is( $stdout,
+	qq(1|file-vault|file|{"path" : "$keydir/1.keys"}),
+	'can list providers');
 
-PGTDE::psql($node, 'postgres', "SELECT pg_tde_verify_key();");
-PGTDE::psql($node, 'postgres', "SELECT pg_tde_is_encrypted('test_enc');");
-PGTDE::psql($node, 'postgres', 'SELECT * FROM test_enc ORDER BY id;');
+$node->safe_psql('postgres', "SELECT pg_tde_verify_key();");
+$stdout =
+  $node->safe_psql('postgres', "SELECT pg_tde_is_encrypted('test_enc');");
+is($stdout, 't', 'relation is encrypted after restoring provider');
+$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id;');
+is($stdout, "1|5\n2|6", 'relation can be read after restoring provider');
 
-PGTDE::psql($node, 'postgres', 'DROP EXTENSION pg_tde CASCADE;');
+$node->safe_psql('postgres', 'DROP EXTENSION pg_tde CASCADE;');
 
 $node->stop;
 
-# Compare the expected and out file
-my $compare = PGTDE->compare_results();
-
-is($compare, 0,
-	"Compare Files: $PGTDE::expected_filename_with_path and $PGTDE::out_filename_with_path files."
-);
-
 done_testing();
diff --git a/t/expected/change_key_provider.out b/t/expected/change_key_provider.out