Database Export
The Database Export feature lets you export your Keycloak cluster’s PostgreSQL database for backup, migration, or analysis. Exports are processed asynchronously and delivered as downloadable ZIP archives with optional encryption.
Plan Requirements
Database export is available on Launch, Startup, Business, Growth, and Enterprise plans. It is not available on Trial or Dev plans.
Starting an Export
Exports are started from the Skycloak dashboard:
- Open the cluster you want to export from the Clusters page.
- Open the cluster actions menu and choose Export Database.
- Pick a format, decide whether to include credentials, and (when required) enable encryption with a password.
- Click Start Export. The export runs in the background; you can close the dialog and continue working.
You will receive an email notification when the export completes or fails.
Export Options
| Option | Description |
|---|---|
| Format |
sql for plain SQL with DROP/CREATE statements (human-readable, easy to inspect), or pgdump for PostgreSQL’s custom binary format (smaller, supports pg_restore parallel restore). |
| Include credentials | When enabled, sensitive tables (user_entity, credential, fed_user_credential, client_secret) are included. Useful for full cluster migration. Encryption becomes mandatory when this is on. |
| Encrypt the export | Encrypts the resulting archive using AES-256-CBC with PBKDF2 (10,000 iterations, SHA-256). Requires a password of at least 8 characters. |
By default, exports exclude sensitive tables to protect user data. Both formats exclude ownership and access-control information for portability across environments.
Encryption
Encrypted exports use AES-256-CBC with PBKDF2 key derivation (10,000 iterations, SHA-256). The encryption is OpenSSL-compatible, so you can decrypt with standard tools.
- The encryption password must be at least 8 characters.
- Only a SHA-256 hash of the password is stored for validation – the password itself is never persisted.
- The encrypted file uses the OpenSSL
Salted__header format.
Decrypting an Export
Use OpenSSL to decrypt an encrypted export file:
openssl enc -d -aes-256-cbc -pbkdf2 -iter 10000 -md sha256 \
-in cluster-name_a1b2c3d4.zip.enc \
-out cluster-name_a1b2c3d4.zipYou will be prompted for the encryption password you provided when starting the export. After decryption, unzip the archive to access the database dump file.
Progress and Status
Exports move through these statuses:
| Status | Description |
|---|---|
pending |
Queued and waiting to be processed. |
processing |
Actively running. |
completed |
Finished successfully and ready to download. |
failed |
Encountered an error; the email notification includes details. |
You will receive an email notification when the export completes or fails.
Download and Expiration
Once an export completes, you receive an email with a pre-signed download link. The link and the stored export file expire after 24 hours. After expiration, the file is automatically deleted and the link becomes invalid.
To download after expiration, start a new export.
Checksum Verification
Each completed export includes a SHA-256 checksum (delivered in the completion email). After downloading, verify the file integrity:
sha256sum cluster-name_a1b2c3d4.zipCompare the result with the checksum in the email. The checksum is computed on the final file (encrypted ZIP if encryption was used, plain ZIP otherwise).
Email Notifications
You will receive an email when your export completes or fails:
- Success: Includes a direct download link, file size, checksum, and expiration time.
- Failure: Includes a summary of the issue. The support team is automatically notified for investigation.