Hello team 
We are currently testing pg_tde with pgBackRest on Percona Distribution for PostgreSQL 18, and we would really appreciate your guidance to better understand the expected and supported behavior around WAL encryption and PITR.
Our environment
PostgreSQL 18.1
Percona Server for PostgreSQL 18.1.1
pg_tde 2.1
pgBackRest 2.57
Patroni-based HA cluster
What we are trying to achieve
Our goal is to have:
Data-at-rest encryption using pg_tde
Encrypted backups
Point-in-Time Recovery (PITR) using pgBackRest
What we observed during testing
We ran multiple controlled tests with the following setup:
shared_preload_libraries = ‘pg_tde’
pg_tde.wal_encrypt = on
archive_command =
‘/usr/lib/postgresql/18/bin/pg_tde_archive_decrypt %f %p “pgbackrest --stanza=cluster_1 archive-push %%p”’
restore_command =
‘/usr/lib/postgresql/18/bin/pg_tde_restore_encrypt %f %p “pgbackrest --stanza=cluster_1 archive-get %%f %%p”’
Test flow
Insert data before backup
Take a full pgBackRest backup
Insert additional data
Perform pgBackRest PITR (target time before step 3)
Result we are seeing
Full backups restore correctly
WAL archiving and restore commands work
However, during PITR:
WAL replay does not stop at the target time, or PostgreSQL fails during recovery with WAL-related errors, if we disable/off WAL encryption and take backup:
pg_tde.wal_encrypt = off
PITR works consistently and as expected.
Our current understanding (please correct us if wrong)Based on our testing, it appears that:
pgBackRest PITR may not be compatible with WAL encryption at this time
However, we are not fully sure if this is:
An expected limitation
A configuration mistake on our side
Or something that requires a different workflow
Where we need help 
We would really appreciate clarification on: