However when I run pg_restore with the -l option to create the table of contents, pg_restore doesn't recognize the encrypted backup as a suitable archive:
[postgres@diablo dbdumps]$ pg_restore: [archiver] input file does not appear to be a valid archive
Do I need to create an unencrypted dump first for pg_restore to recognize and act upon? I don't see anything in the pg_restore documentation that allows for reading encrypted files.
Any suggestions welcome. Thanks,
You seem to have answered your own question.
The general flow in this kind of situation is:
pg_dump | do-stuff > file-at-rest
undo-stuff < file-at-rest | pg_restore
Whatever you do after getting output from pg_dump needs to be undone before sending said data base into pg_restore.
You can encrypt the data at-rest but any active processing has to be done on unencrypted data.