PostgreSQL Data Recovery

PostgreSQL stores everything in a data directory: heap files in base/, write-ahead logs in pg_wal/, and cluster metadata in global/pg_control. When the underlying drive fails, pg_resetwal and pg_dump cannot access these files. We image the failed drive using PC-3000, extract the cluster directory, reconstruct pg_control and missing WAL segments, and bring the database online. PostgreSQL 9.x through 18. No data, no fee.

Start a Recovery All Database Services

No Data = No Charge

WAL + pg_control Repair

PC-3000 + Hex Recovery

Nationwide Mail-In

Written by

Louis Rossmann

Founder & Chief Technician

Updated March 2026

How PostgreSQL Stores Data on Disk

Unlike SQL Server or Oracle, PostgreSQL does not use a single monolithic database file. The cluster is a directory tree managed by the postmaster process. Understanding this layout is the first step in recovery.

base/ contains one subdirectory per database, named by OID. Each table and index is stored as one or more 1GB segment files (e.g., base/16384/24576, base/16384/24576.1).
pg_wal/ (pg_xlog in versions before 10) holds 16MB write-ahead log segment files. Each segment is named by timeline and LSN position (e.g., 000000010000000000000042). PostgreSQL replays these segments during crash recovery to bring the cluster to a consistent state.
global/pg_control is an 8KB file containing the cluster's checkpoint location, database system identifier, catalog version, WAL segment size, and timeline ID. If this file is missing or corrupted, PostgreSQL will not start.
pg_tblspc/ contains symlinks to tablespace directories on other filesystems or drives. Tablespace-resident tables will be missing from the recovery if the target drive is not also recovered.
pg_xact/ (pg_clog before version 10) stores transaction commit status bitmaps. Each page tracks 32,768 transaction IDs. Corruption here causes PostgreSQL to report transactions as "in progress" indefinitely, making affected rows invisible to queries.

Common Failure Scenarios

Failure	Symptoms	Recovery Approach
Corrupted pg_control	PostgreSQL refuses to start. Error: "could not read file 'global/pg_control'" or checksum mismatch on pg_control.	Reconstruct pg_control from WAL segment headers. Match checkpoint LSN, timeline, and system identifier from the recovered pg_wal/ contents.
Missing WAL segments	PostgreSQL starts but panics during recovery: "requested WAL segment has already been removed." The cluster cannot reach a consistent checkpoint.	Recover WAL segments from the drive image. If segments are unrecoverable, force the cluster to a prior consistent checkpoint and accept data loss from the gap.
base/ directory corruption	Specific tables return I/O errors. pg_dump fails on individual tables. The cluster starts but queries against affected tables produce "could not read block" errors.	Image the drive to recover the damaged heap file segments. Parse the page headers (each 8KB page has a PageHeaderData struct) and extract intact tuples. Export recoverable rows via COPY.
pg_xact / CLOG corruption	Rows disappear from query results despite existing in the heap files. VACUUM reports errors. Transaction visibility checks fail because commit status is unreadable.	Reconstruct the CLOG pages from WAL records. Alternatively, mark all ambiguous transaction IDs as committed and let the application layer validate data integrity.
Failed pg_upgrade	pg_upgrade crashed mid-migration. The old cluster's data directory was partially modified. The new cluster is incomplete. Neither version of PostgreSQL will start.	Recover the pre-upgrade data directory from the drive image. If the old cluster files are intact, revert to the original version. If partially overwritten, extract tables from whichever cluster has the most complete heap files.

Why pg_resetwal Is a Last Resort

pg_resetwal (pg_resetxlog before version 10) forces PostgreSQL to start by writing a new pg_control file and discarding all existing WAL history. The PostgreSQL documentation warns that after running this command, the database should be dumped and reloaded immediately, and that data may be silently lost.

The mechanism behind the data loss: pg_resetwal creates a new checkpoint record and advances the transaction counter past any in-flight transactions. Committed transactions that were recorded in WAL but not yet flushed to the heap files are permanently lost. The database will start, but the data on disk may not match what was committed by the application.

When the corruption originates from a physical drive failure, the situation is worse. pg_resetwal operates on whatever data the operating system can read from the degraded drive. Sectors with read errors are silently skipped or filled with zeros. Running pg_resetwal on this partial data locks in the loss. Imaging the drive with PC-3000 using adaptive read parameters first recovers more sectors, producing a more complete data directory to work with.

Before running pg_resetwal: Power down the server. Do not run pg_resetwal -f on the original data directory. Each modification reduces the data available for recovery. Contact us for a free evaluation of the drive's physical condition first.

Our PostgreSQL Recovery Workflow

Drive assessment and forensic imaging

Evaluate the drive using PC-3000 diagnostics. If the drive has mechanical damage (clicking, not spinning, scored platters), we perform a head swap in the 0.02µm ULPA-filtered clean bench before imaging. The target is a complete sector-level clone on healthy media.

File system reconstruction and cluster extraction

Mount the cloned image and locate the PostgreSQL data directory. Linux ext4/XFS metadata is parsed to recover the directory tree. If the file system is too damaged for standard mounting, we carve the data directory structure from raw sectors using inode and directory entry analysis.

pg_control and WAL reconstruction

If pg_control is missing or corrupted, we reconstruct it by scanning the recovered WAL segments for checkpoint records. The system identifier, checkpoint LSN, timeline ID, and catalog version are extracted from WAL headers and cross-referenced against the pg_wal/ directory naming convention.

Heap file validation and tuple extraction

Scan every heap file in base/ for valid 8KB pages. Each page contains a PageHeaderData struct with LSN, checksum (if data checksums are enabled), and tuple offset pointers. We validate page headers, extract intact tuples, and flag pages with unrecoverable damage. TOAST relations are cross-referenced against their parent tables to reassemble oversized values.

Cluster startup and data export

Start the recovered cluster in a sandboxed PostgreSQL instance matching the original version. Run pg_catalog integrity checks. Export all recoverable data via pg_dump or per-table COPY TO commands. Deliver the output as a SQL dump file, custom-format archive, or a running cluster on a fresh drive.

TOAST Table Recovery

PostgreSQL's TOAST (The Oversized-Attribute Storage Technique) mechanism automatically compresses and splits column values that exceed approximately 2KB. The overflow data is stored in a separate TOAST table (pg_toast.pg_toast_NNNNN) with chunk_id and chunk_seq columns linking back to the parent row.

TOAST tables are the most fragile part of a PostgreSQL cluster during drive failures. Because TOAST data is distributed across separate heap files from the parent table, a partial drive failure can leave the main table intact while destroying the TOAST relation. Queries against affected rows return: "ERROR: missing chunk number 0 for toast value NNNNN in pg_toast.pg_toast_XXXXX."

Standard recovery tools (pg_dump, pg_restore) cannot handle this failure mode because they attempt to read the TOAST data through the normal SQL interface, which throws an error. We bypass the SQL layer and read the TOAST heap files directly from the recovered image, extracting valid chunks and mapping them back to parent rows by OID. Columns with unrecoverable TOAST chunks are flagged in the export rather than causing the entire table dump to fail.

Tablespace and Multi-Drive Clusters

Production PostgreSQL deployments often place tablespaces on separate drives or partitions for I/O distribution. The pg_tblspc/ directory contains symbolic links pointing to each tablespace's physical location. When any of these drives fail, tables in that tablespace become inaccessible while the rest of the cluster may function normally.

For multi-drive recovery, send all drives that were part of the PostgreSQL server. Label each drive with its original mount point (e.g., /var/lib/postgresql/data, /mnt/fast-ssd/pg_tblspc). We image each drive independently and reconstruct the symlink relationships from the pg_tblspc/ entries and the tablespace OID directories.

If the cluster ran on a RAID array, each member drive is imaged and the array is reassembled virtually before extracting the PostgreSQL data directory.

PostGIS and Extension Data Recovery

PostGIS stores geometry and geography values as binary data within standard PostgreSQL heap pages. Point, polygon, linestring, and raster columns follow the same on-disk format as any bytea column. The spatial data itself does not require special handling during recovery.

Spatial indexes (GiST, SP-GiST, BRIN) are stored in separate relation files and are fully rebuildable. After the cluster starts, running REINDEX on spatial indexes restores query performance without any data loss. If the extension shared library files (postgis.so, postgis_raster.so) are missing from the recovered image, we install the matching PostGIS version in the sandboxed recovery environment.

Other extensions with on-disk state (pg_trgm indexes, hstore columns, JSONB GIN indexes) follow the same pattern: the data is in heap pages, the indexes are rebuildable, and the extension libraries are installed in the recovery environment to match the original cluster configuration.

Pricing

PostgreSQL recovery pricing is based on the physical condition of the drive. Cluster repair (pg_control reconstruction, WAL rebuild, TOAST recovery, heap file extraction) is included at no additional charge. For RAID arrays, each member drive is priced separately.

Service Tier	Price	Description
Simple CopyLow complexity	$100	Your drive works, you just need the data moved off it Functional drive; data transfer to new media Rush available: +$100
File System RecoveryLow complexity	From $250	Your drive isn't recognized by your computer, but it's not making unusual sounds File system corruption. Accessible with professional recovery software but not by the OS Starting price; final depends on complexity
Firmware RepairMedium complexity – PC-3000 required	$600–$900	Your drive is completely inaccessible. It may be detected but shows the wrong size or won't respond Firmware corruption: ROM, modules, or translator tables corrupted; requires PC-3000 terminal access Standard drives at lower end; high-density drives at higher end
Head SwapHigh complexity – clean bench surgery50% deposit	$1,200–$1,500	Your drive is clicking, beeping, or won't spin. The internal read/write heads have failed Head stack assembly failure. Transplanting heads from a matching donor drive on a clean bench 50% deposit required. Donor parts are consumed in the repair
Surface / Platter DamageHigh complexity – clean bench surgery50% deposit	$2,000	Your drive was dropped, has visible damage, or a head crash scraped the platters Platter scoring or contamination. Requires platter cleaning and head swap 50% deposit required. Donor parts are consumed in the repair. Most difficult recovery type.

Hardware Repair vs. Software Locks

Our "no data, no fee" policy applies to hardware recovery. We do not bill for unsuccessful physical repairs. If we replace a hard drive read/write head assembly or repair a liquid-damaged logic board to a bootable state, the hardware repair is complete and standard rates apply. If data remains inaccessible due to user-configured software locks, a forgotten passcode, or a remote wipe command, the physical repair is still billable. We cannot bypass user encryption or activation locks.

All tiers: Free evaluation and firm quote before any paid work. No data, no fee on simple copy, file system, and firmware tiers. Head swap and surface damage require a 50% deposit because donor parts are consumed in the attempt.

Target drive: The destination drive we copy recovered data onto. You can supply your own or we provide one at cost. For ultra-high-capacity drives (20TB and above), the target drive costs approximately $400+ due to the large media required. All prices are plus applicable tax.

No Data, No Fee

Guarantee

2.49M+

Subscribers

4.9

1,837+ Google Reviews

Since 2008

Established

Repairs on Video

Full Transparency

As Featured In

Data Recovery Standards & Verification

Our Austin lab operates on a transparency-first model. We use industry-standard recovery tools, including PC-3000 and DeepSpar, combined with strict environmental controls to make sure your hard drive is handled safely and properly. This approach allows us to serve clients nationwide with consistent technical standards.

Validated Clean Zone

Open-drive work is performed in a ULPA-filtered laminar-flow bench, validated to 0.02 µm particle count, verified using TSI P-Trak instrumentation.

Transparent History

Serving clients nationwide via mail-in service since 2008. Our lead engineer holds PC-3000 and HEX Akademia certifications for hard drive firmware repair and mechanical recovery.

Media Coverage

Our repair work has been covered by The Wall Street Journal and Business Insider, with CBC News reporting on our pricing transparency. Louis Rossmann has testified in Right to Repair hearings in multiple states and founded the Repair Preservation Group.

Aligned Incentives

Our "No Data, No Charge" policy means we assume the risk of the recovery attempt, not the client.

Technical Oversight

Louis Rossmann

Louis Rossmann's well trained staff review our lab protocols to ensure technical accuracy and honest service. Since 2008, his focus has been on clear technical communication and accurate diagnostics rather than sales-driven explanations.

We believe in proving standards rather than just stating them. We use TSI P-Trak instrumentation to verify that clean-air benchmarks are met before any drive is opened.

See our clean bench validation data and particle test video

PostgreSQL Recovery FAQ

Can you recover a PostgreSQL database from a physically failed drive?

Yes. We image the failed drive using PC-3000, reconstruct the file system, and extract the PostgreSQL data directory (base/, pg_wal/, pg_tblspc/). Once the cluster files are recovered, we repair pg_control, rebuild missing WAL segments, and bring the database online. No data, no fee.

What happens if pg_control is corrupted?

pg_control stores the cluster's checkpoint location, timeline ID, and system identifier. When it is corrupted, PostgreSQL refuses to start. We reconstruct pg_control from the WAL segment headers and pg_wal directory contents, matching the correct checkpoint LSN and timeline.

Is pg_resetwal safe to run on a corrupted cluster?

pg_resetwal forces PostgreSQL to start by overwriting pg_control and discarding WAL history. This can cause silent data loss: any transaction that was committed but not yet checkpointed will be lost, and tables may contain partial writes. If the drive has physical damage, pg_resetwal also masks the extent of data loss. We avoid pg_resetwal entirely and reconstruct pg_control from the recovered WAL segments instead.

Can you recover TOAST data from a corrupted cluster?

Yes. PostgreSQL stores values over 2KB in TOAST tables (pg_toast schema). When the main table's heap file is intact but the TOAST relation is damaged, queries return errors for oversized columns. We extract TOAST chunks directly from the recovered heap files and reassemble the original values.

Do you support PostGIS spatial data recovery?

Yes. PostGIS geometry and geography columns are stored as binary in standard PostgreSQL heap pages. The recovery process is identical to standard column recovery. Spatial indexes (GiST/SP-GiST) are rebuilt automatically when the database starts after recovery.

How is PostgreSQL recovery priced?

Pricing is based on the physical condition of the drive holding the PostgreSQL data directory. File system corruption: from $250. Firmware repair: $600-$900. Head swap: $1,200-$1,500. Database cluster repair is included. No data, no fee.