Skip to content
Percona Operators Documentation

For help, click the link below to get free database assistance or contact our experts for personalized support.

Get help from Percona

Enable server-side encryption for backups

Encrypting database backups is done separately for physical and logical backups. Physical backups are encrypted if data-at-rest encryption is turned on. Logical backups need to be encrypted on the cloud.

There is a possibility to enable server-side encryption for backups stored on S3. Starting from the version 1.15.0, the Operator supports Server Side Encryption either with AWS Key Management Service (KMS) , or just encrypt/decrypt backups with AES-256 encryption algorithm with any S3-compatible storage.

To enable server-side encryption for backups, use backup.storages.<storage-name>.s3.serverSideEncryption section in the deploy/cr.yaml configuration file.

Encryption with keys stored in AWS KMS

To use the server-side AWS KMS encryption, specify the ID of your customer-managed key and other needed options as follows:

Set the following Custom Resource options in the deploy/cr.yaml configuration file:

backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          kmsKeyID: <kms_key_ID>
          sseAlgorithm: aws:kms

Here <kms_key_ID> should be substituted with the ID of your customer-managed key stored in the AWS KMS. It should look similar to the following example value: 128887dd-d583-43f2-b3f9-d12036d32b12.

You can avoid storing your kmsKeyID in Custom Resource, and put it into a dedicated Secrets object. Define your secret in YAML as follows:

deploy/sse-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-cluster-name-sse
type: Opaque
stringData:
  KMS_KEY_ID: <kms_key_ID>

Here <kms_key_ID> should be substituted with the ID of your customer-managed key stored in the AWS KMS. It should look similar to the following example value: 128887dd-d583-43f2-b3f9-d12036d32b12.

When the YAML file is ready, apply it to create the Secret:

$ kubectl create -f deploy/sse-secret.yaml

After creating the Secret, set the following Custom Resource options in the deploy/cr.yaml configuration file:

secrets:
  ...
  sse: my-cluster-name-sse
...
backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          sseAlgorithm: aws:kms

Encryption with localy-stored keys on any S3-compatible storage

The Operator also supports server-side encryption with customer-provided keys that are stored on the client side. During the backup/restore process, encryption key will be provided by the Operator as part of the requests to the S3 storage, and the S3 storage will use them to encrypt/decrypt the data with the AES-256 encryption algorithm. This allows to use server-side encryption on S3-compatible storages different from AWS KMS (the feature was tested with the AWS and MinIO storages).

To use the server-side encryption with locally-stored keys, specify your encryption key and other needed options:

Set the following Custom Resource options in the deploy/cr.yaml configuration file:

backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          sseCustomerAlgorithm: AES256
          sseCustomerKey: <your_encryption_key_in_base64>
    ...

Here <your_encryption_key_in_base64> should be substituted with the actual encryption key encoded in base64.

You can avoid storing your encryption key in Custom Resource, and put it into a dedicated Secrets object. Define your secret in YAML as follows:

deploy/sse-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-cluster-name-sse
type: Opaque
stringData:
  SSE_CUSTOMER_KEY: <your_encryption_key_in_base64>

Here <your_encryption_key_in_base64> should be substituted with the actual encryption key encoded in base64.

When the YAML file is ready, apply it to create the Secret:

$ kubectl create -f deploy/sse-secret.yaml

After creating the Secret, set the following Custom Resource options in the deploy/cr.yaml configuration file:

secrets:
  ...
  sse: my-cluster-name-sse
...
backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          sseCustomerAlgorithm: AES256
    ...

Note

You can use the following command to get a base64-encoded string from a plain text one:

$ echo -n 'plain-text-string' | base64 --wrap=0

$ echo -n 'plain-text-string' | base64
Last update: 2025-04-16