Enable server-side encryption for backups
Encrypting database backups is done separately for physical and logical backups. Physical backups are encrypted if data-at-rest encryption is turned on. Logical backups need to be encrypted on the cloud.
Server-side encryption can be enabled for backups stored on S3. Starting from version 1.15.0, the Operator supports server-side encryption either with keys managed by AWS Key Management Service (KMS), or with customer-provided keys and the AES-256 algorithm on any S3-compatible storage.
To enable server-side encryption for backups, use the backup.storages.<storage-name>.s3.serverSideEncryption section in the deploy/cr.yaml configuration file.
Encryption with keys stored in AWS KMS
To use server-side AWS KMS encryption, specify the ID of your customer-managed key and the other needed options as follows.
Set the following Custom Resource options in the deploy/cr.yaml configuration file:
backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          kmsKeyID: <kms_key_ID>
          sseAlgorithm: aws:kms
Here <kms_key_ID> should be substituted with the ID of your customer-managed key stored in AWS KMS. It should look similar to the following example value: 128887dd-d583-43f2-b3f9-d12036d32b12.
You can avoid storing your kmsKeyID in the Custom Resource and put it into a dedicated Secrets object instead. Define your secret in YAML as follows:
apiVersion: v1
kind: Secret
metadata:
  name: my-cluster-name-sse
type: Opaque
stringData:
  KMS_KEY_ID: <kms_key_ID>
Here <kms_key_ID> should be substituted with the ID of your customer-managed key stored in AWS KMS. It should look similar to the following example value: 128887dd-d583-43f2-b3f9-d12036d32b12.
When the YAML file is ready, apply it to create the Secret:
$ kubectl create -f deploy/sse-secret.yaml
After creating the Secret, set the following Custom Resource options in the deploy/cr.yaml configuration file:
secrets:
  ...
  sse: my-cluster-name-sse
  ...
backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          sseAlgorithm: aws:kms
Encryption with locally-stored keys on any S3-compatible storage
The Operator also supports server-side encryption with customer-provided keys that are stored on the client side. During the backup/restore process, the Operator passes the encryption key as part of its requests to the S3 storage, and the storage uses it to encrypt/decrypt the data with the AES-256 algorithm. This allows server-side encryption on S3-compatible storages other than AWS KMS (the feature was tested with AWS and MinIO storages).
To use server-side encryption with locally-stored keys, specify your encryption key and the other needed options as follows.
Set the following Custom Resource options in the deploy/cr.yaml configuration file:
backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          sseCustomerAlgorithm: AES256
          sseCustomerKey: <your_encryption_key_in_base64>
  ...
Here <your_encryption_key_in_base64> should be substituted with the actual encryption key encoded in base64.
You can avoid storing your encryption key in the Custom Resource and put it into a dedicated Secrets object instead. Define your secret in YAML as follows:
apiVersion: v1
kind: Secret
metadata:
  name: my-cluster-name-sse
type: Opaque
stringData:
  SSE_CUSTOMER_KEY: <your_encryption_key_in_base64>
Here <your_encryption_key_in_base64> should be substituted with the actual encryption key encoded in base64.
When the YAML file is ready, apply it to create the Secret:
$ kubectl create -f deploy/sse-secret.yaml
After creating the Secret, set the following Custom Resource options in the deploy/cr.yaml configuration file:
secrets:
  ...
  sse: my-cluster-name-sse
  ...
backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          sseCustomerAlgorithm: AES256
  ...
Note
You can use one of the following commands to get a base64-encoded string from a plain-text one:
$ echo -n 'plain-text-string' | base64 --wrap=0
$ echo -n 'plain-text-string' | base64
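The following POSIX shell script is an added example and is not part of the Operator documentation or its code. It ties the two Secret-based setups above together: it generates a random 256-bit key for the SSE_CUSTOMER_KEY case, checks that a base64 value really decodes to the 32 bytes that AES-256 SSE-C requires (a plain-text passphrase piped through base64 as in the note above only works if it happens to be exactly 32 bytes long), checks that a KMS key ID has the shape of the example value on this page, and renders the sse Secret manifest for either mode. The helper names are ours, and the UUID pattern used for KMS key IDs is an assumption derived from the example value 128887dd-d583-43f2-b3f9-d12036d32b12; adjust it if you reference keys differently. Keep in mind that the storage does not retain a copy of a customer-provided key, so the Secret itself must be kept somewhere recoverable.

```shell
#!/bin/sh
# Added example, not Operator code. Assumes the Secret keys KMS_KEY_ID and
# SSE_CUSTOMER_KEY exactly as documented for the `secrets.sse` object.

# Generate a fresh 256-bit key and print it base64-encoded on a single line.
# SSE-C with AES256 requires exactly 32 raw bytes, so exactly 32 are drawn.
gen_sse_customer_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print the number of raw bytes a base64 string decodes to (0 if invalid).
b64_decoded_len() {
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Succeed only if the value decodes to exactly 32 bytes (a valid AES-256 key).
is_valid_sse_customer_key() {
    [ "$(b64_decoded_len "$1")" = "32" ]
}

# Succeed only if the value looks like the docs' example KMS key ID (UUID).
# Assumption: your key IDs follow the same shape as the documented example.
is_valid_kms_key_id() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Render the Secret manifest on stdout.
# Usage: render_sse_secret <secret-name> <kms|customer> <value>
# Fails (non-zero) without printing anything if the value is not usable.
render_sse_secret() {
    name=$1 mode=$2 value=$3
    case "$mode" in
        kms)
            is_valid_kms_key_id "$value" \
                || { echo "KMS key ID does not match the expected format" >&2; return 1; }
            key=KMS_KEY_ID ;;
        customer)
            is_valid_sse_customer_key "$value" \
                || { echo "SSE-C key must be base64 of exactly 32 bytes" >&2; return 1; }
            key=SSE_CUSTOMER_KEY ;;
        *)
            echo "mode must be 'kms' or 'customer'" >&2; return 1 ;;
    esac
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
stringData:
  $key: $value
EOF
}

# Typical use for the locally-stored key case (uncomment to run):
# render_sse_secret my-cluster-name-sse customer "$(gen_sse_customer_key)" \
#     > deploy/sse-secret.yaml
# kubectl create -f deploy/sse-secret.yaml
```

The validation step is the part worth keeping even if you render the manifest some other way: S3 rejects an SSE-C key of the wrong length only at backup time, which is later than you want to find out, and the same check protects against a stray trailing newline from a wrapped base64 output.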