Enable server-side encryption for backups

Database backups are encrypted differently depending on their type. Physical backups are encrypted if data-at-rest encryption is turned on. Logical backups need to be encrypted by the cloud storage they are uploaded to.

Server-side encryption can be enabled for backups stored on S3. Starting from version 1.15.0, the Operator supports server-side encryption either with the AWS Key Management Service (KMS), or with a customer-provided key and the AES-256 encryption algorithm on any S3-compatible storage.

To enable server-side encryption for backups, use the backup.storages.<storage-name>.s3.serverSideEncryption section in the deploy/cr.yaml configuration file.

Encryption with keys stored in AWS KMS

To use the server-side AWS KMS encryption, specify the ID of your customer-managed key and other needed options as follows:

Set the following Custom Resource options in the deploy/cr.yaml configuration file:

backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          kmsKeyID: <kms_key_ID>
          sseAlgorithm: aws:kms

Here <kms_key_ID> should be substituted with the ID of your customer-managed key stored in the AWS KMS. It should look similar to the following example value: 128887dd-d583-43f2-b3f9-d12036d32b12.

You can avoid storing your kmsKeyID in the Custom Resource and put it into a dedicated Secret object instead. Define your Secret in YAML as follows:

deploy/sse-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-cluster-name-sse
type: Opaque
stringData:
  KMS_KEY_ID: <kms_key_ID>

Here <kms_key_ID> should be substituted with the ID of your customer-managed key stored in the AWS KMS. It should look similar to the following example value: 128887dd-d583-43f2-b3f9-d12036d32b12.

When the YAML file is ready, apply it to create the Secret:

$ kubectl create -f deploy/sse-secret.yaml

After creating the Secret, set the following Custom Resource options in the deploy/cr.yaml configuration file:

secrets:
  ...
  sse: my-cluster-name-sse
...
backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          sseAlgorithm: aws:kms

Encryption with locally-stored keys on any S3-compatible storage

The Operator also supports server-side encryption with customer-provided keys that are stored on the client side. During the backup/restore process, the Operator sends the encryption key as part of its requests to the S3 storage, and the S3 storage uses it to encrypt/decrypt the data with the AES-256 encryption algorithm. This makes it possible to use server-side encryption on S3-compatible storages other than AWS KMS (the feature was tested with AWS and MinIO storages).

To use the server-side encryption with locally-stored keys, specify your encryption key and other needed options:

Set the following Custom Resource options in the deploy/cr.yaml configuration file:

backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          sseCustomerAlgorithm: AES256
          sseCustomerKey: <your_encryption_key_in_base64>
    ...

Here <your_encryption_key_in_base64> should be substituted with the actual encryption key encoded in base64.

You can avoid storing your encryption key in the Custom Resource and put it into a dedicated Secret object instead. Define your Secret in YAML as follows:

deploy/sse-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-cluster-name-sse
type: Opaque
stringData:
  SSE_CUSTOMER_KEY: <your_encryption_key_in_base64>

Here <your_encryption_key_in_base64> should be substituted with the actual encryption key encoded in base64.

When the YAML file is ready, apply it to create the Secret:

$ kubectl create -f deploy/sse-secret.yaml

After creating the Secret, set the following Custom Resource options in the deploy/cr.yaml configuration file:

secrets:
  ...
  sse: my-cluster-name-sse
...
backup:
  ...
  storages:
    my-s3:
      type: s3
      s3:
        bucket: my-backup-bucket
        serverSideEncryption:
          sseCustomerAlgorithm: AES256
    ...

Note

You can use one of the following commands to get a base64-encoded string from a plain-text one. GNU coreutils base64 (Linux) wraps its output at 76 characters by default, so --wrap=0 keeps the encoded key on a single line; base64 implementations without that option (for example on macOS) print a short key unwrapped:

$ echo -n 'plain-text-string' | base64 --wrap=0
$ echo -n 'plain-text-string' | base64
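As an added pre-flight check (example code, not part of the Operator or its documentation), the following Python validates a serverSideEncryption block in either of the two modes described above, resolving the key from the CR or from the Secret referenced by secrets.sse, and generates an SSE-C key of the size AES-256 requires. The dict-based input, the function names and the problem messages are assumptions of this example, not Operator APIs.

```python
import base64
import binascii
import secrets
from typing import Dict, List, Optional

KMS_ALG = "aws:kms"  # sseAlgorithm value for keys stored in AWS KMS
SSEC_ALG = "AES256"  # sseCustomerAlgorithm value for locally-stored keys (SSE-C)


def generate_sse_c_key() -> str:
    """Fresh random 256-bit key, base64-encoded, for sseCustomerKey / SSE_CUSTOMER_KEY."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def validate_sse(sse: Dict[str, str], secret_data: Optional[Dict[str, str]] = None) -> List[str]:
    """Check a serverSideEncryption mapping from deploy/cr.yaml, plus the stringData of
    the Secret named in secrets.sse (if used). Returns problems; [] means usable."""
    secret_data = secret_data or {}
    problems: List[str] = []
    alg, calg = sse.get("sseAlgorithm"), sse.get("sseCustomerAlgorithm")
    if not alg and not calg:
        problems.append("neither sseAlgorithm nor sseCustomerAlgorithm is set")
    if alg and calg:
        problems.append("set either sseAlgorithm (KMS) or sseCustomerAlgorithm (SSE-C), not both")
    if alg == KMS_ALG:
        # The key ID may live in the CR or in the sse Secret; either location is enough.
        if not (sse.get("kmsKeyID") or secret_data.get("KMS_KEY_ID")):
            problems.append("aws:kms needs kmsKeyID in the CR or KMS_KEY_ID in the sse Secret")
    elif alg:
        problems.append(f"unsupported sseAlgorithm {alg!r}; only aws:kms is documented")
    if calg == SSEC_ALG:
        key_b64 = sse.get("sseCustomerKey") or secret_data.get("SSE_CUSTOMER_KEY")
        if not key_b64:
            problems.append("AES256 needs sseCustomerKey in the CR or SSE_CUSTOMER_KEY in the sse Secret")
        else:
            try:
                raw = base64.b64decode(key_b64, validate=True)
            except binascii.Error:
                problems.append("sseCustomerKey is not valid base64")
            else:
                # SSE-C with AES256 expects a 256-bit key: AWS S3 rejects a base64-encoded
                # passphrase of any other length, so catch it before the first backup runs.
                if len(raw) != 32:
                    problems.append(f"AES256 key must decode to 32 bytes, got {len(raw)}")
    elif calg:
        problems.append(f"unsupported sseCustomerAlgorithm {calg!r}; only AES256 is documented")
    return problems
```

Feed validate_sse() the serverSideEncryption mapping parsed from your deploy/cr.yaml and, when secrets.sse is set, the stringData of that Secret; a base64-encoded passphrase such as 'plain-text-string' is reported because it decodes to 17 bytes rather than 32.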

Last update: 2024-09-15