diff --git a/docs/details/storage-configuration.md b/docs/details/storage-configuration.md index 7748da8a..8245481d 100644 --- a/docs/details/storage-configuration.md +++ b/docs/details/storage-configuration.md 
@@ -22,11 +22,37 @@ Percona Backup for MongoDB should work with other S3-compatible storages, but wa * [MinIO](https://min.io/) -As of version 1.3.2, Percona Backup for MongoDB supports [server-side encryption](https://docs.percona.com/percona-backup-mongodb/glossary.html#term-Server-side-encryption) for [S3 buckets](../reference/glossary.md#bucket) with customer managed keys stored in AWS KMS. +### Server-side encryption + +As of version 1.3.2, Percona Backup for MongoDB supports [server-side encryption](https://docs.percona.com/percona-backup-mongodb/glossary.html#term-Server-side-encryption) for [S3 buckets](../reference/glossary.md#bucket) with customer-provided keys stored in AWS KMS (SSE-KMS). + + +Starting with version 2.0.1, Percona Backup for MongoDB also supports server-side encryption with customer-provided keys that stored on the client side (SSE-C). Percona Backup for MongoDB provides the encryption keys as part of the requests to the S3 storage. The S3 storage uses them to encrypt/decrypt the data using the AES-256 encryption algorithm. In such a way you save on subscribing to AWS KMS services and can use the server-side encryption with the S3-compatible storage of your choice. + +!!! admonition "" + + SSE-C encryption should work with other S3-compatible storages, but was only tested with the AWS and MinIO. Check the support of this functionality with your S3 storage provider. + +!!! warning + + 1. Enable/disable the server-side encryption only for the empty bucket. Otherwise, Percona Backup for MongoDB fails to save/retrieve objects to/from the storage properly. + 2. S3 storage doesn't manage nor store the encryption key. It is your responsibility to track what key was used to encrypt what object in the bucket. If you lose the key, any request for an object without the encryption key fails and you lose the object. 
+ +To use the SSE-C encryption, specify the following parameters in the Percona Backup for MongoDB configuration file: + +```yaml +serverSideEncryption: + sseCustomerAlgorithm: AES256 + sseCustomerKey: +``` + !!! admonition "See also" - [Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html) + AWS Documentation: + + * [Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html) + * [Protecting data using server-side encryption with customer-provided encryption keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html) ### Debug logging diff --git a/docs/reference/configuration-options.md b/docs/reference/configuration-options.md index 12a4af5e..e848ac5b 100644 --- a/docs/reference/configuration-options.md +++ b/docs/reference/configuration-options.md @@ -30,6 +30,8 @@ storage: serverSideEncryption: sseAlgorithm: aws:kms kmsKeyID: + sseCustomerAlgorithm: AES256 + sseCustomerKey: retryer: numMaxRetries: 3 minRetryDelay: 30 @@ -151,12 +153,12 @@ Disables the TLS verification of the S3 storage. This allows Percona Backup for ## Server-side encryption options -### serverSideEncryption.sseAlgorythm +### serverSideEncryption.sseAlgorithm *Type*: string
-*Required*: NO +*Required*: NO -The key management mode used for server-side encryption +The key management mode used for server-side encryption with the encryption keys stored in AWS KMS. Supported value: `aws:kms` @@ -165,7 +167,23 @@ Supported value: `aws:kms` *Type*: string
*Required*: NO -Your customer-managed key +Your customer-managed key stored in the AWS KMS. + +### serverSideEncryption.sseCustomerAlgorithm + +*Type*: string
+*Required*: NO + +The key management mode for [server-side encryption with customer-provided keys (SSE-C)](../details/storage-configuration.md#server-side-encryption). + +Supported value: `AES256` + +### serverSideEncryption.sseCustomerKey + +*Type*: string
+*Required*: NO + +Your custom encryption key. This key is not stored on the S3 storage side. Thus, it is your responsibility to track what data is encrypted with what key and for storing the key. ## Upload retry options
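Review bot: In the docs/details/storage-configuration.md hunk, the new SSE-C paragraph has a grammar slip, "customer-provided keys that stored on the client side" should read "that are stored on the client side", and the admonition's "tested with the AWS and MinIO" should drop "the". Two content points in the same hunk: the YAML snippet leaves `sseCustomerKey:` empty without saying what goes there (raw key or encoded, and the required length), so a reader cannot fill it in; and because this value is the key material itself rather than a KMS key ID, the warning list should say that the configuration file now holds the encryption secret and must be protected accordingly (restrictive file permissions, not committed to version control), next to the existing "if you lose the key, you lose the object" item. Minor: the SSE-KMS sentence was changed to "customer-provided keys stored in AWS KMS", but the linked AWS page title still says "CMKs" (customer managed keys); keep "customer managed" for SSE-KMS and reserve "customer-provided" for SSE-C so the two modes are not conflated.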
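Review bot: In the first docs/reference/configuration-options.md hunk (`@@ -30,6 +30,8 @@`), the reference config now shows `sseAlgorithm`/`kmsKeyID` and `sseCustomerAlgorithm`/`sseCustomerKey` side by side under one `serverSideEncryption` block, but nothing on the page says whether the two modes are mutually exclusive or which one takes effect if both are set. Suggest a comment in the snippet or a sentence under "Server-side encryption options" stating that only one of the two key sets should be configured, and what the tool does (error, or a defined precedence) when both are present.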
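Review bot: In the `@@ -151,12 +153,12 @@` hunk the heading rename from `sseAlgorythm` to `sseAlgorithm` is the right fix, but it changes the generated heading anchor, so any existing link to the misspelled heading will silently stop resolving; search the docs for the old anchor and update it in the same change. The `-*Required*: NO` / `+*Required*: NO` pair looks like a whitespace-only change; if it restores the trailing spaces markdown needs for the line break, fine, otherwise drop it to keep the diff focused.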
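Review bot: In the `@@ -165,7 +167,23 @@` hunk, the `kmsKeyID` description "Your customer-managed key stored in the AWS KMS." describes the value as the key itself, while the option name and the SSE-KMS mode make it a key identifier; suggest "The ID of your customer managed key in AWS KMS." In the `sseCustomerKey` description, "it is your responsibility to track what data is encrypted with what key and for storing the key" mixes "to track" with "for storing"; make it "to track which data is encrypted with which key and to store the key safely". This entry is also where readers will look for the expected format of the key (encoding and length), so state it here rather than leaving the value undescribed.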