Encryption matrix
Prerequisites
Portworx Backup allows you to enable two types of encryption, one for the backup data at rest in the destination and the other for the backups in transit. For the resting backup data, Portworx Backup utilizes AWS SSE-S3 encryption support provided by AWS S3. Following topics provide more information on these two kinds of encryption:
Server-side encryption (SSE-S3)
Prerequisites
- Portworx Backup 2.7.0 and above
- Portworx 3.1.0 and above
- Stork 24.1.0 and above
AWS S3 encrypts the backup data at the destination either with the applications or the services that receive the data. By default, all AWS S3 buckets are configured with encryption. For more information, refer AWS S3 SSE.
Following table explains the encryption support for the backup types provided by Portworx Backup and their behavior: Portworx Backup currently supports the following type of encryption:
- SSE-S3 with AWS S3 managed keys
In this type of encryption, each object is encrypted with unique key. To provide enhanced security, the SSE-S3 encrypts the unique encryption key itself using a root key with a regular rotational mechanism.
You can enable SSE-S3 for the following backup types of Portworx Backup:
- Backups based on Portworx volumes
- CSI backups
- CSI backup with offload to backup location (KDMP)
- KDMP backups
For more information on how to enable this encryption, refer Add AWS/S3 backup location
Following table describes the server side encryption behavior of Portworx Backup with the bucket configuration and deny policy:
| Bucket configuration | Deny policy configuration | SSE-S3 enabled | Portworx Backup behavior |
|---|---|---|---|
| SSE-S3 | No | No | |
| SSE-S3 | No | Yes | |
| SSE-S3 | Yes | Yes | |
| SSE-S3 | Yes | No | Creation of backup location fails with AccessDenied error |
Transit data encryption
Prerequisites
- Portworx Backup 2.3.0 and above
- Portworx 2.11.2 and above
- Stork 23.9.1 and above
Following table explains the encryption support for the backup types provided by Portworx Backup and their behavior:
| Backup Type | Data Files | Encryption Support | Encryption Key |
|---|---|---|---|
| Backup to Portworx volumes | Data | ||
| Yes | User-provided | ||
| Resource files | |||
| Yes | User-provided | ||
| KDMP Backup | Data | ||
| Yes | Volume snapshots are encrypted with default encryption key and not with the user-provided encryption key | ||
| Resource files | |||
| Yes | User-provided | ||
| Backup to Cloud providers | Data | ||
| No | - | ||
| Resource files | |||
| Yes | User-provided |
Portworx Backup encrypts your backups (data and resource files) in-transit regardless of the backup location type (NFS or S3 compliant object store).