Skip to main content
Version: 2.8

Encryption matrix

Prerequisites

Portworx Backup allows you to enable two types of encryption, one for the backup data at rest in the destination and the other for the backups in transit. For the resting backup data, Portworx Backup utilizes AWS SSE-S3 encryption support provided by AWS S3. Following topics provide more information on these two kinds of encryption:

Portworx Backup allows you to enable two types of encryption, one for the backup data at rest in the destination and the other for the backups in transit. For the resting backup data, Portworx Backup utilizes AWS SSE-S3 encryption support provided by AWS S3. Following topics provide more information on these two kinds of encryption:

Server-side encryption (SSE-S3)

Prerequisites

  • Portworx Backup 2.7.0 and above
  • Portworx 3.1.0 and above
  • Stork 24.1.0

AWS S3 encrypts the backup data at the destination either with the applications or the services that receive the data. By default, all AWS S3 buckets are configured with encryption. For more information, refer AWS S3 SSE.

Following table explains the encryption support for the backup types provided by Portworx Backup and their behavior: Portworx Backup currently supports the following type of encryption:

  • SSE-S3 with AWS S3 managed keys

In this type of encryption, each object is encrypted with unique key. To provide enhanced security, the SSE-S3 encrypts the unique encryption key itself using a root key with a regular rotational mechanism.

You can enable SSE-S3 for the following backup types of Portworx Backup:

  • Backups based on Portworx volumes
  • CSI backups
  • CSI backup with offload to backup location (KDMP)
  • KDMP backups

For more information on how to enable this encryption, refer Add AWS/S3 backup location

Following table describes the server side encryption behavior of Portworx Backup with the bucket configuration and deny policy:

Bucket configurationDeny policy configurationSSE-S3 enabledPortworx Backup behavior
SSE-S3NoNo
  • Backup location gets created
  • Backup data is encrypted with default encryption key
  • SSE-S3NoYes
  • Backup location gets created
  • Backup data is encrypted with default encryption key
  • SSE-S3YesYes
  • Backup location gets created
  • Backup data is encrypted with default encryption key
  • SSE-S3YesNoCreation of backup location fails with AccessDenied error

    Transit data encryption

    Prerequisites

    • Portworx Backup 2.3.0 and above
    • Portworx 2.11.2 and above
    • Stork 23.9.1

    Following table explains the encryption support for the backup types provided by Portworx Backup and their behavior:

    Backup TypeData FilesEncryption SupportEncryption Key
    Backup to Portworx volumesData
    YesUser-provided
    Resource files
    YesUser-provided
    KDMP BackupData
    YesVolume snapshots are encrypted with default encryption key and not with the user-provided encryption key
    Resource files
    YesUser-provided
    Backup to Cloud providersData
    No-
    Resource files
    YesUser-provided
    note

    Portworx Backup encrypts your backups (data and resource files) in-transit regardless of the backup location type (NFS or S3 compliant object store).