|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="oadp-ssec-encrypted-backups_{context}"] |
| 7 | += Creating an OADP SSE-C encryption key for additional data security |
| 8 | + |
| 9 | +{aws-first} S3 applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. |
| 10 | + |
| 11 | +{oadp-first} encrypts data by using SSL/TLS, HTTPS, and the `velero-repo-credentials` secret when transferring the data from a cluster to storage. To protect backup data in case of lost or stolen AWS credentials, apply an additional layer of encryption. |
| 12 | + |
| 13 | +The velero-plugin-for-aws plugin provides several additional encryption methods. You should review its configuration options and consider implementing additional encryption. |
| 14 | + |
| 15 | +You can store your own encryption keys by using server-side encryption with customer-provided keys (SSE-C). This feature provides additional security if your AWS credentials become exposed. |
| 16 | + |
| 17 | +[WARNING] |
| 18 | +==== |
| 19 | +Be sure to store cryptographic keys in a secure and safe manner. Encrypted data and backups cannot be recovered if you do not have the encryption key. |
| 20 | +==== |
| 21 | + |
| 22 | +.Prerequisites |
| 23 | + |
| 24 | +* To make {oadp-short} mount a secret that contains your SSE-C key to the Velero pod at `/credentials`, use the following default secret name for AWS: `cloud-credentials`, and leave at least one of the following labels empty: |
| 25 | +
|
| 26 | +** `dpa.spec.backupLocations[].velero.credential` |
| 27 | +** `dpa.spec.snapshotLocations[].velero.credential` |
| 28 | ++ |
| 29 | +This is a workaround for a known issue: https://issues.redhat.com/browse/OADP-3971. |
| 30 | + |
| 31 | +[NOTE] |
| 32 | +==== |
| 33 | +The following procedure contains an example of a `spec:backupLocations` block that does not specify credentials. This example would trigger an OADP secret mounting. |
| 34 | +==== |
| 35 | + |
| 36 | +* If you need the backup location to have credentials with a different name than `cloud-credentials`, you must add a snapshot location, such as the one in the following example, that does not contain a credential name. Because the example does not contain a credential name, the snapshot location will use `cloud-credentials` as its secret for taking snapshots. |
| 37 | +
|
| 38 | +.Example snapshot location in a DPA without credentials specified |
| 39 | +[source,yaml] |
| 40 | +---- |
| 41 | + snapshotLocations: |
| 42 | + - velero: |
| 43 | + config: |
| 44 | + profile: default |
| 45 | + region: <region> |
| 46 | + provider: aws |
| 47 | +# ... |
| 48 | +---- |
| 49 | + |
| 50 | +.Procedure |
| 51 | +. Create an SSE-C encryption key: |
| 52 | + |
| 53 | +.. Generate a random number and save it as a file named `sse.key` by running the following command: |
| 54 | ++ |
| 55 | +[source,terminal] |
| 56 | +---- |
| 57 | +$ dd if=/dev/urandom bs=1 count=32 > sse.key |
| 58 | +---- |
| 59 | + |
| 60 | +.. Encode the `sse.key` by using Base64 and save the result as a file named `sse_encoded.key` by running the following command: |
| 61 | ++ |
| 62 | +[source,terminal] |
| 63 | +---- |
| 64 | +$ cat sse.key | base64 > sse_encoded.key |
| 65 | +---- |
| 66 | + |
| 67 | +.. Link the file named `sse_encoded.key` to a new file named `customer-key` by running the following command: |
| 68 | ++ |
| 69 | +[source,terminal] |
| 70 | +---- |
| 71 | +$ ln -s sse_encoded.key customer-key |
| 72 | +---- |
| 73 | + |
| 74 | +. Create an {product-title} secret: |
| 75 | +** If you are initially installing and configuring {oadp-short}, create the AWS credential and encryption key secret at the same time by running the following command: |
| 76 | ++ |
| 77 | +[source,terminal] |
| 78 | +---- |
| 79 | +$ oc create secret generic cloud-credentials --namespace openshift-adp --from-file cloud=<path>/openshift_aws_credentials,customer-key=<path>/sse_encoded.key |
| 80 | +---- |
| 81 | +** If you are updating an existing installation, edit the values of the `cloud-credential` `secret` block of the `DataProtectionApplication` CR manifest, as in the following example: |
| 82 | ++ |
| 83 | +[source,yaml] |
| 84 | +---- |
| 85 | +apiVersion: v1 |
| 86 | +data: |
| 87 | + cloud: W2Rfa2V5X2lkPSJBS0lBVkJRWUIyRkQ0TlFHRFFPQiIKYXdzX3NlY3JldF9hY2Nlc3Nfa2V5P<snip>rUE1mNWVSbTN5K2FpeWhUTUQyQk1WZHBOIgo= |
| 88 | + customer-key: v+<snip>TFIiq6aaXPbj8dhos= |
| 89 | +kind: Secret |
| 90 | +# ... |
| 91 | +---- |
| 92 | +. Edit the value of the `customerKeyEncryptionFile` attribute in the `backupLocations` block of the `DataProtectionApplication` CR manifest, as in the following example: |
| 93 | ++ |
| 94 | +[source,yaml] |
| 95 | +---- |
| 96 | +spec: |
| 97 | + backupLocations: |
| 98 | + - velero: |
| 99 | + config: |
| 100 | + customerKeyEncryptionFile: /credentials/customer-key |
| 101 | + profile: default |
| 102 | +# ... |
| 103 | +---- |
| 104 | ++ |
| 105 | +[WARNING] |
| 106 | +==== |
| 107 | +You must restart the Velero pod to remount the secret credentials properly on an existing installation. |
| 108 | +==== |
| 109 | ++ |
| 110 | +The installation is complete, and you can back up and restore {product-title} resources. The data saved in AWS S3 storage is encrypted with the new key, and you cannot download it from the AWS S3 console or API without the additional encryption key. |
| 111 | + |
| 112 | +.Verification |
| 113 | + |
| 114 | +To verify that you cannot download the encrypted files without the inclusion of an additional key, create a test file, upload it, and then try to download it. |
| 115 | + |
| 116 | +. Create a test file by running the following command: |
| 117 | ++ |
| 118 | +[source,terminal] |
| 119 | +---- |
| 120 | +$ echo "encrypt me please" > test.txt |
| 121 | +---- |
| 122 | +. Upload the test file by running the following command: |
| 123 | ++ |
| 124 | +[source,terminal] |
| 125 | +---- |
| 126 | +$ aws s3api put-object \ |
| 127 | + --bucket <bucket> \ |
| 128 | + --key test.txt \ |
| 129 | + --body test.txt \ |
| 130 | + --sse-customer-key fileb://sse.key \ |
| 131 | + --sse-customer-algorithm AES256 |
| 132 | +---- |
| 133 | +. Try to download the file. In either the Amazon web console or the terminal, run the following command: |
| 134 | ++ |
| 135 | +[source,terminal] |
| 136 | +---- |
| 137 | +$ s3cmd get s3://<bucket>/test.txt test.txt |
| 138 | +---- |
| 139 | ++ |
| 140 | +The download fails because the file is encrypted with an additional key. |
| 141 | + |
| 142 | +. Download the file with the additional encryption key by running the following command: |
| 143 | ++ |
| 144 | +[source,terminal] |
| 145 | +---- |
| 146 | +$ aws s3api get-object \ |
| 147 | + --bucket <bucket> \ |
| 148 | + --key test.txt \ |
| 149 | + --sse-customer-key fileb://sse.key \ |
| 150 | + --sse-customer-algorithm AES256 \ |
| 151 | + downloaded.txt |
| 152 | +---- |
| 153 | + |
| 154 | +. Read the file contents by running the following command: |
| 155 | ++ |
| 156 | +[source,terminal] |
| 157 | +---- |
| 158 | +$ cat downloaded.txt |
| 159 | +---- |
| 160 | +.Example output |
| 161 | ++ |
| 162 | +[source,terminal] |
| 163 | +---- |
| 164 | +encrypt me please |
| 165 | +---- |
0 commit comments