Encrypting Backups to S3
Backups made to Amazon S3 can be encrypted using native server-side S3 encryption capability. For more information on Amazon S3 encryption, refer to Amazon documentation.
Note: Vertica supports server-side encryption only. Client-side encryption is not supported.
Supported Encryption Types
Vertica supports the following forms of S3 encryption:
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
- Encrypts backups with AES-256
- Amazon manages encryption keys
Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
- Encrypts backups with AES-256
- Requires an encryption key from Amazon Key Management Service
- Your S3 bucket must be from the same region as your encryption key
- Allows auditing of user activity
Configuring Amazon S3 for Encrypted Backups
When you enable encryption of your backups, Vertica encrypts backups as it creates them. If you enable encryption after creating an initial backup, only increments added after you enabled encryption are encrypted. To ensure that your backup is entirely encrypted, create new backups after enabling encryption.
To enable encryption, add the following settings to your configuration file:
- s3_encrypt_transport - Encrypts your backups during transmission. You must enable this parameter if you are using SSE-KMS encryption.
- s3_encrypt_at_rest - Enables encryption of your backups. If you enable encryption and do not provide a KMS key, Vertica uses SSE-S3 encryption.
- s3_sse_kms_key_id - If you are using KMS encryption, use this parameter to provide your key ID.
For more information on these settings, refer to S3 configuration settings.
The following example shows a typical configuration for KMS encryption of backups.
[S3] s3_encrypt_transport = True s3_encrypt_at_rest = sse s3_sse_kms_key_id = 6785f412-1234-4321-8888-6a774ba2aaaa
Backing up and Restoring from Encrypted S3
You can create and restore encrypted backups from S3 just as you would any other backup.
