Couchbase Server
MB-17635

[EntBackup] - cbbackupmgr encrypted backups


Details

    • Epic
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 4.5.0
    • Morpheus
    • tools
    • Security Level: Public
    • Encrypted Backups

    Description

      Enterprise backup needs the ability to save backups that are encrypted. This is a very common security requirement for backups.


          Activity

            Any thoughts on if it's better to encrypt at the record level or at the entire data stream level? And, should that include metadata like the key?

            The reason I ask is that my experience in other contexts is that the encryption is the easy part. The tough part is figuring out what level to apply this so as to make tools still useful to admins and developers and how to handle key management.

            For instance, if you encrypt at the record level, things like protocol traces and backups can still be performed by untrusted individuals (though verification of backup is a bit harder).

            I just wanted to mention that here for when the team gets to it.

            ingenthr Matt Ingenthron added a comment
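The record-level versus stream-level trade-off raised in the comment above, as an added example that is not part of the original thread or of cbbackupmgr: it assumes AES-GCM and a JSON map as the archive layout (both illustrative choices, not the real backup format) and shows what an operator without the secret can still read from each kind of archive.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
)

// seal encrypts plaintext with AES-GCM under a 16/24/32-byte secret and
// returns nonce||ciphertext; aad is authenticated but stays in the clear.
func seal(secret, plaintext, aad []byte) []byte {
	block, err := aes.NewCipher(secret)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// EncryptRecordLevel encrypts each body on its own. The document key stays
// readable and is bound as AAD, so a body cannot be moved under another key.
func EncryptRecordLevel(secret []byte, docs map[string][]byte) []byte {
	recs := make(map[string][]byte, len(docs))
	for k, v := range docs {
		recs[k] = seal(secret, v, []byte(k))
	}
	out, _ := json.Marshal(recs)
	return out
}

// EncryptStreamLevel serializes the whole archive and encrypts that one blob:
// keys, bodies and even the record count are hidden without the secret.
func EncryptStreamLevel(secret []byte, docs map[string][]byte) []byte {
	plain, _ := json.Marshal(docs)
	return seal(secret, plain, nil)
}

// IndexWithoutSecret is what an operator holding no secret can still read from
// a record-level archive: every key and the record count, bodies opaque. It
// fails on a stream-level archive, which is not even parseable.
func IndexWithoutSecret(archive []byte) (map[string]json.RawMessage, error) {
	var idx map[string]json.RawMessage
	err := json.Unmarshal(archive, &idx)
	return idx, err
}
```

With record-level encryption a verification tool can still count documents and check keys without ever holding the secret, which is the usability point Matt raises; the price is that document keys are visible to whoever handles the archive.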
            djp Don Pinto [X] (Inactive) added a comment - - edited

            Thanks Matt for the insight.

            I think it will be good to get some customer validation for this in the future as well -

            • Why is this important for backups? Is it because the backups are moved over an un-encrypted channel (there's TLS for this), but is it also that backups are moved to a store like retention store outside couchbase where other folks might have access?
            • What is the real attack vector here? Someone stealing a disk drive and running away? For this can't they use on-disk encryption technologies through our partners?
            • Backing up needs to be performant, so what is the performance tradeoff customers are ready to pay here to get encryption?
            • If we encrypt the sensitive fields (https://issues.couchbase.com/browse/MB-16623), the backups will also have these encrypted data so this looks reasonable as well as Matt suggested. Again, will be good to get some customer validation

            I haven't chatted with customers more on this topic, but as we get to it, it will be good to get some more validation


            The method proposed above is not something that I think should be supported. It requires users to modify their backup files and I do not think we should advise users to modify any files in their backup archive.

            We can add encrypted backups through forestdb as a feature in the future.

            mikew Mike Wiederhold [X] (Inactive) added a comment

            Correct. You would need to unencrypt the files before running the command again. I would however assume that if the customer was using something like Vormetric then it would work. We haven't tested this though.

            mikew Mike Wiederhold [X] (Inactive) added a comment

            Moving out of Neo as QE cannot contain it.

            pvarley Patrick Varley added a comment

            People

              pvarley Patrick Varley
              kirk Kirk Kirkconnell (Inactive)
