[MB-17635] [EntBackup] - cbbackupmgr encrypted backups - Couchbase database

Details

Type: Epic
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 4.5.0
Fix Version/s: Morpheus
Component/s: tools
Security Level: Public
Labels:
- DodReq
- PCIReq

Epic Name:
Encrypted Backups

Description

Enterprise backup needs the ability to save backups that are encrypted. This is a very common security requirement for backups.

Attachments

Issue Links

relates to

MB-44918 Investigate whether we should expose options to enable CPK (client provided key) encryption for Azure

Open

links to

Design Doc

PRD

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

Ascending order - Click to sort in descending order

Matt Ingenthron added a comment - 26/Jan/16 1:49 PM

Any thoughts on if it's better to encrypt at the record level or at the entire data stream level? And, should that include metadata like the key?

The reason I ask is that my experience in other contexts is that the encryption is the easy part. The tough part is figuring out what level to apply this so as to make tools still useful to admins and developers and how to handle key management.

For instance, if you encrypt at the record level, things like protocol traces and backups can still be performed by untrusted individuals. (though, verification of backup is a bit harder).

I just wanted to mention that here for when the team gets to it.

Matt Ingenthron added a comment - 26/Jan/16 1:49 PM Any thoughts on if it's better to encrypt at the record level or at the entire data stream level? And, should that include metadata like the key? The reason I ask is that my experience in other contexts is that the encryption is the easy part. The tough part is figuring out what level to apply this so as to make tools still useful to admins and developers and how to handle key management. For instance, if you encrypt at the record level, things like protocol traces and backups can still be performed by untrusted individuals. (though, verification of backup is a bit harder). I just wanted to mention that here for when the team gets to it.

Don Pinto [X] (Inactive) added a comment - 26/Jan/16 9:42 PM - edited

Thanks Matt for the insight.

I think it will be good to get some customer validation for this in the future as well -

Why is this important for backups? Is it because the backups are moved over a un-encrypted channel (there's TLS for this), but is it also that backups are moved to a store like retention store outside couchbase where other folks might have access ?

What is the real attack vector here? Someone stealing a disk drive and running away? For this can't they use on-disk encryption technologies through our partners?

Backing up needs to be performant, so what is the performance tradeoff customers are ready to pay here to get encryption?

If we encrypt the sensitive fields (https://issues.couchbase.com/browse/MB-16623), the backups will also have these encrypted data so this looks reasonable as well as Matt suggested. Again, will be good to get some customer validation

I haven't chatted with customers more on this topic, but as we get to it, it will be good to get some more validation

Don Pinto [X] (Inactive) added a comment - 26/Jan/16 9:42 PM - edited Thanks Matt for the insight. I think it will be good to get some customer validation for this in the future as well - Why is this important for backups? Is it because the backups are moved over a un-encrypted channel (there's TLS for this), but is it also that backups are moved to a store like retention store outside couchbase where other folks might have access ? What is the real attack vector here? Someone stealing a disk drive and running away? For this can't they use on-disk encryption technologies through our partners? Backing up needs to be performant, so what is the performance tradeoff customers are ready to pay here to get encryption? If we encrypt the sensitive fields ( https://issues.couchbase.com/browse/MB-16623 ), the backups will also have these encrypted data so this looks reasonable as well as Matt suggested. Again, will be good to get some customer validation I haven't chatted with customers more on this topic, but as we get to it, it will be good to get some more validation

Mike Wiederhold [X] (Inactive) added a comment - 08/Feb/16 10:02 AM

The method proposed above is not something that I think should be supported. It requires users to modify their backup files and I do not think we should advise users to modify any files in their backup archive.

We can add encrypted backups through forestdb as a feature in the future.

Mike Wiederhold [X] (Inactive) added a comment - 08/Feb/16 10:02 AM The method proposed above is not something that I think should be supported. It requires users to modify their backup files and I do not think we should advise users to modify any files in their backup archive. We can add encrypted backups through forestdb as a feature in the future.

Mike Wiederhold [X] (Inactive) added a comment - 21/Jul/16 2:22 PM

Correct. You would need to unencrypt the files before running the command again. I would however assume that if the customer was using something like Vormetric then it would work. We haven't tested this though.

Mike Wiederhold [X] (Inactive) added a comment - 21/Jul/16 2:22 PM Correct. You would need to unencrypt the files before running the command again. I would however assume that if the customer was using something like Vormetric then it would work. We haven't tested this though.

Patrick Varley added a comment - 17/Aug/21 10:11 AM

Moving out of Neo as QE cannot contain it.

Patrick Varley added a comment - 17/Aug/21 10:11 AM Moving out of Neo as QE cannot contain it.

Couchbase Server

[EntBackup] - cbbackupmgr encrypted backups

Details

Description

Attachments

Issue Links

Gerrit Reviews

Activity

People

Dates

Gerrit Reviews

PagerDuty