Post-Install Configuration

Learn about features that require post-install configuration steps

About Trilio Encryption

Encryption of your backup data provides protection from malicious users in the event of a breach. Trilio encrypts the backup data at the application level with a user-provided encryption key in the form of a Kubernetes secret. This encryption key encrypts all backup data and metadata, which is then stored on your configured backup target storage.

To support encryption across all Trilio features, the encryption keys must be stored along with the backups. The Master Encryption Key was therefore introduced to encrypt the user-provided encryption keys as they are stored on the backup target.

The Master Encryption Key is the same cluster-wide, and rollover of the key is not yet supported. We do not recommend updating the Master Encryption Key.

Master Encryption Key

Trilio for Kubernetes 3.0.0 introduced the concept of the master encryption key. Trilio encrypts the user-provided encryption key specified during BackupPlan creation using this Master Encryption Key and stores it along with the backups. These stored encryption keys are utilized by Trilio's Continuous Restore feature.

As soon as Trilio is installed, the user needs to populate the secret `triliovault-master-encryption-key` with the Master Encryption Key.

Refer to the following example.

```yaml
apiVersion: v1
data:
  # Specify base64 encoded key here.
  # It will be used as Master Encryption Key.
  # Make sure that you are using masterEncryptionKeyConfig
  # to specify the Master Encryption Key.
  masterEncryptionKeyConfig: dHJpbGlvbWFzdGVya2V5
kind: Secret
metadata:
  creationTimestamp: "2022-10-26T21:35:04Z"
  name: triliovault-master-encryption-key
  namespace: default
  resourceVersion: "13668"
  uid: 424b3d66-0190-4bd3-ae6c-4f22dbeef786
type: Opaque
```
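
Because rollover is not supported, the key set at install time stays in place, and the sample value above decodes to a guessable string. The following is an added example, not Trilio's own tooling: shell functions that generate a random key, reject the documentation sample and short values, and render the Secret. The 32-byte length, the hex rendering and the namespace argument are assumptions; the page states no key format requirement.

```shell
#!/bin/sh
# Added example. The Secret name and the data field come from the page;
# key length, hex format and the namespace default are assumptions.

SAMPLE_B64='dHJpbGlvbWFzdGVya2V5'   # the page's sample value, never use it as a real key

# Print a base64-encoded key: 32 random bytes rendered as 64 hex characters.
gen_master_key_b64() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n' | base64 | tr -d '\n'
}

# Return 0 only for values that are acceptable as a Master Encryption Key.
check_master_key_b64() {
    [ -n "$1" ] || { echo "empty value" >&2; return 1; }
    [ "$1" != "$SAMPLE_B64" ] || { echo "documentation sample key" >&2; return 1; }
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) \
        || { echo "not valid base64" >&2; return 1; }
    [ "${#decoded}" -ge 32 ] \
        || { echo "decoded key shorter than 32 characters" >&2; return 1; }
    return 0
}

# Emit a Secret manifest without the server-populated fields
# (creationTimestamp, resourceVersion, uid) shown in the page's example.
render_master_key_secret() {
    key_b64=$1
    namespace=${2:-default}   # assumption: pass the namespace Trilio runs in
    check_master_key_b64 "$key_b64" || return 1
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: triliovault-master-encryption-key
  namespace: $namespace
type: Opaque
data:
  masterEncryptionKeyConfig: $key_b64
EOF
}
```

Secret `data` values are base64-encoded, not encrypted, so treat the rendered manifest as key material.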