# Encryption

Encryption of your backup data provides protection from malicious users in the event of a breach. Trilio encrypts the backup data at the application level with a user-provided encryption key in the form of a Kubernetes secret. This encryption key encrypts all backup data and metadata, which is then stored on your configured backup target storage.

Trilio leverages the LUKS encryption format to protect user data. LUKS is extremely flexible and secure, providing a range of cipher suites. Since encryption works against deduplication, the ability to set encryption at the Backup Plan level gives you granular control over which applications are encrypted, providing flexibility and lower TCO.

{% hint style="warning" %}
Master Encryption Key is cluster-wide and rollover of the key is not yet supported. We do not recommend updating the Master Encryption Key. If you are restoring an encrypted backup on another cluster, the Master Encryption Key must be the same on that cluster.
{% endhint %}

## Master Encryption Key

The Master Encryption Key was introduced in T4K 3.0.0. To support encryption across all Trilio features, encryption keys must be stored alongside the backups; the Master Encryption Key encrypts the user-provided keys before they are written to the backup target. Trilio's Continuous Restore feature uses these stored keys.

As soon as Trilio is installed, populate the `triliovault-master-encryption-key` secret with your Master Encryption Key:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: triliovault-master-encryption-key
  namespace: default
type: Opaque
data:
  # The field name must be masterEncryptionKeyConfig; the value is the
  # base64-encoded key that will be used as the Master Encryption Key.
  masterEncryptionKeyConfig: dHJpbGlvbWFzdGVya2V5
```

## Encrypting Backups

Encryption is set at the Backup Plan level — each user provides their own key, saved as a Kubernetes secret. This means that if one user's key is compromised, only their backups are affected; other users' backups remain secure.

Before creating encrypted backups, ensure the Master Encryption Key secret is populated (see above).

**Step 1 — Create an encryption secret:**

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: sample-secret
type: Opaque
data:
  encryptKey: bXllbmNyeXB0aW9ua2V5
```

**Step 2 — Reference the secret in a BackupPlan:**

```yaml
apiVersion: trilio.trilio.io/v1
kind: BackupPlan
metadata:
  name: sample-application
spec:
  encryption:
    encryptionSecret:
      name: sample-secret
      namespace: BACKUPPLAN_NAMESPACE
  backupConfig:
    target:
      name: sample-target
    retentionPolicy:
      name: sample-retention-policy
  backupPlanComponents:
    helmReleases:
      - mysql
```

**Via the Management Console** — when creating a Backup Plan, select your encryption secret from the list of secrets presented in the Backup Plan workflow.
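The two secrets above and the BackupPlan that references them are easy to get subtly wrong (a misspelled data field, a secret in the wrong namespace, a value that is not valid base64, or a placeholder key left in place). The following preflight check, an added example that is not part of Trilio's documentation or code, validates such manifests offline. It assumes the manifests are available as Python dicts (as returned by any YAML/JSON loader), that the encryption secret must live in the BackupPlan's own namespace, and a local policy minimum of 16 key bytes; the sample values are the ones from this page, which the check flags as too short for that assumed policy.

```python
import base64
import binascii

MIN_KEY_BYTES = 16  # assumed local policy threshold, not a Trilio requirement

# Constructed sample manifests mirroring this page's YAML; not Trilio's own code.
MASTER_SECRET = {"kind": "Secret", "metadata": {"name": "triliovault-master-encryption-key", "namespace": "default"},
                 "data": {"masterEncryptionKeyConfig": "dHJpbGlvbWFzdGVya2V5"}}
PLAN_SECRET = {"kind": "Secret", "metadata": {"name": "sample-secret", "namespace": "default"},
               "data": {"encryptKey": "bXllbmNyeXB0aW9ua2V5"}}
BACKUP_PLAN = {"kind": "BackupPlan", "metadata": {"name": "sample-application", "namespace": "default"},
               "spec": {"encryption": {"encryptionSecret": {"name": "sample-secret", "namespace": "default"}}}}


def decoded_key(secret, field):
    """Decoded bytes of secret.data[field], or None if the field is missing or not valid base64."""
    raw = secret.get("data", {}).get(field)
    if raw is None:
        return None
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None


def check_secret_key(secret, field):
    """Findings for one key-bearing Secret: field present, valid base64, long enough for policy."""
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    key = decoded_key(secret, field)
    if key is None:
        return [f"{name}: data.{field} missing or not valid base64"]
    if len(key) < MIN_KEY_BYTES:
        return [f"{name}: data.{field} is {len(key)} bytes, below policy minimum {MIN_KEY_BYTES}"]
    return []


def check_backup_plan(plan, secrets):
    """Resolve spec.encryption.encryptionSecret to a Secret in the plan's namespace, then check its encryptKey."""
    ref = plan.get("spec", {}).get("encryption", {}).get("encryptionSecret")
    if not ref:
        return ["backup plan has no encryptionSecret: its backups are not encrypted"]
    plan_ns = plan["metadata"]["namespace"]
    if ref.get("namespace") != plan_ns:  # assumption: the secret must live in the plan's namespace
        return [f"encryptionSecret namespace {ref.get('namespace')!r} != plan namespace {plan_ns!r}"]
    match = [s for s in secrets if s["metadata"]["name"] == ref["name"] and s["metadata"].get("namespace") == plan_ns]
    if not match:
        return [f"encryptionSecret {ref['name']!r} not found in namespace {plan_ns!r}"]
    return check_secret_key(match[0], "encryptKey")
```

Run `check_secret_key(MASTER_SECRET, "masterEncryptionKeyConfig")` and `check_backup_plan(BACKUP_PLAN, [PLAN_SECRET])` before installing the manifests; an empty list means no findings.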

## Restoring Encrypted Backups

### Same Cluster

When restoring an encrypted backup on the same cluster, Trilio uses the same key from the Backup Plan to decrypt and restore automatically. Target Browsing must be enabled. On the restore form, enable target browsing, then select the Encryption Secret from the list — it will be verified before you can proceed.

### Different Cluster (DR / Migration)

When restoring to a new cluster, the Master Encryption Key must be configured on the target cluster first. Then enable target browsing, select the backup to restore, and create a secret with the **same encryption key** that was used at the time of backup.

![Restore Encrypted backup on different cluster](/files/E5MF7Ip7RneyS3k5Io9i)
