Encryption

Encryption of your backup data provides protection from malicious users in the event of a breach. Trilio encrypts the backup data at the application level with a user-provided encryption key in the form of a Kubernetes secret. This encryption key encrypts all backup data and metadata, which is then stored on your configured backup target storage.

Trilio leverages the LUKS encryption format to protect user data. LUKS is extremely flexible and secure, providing a range of cipher suites. Since encryption works against deduplication, the ability to set encryption at the Backup Plan level gives you granular control over which applications are encrypted, providing flexibility and lower TCO.

Master Encryption Key is cluster-wide and rollover of the key is not yet supported. We do not recommend updating the Master Encryption Key. If you are restoring an encrypted backup on another cluster, the Master Encryption Key must be the same on that cluster.

Master Encryption Key

Introduced in T4K 3.0.0. To support encryption through all Trilio features, encryption keys need to be stored along with backups. The Master Encryption Key encrypts the user-provided keys before they are stored on the backup target. Trilio's Continuous Restore feature uses these stored keys.

As soon as Trilio is installed, populate the triliovault-master-encryption-key secret with your Master Encryption Key:

apiVersion: v1
kind: Secret
metadata:
  name: triliovault-master-encryption-key
  namespace: default
type: Opaque
data:
  masterEncryptionKeyConfig: dHJpbGlvbWFzdGVya2V5 # base64-encoded key
                                                  # This will be used as the Master Encryption Key.
                                                  # Field name must be masterEncryptionKeyConfig.

Encrypting Backups

Encryption is set at the Backup Plan level — each user provides their own key, saved as a Kubernetes secret. This means that if one user's key is compromised, only their backups are affected; other users' backups remain secure.

Before creating encrypted backups, ensure the Master Encryption Key secret is populated (see above).

Step 1 — Create an encryption secret:

apiVersion: v1
kind: Secret
metadata:
  name: sample-secret
type: Opaque
data:
  encryptKey: bXllbmNyeXB0aW9ua2V5

Step 2 — Reference the secret in a BackupPlan:

apiVersion: trilio.trilio.io/v1
kind: BackupPlan
metadata:
  name: sample-application
spec:
  encryption:
    encryptionSecret:
      name: sample-secret
      namespace: BACKUPPLAN_NAMESPACE
  backupConfig:
    target:
      name: sample-target
    retentionPolicy:
      name: sample-retention-policy
  backupPlanComponents:
    helmReleases:
      - mysql

Via the Management Console — when creating a Backup Plan, select your encryption secret from the list of secrets presented in the Backup Plan workflow.

Restoring Encrypted Backups

Same Cluster

When restoring an encrypted backup on the same cluster, Trilio uses the same key from the Backup Plan to decrypt and restore automatically. Target Browsing must be enabled. On the restore form, enable target browsing, then select the Encryption Secret from the list — it will be verified before you can proceed.

Different Cluster (DR / Migration)

When restoring to a new cluster, the Master Encryption Key must be configured on the target cluster first. Then enable target browsing, select the backup to restore, and create a secret with the same encryption key that was used at the time of backup.

PreviousOverview NextCLI Guide

Last updated 2 months ago

Was this helpful?

hashtagMaster Encryption Key

hashtagEncrypting Backups

hashtagRestoring Encrypted Backups

hashtagSame Cluster

hashtagDifferent Cluster (DR / Migration)

Master Encryption Key

Encrypting Backups

Restoring Encrypted Backups

Same Cluster

Different Cluster (DR / Migration)