Velero: Enable proper restic encryption

Created on 7 May 2020 · 4 Comments · Source: vmware-tanzu/velero

Describe the problem/challenge you have
As described in the documentation, restic backups are encrypted by default and the keys are stored in the bucket along with the backups, which renders the encryption useless.

Are there already plans for when the keys will be able to be stored in a different location?

Labels: Duplicate, Enhancement/User, Restic, Security

All 4 comments

Managing restic keys for backups is not on our radar at the moment. Part of the reason is the fact that restic is a tool that folk use to migrate workloads across providers. That being the case, coupling the key management to a cloud provider's key management service would be tricky.

As a workaround for this, you might be able to encrypt the object store using the provider encryption at rest features that may allow authorized reads and writes to the object store to occur seamlessly.

In the near-term, is there an easy way to override the default secret on a per cluster basis?

Seems like that would be sufficient for certain deployments.

@aarononeal I believe that if, just after installing Velero and before triggering your first restic backup, you create a secret named velero-restic-credentials in the velero namespace, with a key of repository-password, and your desired value, then all restic repos will be created/accessed using that password. You'd be responsible for storage and management of that key. (Note that I haven't actually tried this out in a while, but that is how it's intended to work).
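
The secret described in the comment above could be created before the first restic backup along these lines. This is an added example, not code from the Velero project or from the commenters: the secret name, namespace and key come from the comment, while the APPLY switch, the local password file and the way the password is generated are assumptions.

```shell
#!/bin/sh
# Added example: pre-create the restic repository password Secret.
# Name, namespace and key are taken from the comment; the rest is assumed.
set -eu

NAMESPACE=velero
SECRET_NAME=velero-restic-credentials
SECRET_KEY=repository-password

# 32 bytes from the kernel CSPRNG, base64-encoded; the resulting string is the password.
gen_password() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Render the Secret manifest on stdout. The password is read from stdin so it
# never appears in argv or shell history.
render_secret() {
    pw=$(cat)
    [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    encoded=$(printf '%s' "$pw" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $NAMESPACE
type: Opaque
data:
  $SECRET_KEY: $encoded
EOF
}

# Only talks to a cluster when APPLY=1 (hypothetical switch for this example).
if [ "${APPLY:-0}" = 1 ]; then
    # The comment says to create the Secret before the first restic backup,
    # so an existing Secret is never replaced.
    if kubectl -n "$NAMESPACE" get secret "$SECRET_NAME" >/dev/null 2>&1; then
        echo "$SECRET_NAME already exists; not replacing it" >&2
        exit 1
    fi
    umask 077
    # Hypothetical local path: keep this copy somewhere other than the backup bucket.
    gen_password > ./restic-repository-password
    render_secret < ./restic-repository-password | kubectl create -f -
fi
```

Run it with `APPLY=1` against the target cluster; without it the script only defines the helpers and touches nothing.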

This is a dupe of #1053, so closing this one out in favor of that.
