zacko

Reputation: 397

How does CloudNativePG encrypt data

# Example of PostgreSQL cluster
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: test-db-cluster
spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:16.1


  backup:
    barmanObjectStore:
      wal:
        compression: gzip
        encryption: AES256
      data:
        compression: gzip
        encryption: AES256
---

I have encryption set to AES256 here, but how does Postgres know how to decrypt the files without a password?

If it's password protected and the password gets generated dynamically, it would mean I have to back up the password as well, right?

Upvotes: 2

Views: 493

Answers (2)

Gabriele Bartolini

Reputation: 101

Currently we only support the server-side encryption provided by the Cloud Provider. However, we are planning to enhance and provide more options in the future for WAL and backup management.

Upvotes: 2

Itay Grudev

Reputation: 7444

This encryption is not in Postgres; it's not even in Barman Cloud, hence no key management is required.

What is going on is that the setting gets passed to Barman Cloud, which in turn instructs the underlying storage layer to enable encryption for the given object.

This means that if your Azure Blob Storage container or AWS S3 bucket doesn't have encryption enabled by default, it would force the object to have encryption enabled with the provided settings.

References: https://github.com/cloudnative-pg/cloudnative-pg/blob/faec6d7097b72900e12d88c1e30982e4e11b3c54/api/v1/cluster_types.go#L1843

Upvotes: 1
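Since the manifest only asks the object store for server-side encryption, the practical check is whether the objects Barman Cloud wrote actually carry it. The script below is an added example (not CloudNativePG or Barman Cloud code) that compares the `encryption` requested in the Cluster spec with the `ServerSideEncryption` field that S3 reports per object. It assumes the manifest has already been parsed into a dict (for instance with PyYAML), that Barman Cloud's usual key layout is in use (`<server>/wals/...` for WAL segments and `<server>/base/...` for base backups), and that object records look like S3 HeadObject responses; the sample records are constructed for the demo, and the optional `fetch_objects` helper is the only part that talks to a real bucket.

```python
"""Audit that backup objects written by Barman Cloud carry the server-side
encryption the CloudNativePG Cluster manifest asked for.

Added example, not CloudNativePG or Barman Cloud code. Assumptions:
  - the Cluster manifest is already parsed into a dict;
  - Barman Cloud's usual key layout: <server>/wals/... and <server>/base/...;
  - object records mirror S3 HeadObject, where 'ServerSideEncryption' is
    'AES256' or 'aws:kms' when SSE was applied and absent otherwise.
"""
from typing import Dict, List, Optional

# Parsed form of the spec from the question (assumed parsed with PyYAML).
CLUSTER_SPEC = {
    "backup": {
        "barmanObjectStore": {
            "wal": {"compression": "gzip", "encryption": "AES256"},
            "data": {"compression": "gzip", "encryption": "AES256"},
        }
    }
}

# Constructed sample records; the third one has no SSE header at all.
SAMPLE_OBJECTS = [
    {"Key": "test-db-cluster/wals/0000000100000000/000000010000000000000001.gz",
     "ServerSideEncryption": "AES256"},
    {"Key": "test-db-cluster/base/20240101T000000/data.tar.gz",
     "ServerSideEncryption": "aws:kms"},
    {"Key": "test-db-cluster/base/20240102T000000/backup.info"},
    {"Key": "test-db-cluster/README"},
]


def expected_encryption(spec: dict) -> Dict[str, Optional[str]]:
    """Return the encryption requested for the 'wal' and 'data' sections.

    A missing 'encryption' key means Barman Cloud sends no SSE header, so
    the bucket's default encryption policy (if any) decides."""
    store = spec.get("backup", {}).get("barmanObjectStore", {})
    return {s: store.get(s, {}).get("encryption") for s in ("wal", "data")}


def classify_key(key: str) -> Optional[str]:
    """Map an object key to the manifest section that governs it (assumed
    Barman Cloud layout: 'wals' directory for WAL, 'base' for backups)."""
    parts = key.split("/")
    if "wals" in parts:
        return "wal"
    if "base" in parts:
        return "data"
    return None  # e.g. README or other non-backup objects


def audit_objects(spec: dict, objects: List[dict]) -> List[dict]:
    """Return one finding per backup object whose actual SSE setting differs
    from what the manifest requested. Objects outside the WAL/base layout
    are ignored; sections with no requested encryption are not checked."""
    wanted = expected_encryption(spec)
    findings = []
    for obj in objects:
        section = classify_key(obj["Key"])
        if section is None:
            continue
        expect = wanted[section]
        actual = obj.get("ServerSideEncryption")  # absent when unencrypted
        if expect is not None and actual != expect:
            findings.append({"key": obj["Key"], "expected": expect, "actual": actual})
    return findings


def fetch_objects(bucket: str, prefix: str) -> List[dict]:
    """Optional live mode: pull per-object SSE status from a real bucket.
    Uses boto3 list_objects_v2 + head_object; imported lazily so the rest of
    the module runs without AWS credentials or boto3 installed."""
    import boto3  # assumed available only when this helper is used
    s3 = boto3.client("s3")
    records = []
    paginator = s3.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for item in page.get("Contents", []):
            head = s3.head_object(Bucket=bucket, Key=item["Key"])
            rec = {"Key": item["Key"]}
            if "ServerSideEncryption" in head:
                rec["ServerSideEncryption"] = head["ServerSideEncryption"]
            records.append(rec)
    return records


if __name__ == "__main__":
    for f in audit_objects(CLUSTER_SPEC, SAMPLE_OBJECTS):
        print(f"{f['key']}: expected {f['expected']}, got {f['actual']}")
```

Run against the constructed sample, the audit flags the `aws:kms` base backup (a different SSE mode than requested) and the `backup.info` object that has no SSE header, and skips the README because it is outside the WAL/base layout. For a live bucket, pass the output of `fetch_objects(bucket, "test-db-cluster/")` to `audit_objects` instead.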
