What’s New in Vertica 9.0.1: S3 Backup Encryption

Posted January 29, 2018 by Soniya Shah, Information Developer

This blog post was authored by James Kelley.

Amazon S3 offers flexibility, efficiency, and scale. But does it offer security? With the release of Vertica 9.0.1, Vertica offers users the ability to encrypt their backups to S3 with server-side encryption.

Vertica supports the following forms of S3 encryption:

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

• Encrypts backups with AES-256
• Amazon manages encryption keys

Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)

• Encrypts backups with AES-256
• Requires an encryption key from Amazon Key Management Service
• Your S3 bucket must be in the same region as your encryption key
• Allows auditing of user activity

Configuring Amazon S3 for Encrypted Backups

When you enable encryption of your backups, Vertica encrypts backups as it creates them. If you enable encryption after creating an initial backup, Vertica encrypts increments as you add them. To ensure that your backup is entirely encrypted, create new backups after enabling encryption.

To enable encryption, add the following settings to your configuration file:

• s3_encrypt_transport – Encrypts your backups during transmission. You must enable this parameter if you are using SSE-KMS encryption.
• s3_encrypt_at_rest – Enables encryption of your backups. If you enable encryption and do not provide a KMS key, Vertica uses SSE-S3 encryption.
• s3_sse_kms_key_id – If you are using KMS encryption, use this parameter to provide your key ID.

For more information on these settings, refer to S3 configuration settings.

The following example shows a typical configuration for KMS encryption of backups.

    [S3]
    s3_encrypt_transport = True
    s3_encrypt_at_rest = sse
    s3_sse_kms_key_id = 6785f412-1234-4321-8888-6a774ba2aaaa
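A pre-flight check for the three settings above, as an added example (not Vertica's code): it reads the [S3] section and reports which encryption mode the rules in this post imply, plus any combination the post rules out. The function name and sample configs are constructed here; it assumes `sse` is the only enabling value for s3_encrypt_at_rest (the only one the post shows) and that booleans parse the way Python's configparser reads them.

```python
import configparser

# Constructed sample configs; the key ID is the placeholder from the post's example.
KEY = "6785f412-1234-4321-8888-6a774ba2aaaa"
KMS_OK = f"[S3]\ns3_encrypt_transport = True\ns3_encrypt_at_rest = sse\ns3_sse_kms_key_id = {KEY}\n"
KMS_NO_TRANSPORT = f"[S3]\ns3_encrypt_at_rest = sse\ns3_sse_kms_key_id = {KEY}\n"
KEY_WITHOUT_AT_REST = f"[S3]\ns3_encrypt_transport = True\ns3_sse_kms_key_id = {KEY}\n"
SSE_S3 = "[S3]\ns3_encrypt_transport = True\ns3_encrypt_at_rest = sse\n"


def audit_s3_encryption(ini_text):
    """Return (mode, findings) for the [S3] section of a backup config file."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    s3 = cp["S3"] if cp.has_section("S3") else {}
    # Assumption: "sse" is the only value that enables at-rest encryption.
    at_rest = s3.get("s3_encrypt_at_rest", "").strip().lower() == "sse"
    key_id = s3.get("s3_sse_kms_key_id", "").strip()
    try:
        transport = cp.getboolean("S3", "s3_encrypt_transport", fallback=False)
    except ValueError:  # present but not a recognisable boolean
        transport = False

    findings = []
    if not at_rest:
        mode = "none"
        findings.append("s3_encrypt_at_rest is not 'sse': backups are stored unencrypted")
        if key_id:
            findings.append("s3_sse_kms_key_id is set but at-rest encryption is off")
    elif key_id:
        mode = "SSE-KMS"  # a key ID selects KMS-managed keys
    else:
        mode = "SSE-S3"   # no key ID: falls back to S3-managed keys
    if not transport:
        why = "required for SSE-KMS" if mode == "SSE-KMS" else "backups are sent unencrypted"
        findings.append(f"s3_encrypt_transport is not enabled ({why})")
    return mode, findings


if __name__ == "__main__":
    samples = {"kms_ok": KMS_OK, "kms_no_transport": KMS_NO_TRANSPORT,
               "key_without_at_rest": KEY_WITHOUT_AT_REST, "sse_s3": SSE_S3}
    for name, text in samples.items():
        mode, findings = audit_s3_encryption(text)
        print(f"{name}: mode={mode}")
        for f in findings:
            print(f"  - {f}")
```

A clean result only covers the configuration; backups created before encryption was enabled still need to be recreated, as described above.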

Backing Up and Restoring from Encrypted S3

You can create and restore encrypted backups from S3 just as you would any other backup.