# OADP [AWS, NooBaa] SSE-C Encrypted backups

## Background

First and foremost, note that Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3 [1]. Note also that OpenShift and OADP protect backup data in transit to off-cluster storage with TLS (HTTPS), and that Velero's file system backups encrypt the backup repository with the password held in the velero-repo-credentials secret [2].

SSE-S3 does not help when the AWS credentials themselves are lost or stolen: S3 decrypts transparently for any principal allowed to read the bucket, so whoever holds the credentials can download the backups in the clear. Red Hat therefore strongly recommends an additional layer of encryption so that backed up data cannot be read with the bucket credentials alone. The OpenShift velero-plugin-for-aws provides several additional encryption methods [3]. Red Hat recommends reviewing the configuration options and implementing one of them.

Server-side encryption with customer-provided keys (SSE-C) lets Red Hat customers supply and hold their own encryption key. S3 uses the key to encrypt the object on write and requires the same key on every read, but does not retain the key itself, so the objects cannot be downloaded in the clear with AWS credentials alone [4]. This provides the required additional protection in the case where AWS credentials have been exposed.

## OADP SSE-C Encrypted backups

**WARNING:** Red Hat strongly recommends securing cryptographic keys in a secure and safe manner. Encrypted data and backups will not be recoverable in the absence of the encryption key.

## Known Issues

Credential not found errors:

* https://issues.redhat.com/browse/OADP-3971

Workaround:

* Add a volume snapshot location to your DPA without specifying a credential

```
snapshotLocations:
  - velero:
      config:
        profile: default
        region: <region>
      provider: aws
```

### Configuration

* Create an encryption key

SSE-C uses AES-256, so the raw key must be exactly 32 bytes. The base64-encoded copy is what goes into the OpenShift secret; keep the raw `sse.key` for use with the aws CLI in the Testing section.

```
dd if=/dev/urandom bs=1 count=32 > sse.key
base64 sse.key > sse_encoded.key
ln -s sse_encoded.key customer-key
```

* Create an OpenShift secret

If the customer is initially installing and configuring OADP, you may create the AWS credential and the encryption key in the same secret at the same time.
```
oc create secret generic cloud-credentials --namespace openshift-adp \
  --from-file cloud=<path>/openshift_aws_credentials \
  --from-file customer-key=<path>/sse_encoded.key
```

Existing installs may update the cloud-credentials secret in place. Both values are base64-encoded, as for any Secret `data` entry:

```
apiVersion: v1
kind: Secret
metadata:
  name: cloud-credentials
  namespace: openshift-adp
data:
  cloud: <base64 of the AWS credentials file>
  customer-key: <base64 of sse_encoded.key>
```

* Update or create the OADP DPA

Set `customerKeyEncryptionFile` in the DPA's `backupLocations` section to the path at which the `customer-key` entry of the secret is mounted in the Velero pod:

```
spec:
  backupLocations:
    - velero:
        config:
          customerKeyEncryptionFile: /credentials/customer-key
          profile: default
```

**WARNING:** Existing installs require the Velero pod to be restarted so that the updated secret is remounted properly.

* Install completed

Customers may now back up and restore OpenShift resources. The data saved in AWS S3 storage is encrypted with the new key and cannot be downloaded via the AWS S3 console or API without the supplied encryption key.
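The Configuration steps above, collected into one script. This is an added example, not code from the OADP documentation or the velero-plugin-for-aws project. It assumes the namespace `openshift-adp` and the mount path `/credentials/customer-key` from this page, plus two names that are placeholders and will differ per install: a DPA called `velero-sample` and a Velero deployment called `velero`. The key generation and the 32-byte size check run offline; the `oc` steps need a cluster.

```shell
#!/bin/sh
# Added example: wraps the Configuration steps (key, secret, DPA, restart).
# Not part of the OADP docs or the velero-plugin-for-aws project.
set -eu

NAMESPACE="${NAMESPACE:-openshift-adp}"
DPA_NAME="${DPA_NAME:-velero-sample}"   # assumption: set to your DPA's name

# Write a raw 32-byte key (sse.key) and its base64 form (sse_encoded.key) into DIR.
# The subshell scopes umask so the key files are readable only by the owner.
gen_key() {
    dir="$1"
    ( umask 077
      head -c 32 /dev/urandom > "$dir/sse.key"
      base64 < "$dir/sse.key" | tr -d '\n' > "$dir/sse_encoded.key" )
}

# SSE-C is AES-256: refuse any raw key that is not exactly 32 bytes.
check_key_file() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -ne 32 ]; then
        echo "ERROR: $1 holds $size bytes, SSE-C needs exactly 32" >&2
        return 1
    fi
}

# Create the cloud-credentials secret, or update it in place on an existing install.
create_or_update_secret() {   # <aws credentials file> <sse_encoded.key>
    oc create secret generic cloud-credentials --namespace "$NAMESPACE" \
        --from-file "cloud=$1" \
        --from-file "customer-key=$2" \
        --dry-run=client -o yaml | oc apply -f -
}

# Point the first backupLocations entry at the key mounted from the secret.
patch_dpa() {
    oc -n "$NAMESPACE" patch dataprotectionapplication "$DPA_NAME" --type=json -p '[
      {"op": "add",
       "path": "/spec/backupLocations/0/velero/config/customerKeyEncryptionFile",
       "value": "/credentials/customer-key"}]'
}

# Existing installs: restart Velero so the updated secret is remounted.
restart_velero() {   # assumption: the Velero deployment is named "velero"
    oc -n "$NAMESPACE" rollout restart deployment/velero
    oc -n "$NAMESPACE" rollout status deployment/velero --timeout=120s
}

# Usage: ./oadp-ssec-setup.sh apply <aws-credentials-file> <key-dir>
if [ "${1:-}" = "apply" ]; then
    creds="$2"; dir="$3"
    gen_key "$dir"
    check_key_file "$dir/sse.key"
    create_or_update_secret "$creds" "$dir/sse_encoded.key"
    patch_dpa
    restart_velero
    echo "SSE-C configured; keep $dir/sse.key safe, backups are unrecoverable without it"
fi
```

The `--dry-run=client -o yaml | oc apply -f -` idiom makes the secret step idempotent, so the same script serves both a fresh install and the "existing installs may update the secret" case; the JSON patch only touches the one key, leaving the rest of the DPA untouched.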
## Testing

The aws CLI takes the raw 32-byte key (`sse.key`, read as binary via `fileb://`), not the base64-encoded file used in the secret; the CLI encodes it itself when building the request.

* Create a test file

```
echo "encrypt me please" > test.txt
```

* Upload the test file with the SSE-C key

```
aws s3api put-object \
  --bucket <bucket> \
  --key test.txt \
  --body test.txt \
  --sse-customer-key fileb://sse.key \
  --sse-customer-algorithm AES256
```

* Try to download the file without the key
  * via the S3 web console
  * `s3cmd get s3://<bucket>/test.txt test.txt`

Both should fail, because the object is now encrypted with a key that S3 does not hold.

* Download the file with the key

```
aws s3api get-object \
  --bucket <bucket> \
  --key test.txt \
  --sse-customer-key fileb://sse.key \
  --sse-customer-algorithm AES256 \
  downloaded.txt
```

```
cat downloaded.txt
encrypt me please
```

* The same download call can be executed on Velero backed up files

```
aws s3api get-object \
  --bucket <bucket> \
  --key velero/backups/mysql-persistent-customerkeyencryptionfile4/mysql-persistent-customerkeyencryptionfile4.tar.gz \
  --sse-customer-key fileb://sse.key \
  --sse-customer-algorithm AES256 \
  --debug \
  velero_download.tar.gz
```

References:

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html
[2] https://docs.openshift.com/container-platform/4.15/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.html
[3] https://github.com/openshift/velero-plugin-for-aws/blob/konveyor-dev/backupstoragelocation.md
[4] https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
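The Testing section above, automated as a pass/fail check. This is an added example, not code from the OADP documentation or the velero-plugin-for-aws project. It assumes the aws CLI is already configured for the bucket, that `sse.key` is the raw 32-byte key from the Configuration section, and that the Velero backup objects live under the `velero/backups/<backup-name>/` prefix shown above. It goes one step beyond the manual test: after the marker-object round trip it walks every object of a named Velero backup and checks the `head-object` metadata, since an object that S3 encrypted with SSE-S3 by default reports `"ServerSideEncryption": "AES256"`, while only an SSE-C object reports `"SSECustomerAlgorithm": "AES256"`. The metadata check runs offline; the rest needs the bucket.

```shell
#!/bin/sh
# Added example: automates the SSE-C verification steps from the Testing section.
# Not part of the OADP docs or the velero-plugin-for-aws project.
set -eu

# Return 0 when a head-object JSON response shows SSE-C (customer key) encryption.
# The field name is what matters: SSE-S3 objects say "ServerSideEncryption": "AES256",
# so matching on the algorithm string alone would pass default-encrypted objects.
is_ssec_metadata() {
    printf '%s' "$1" | grep -Eq '"SSECustomerAlgorithm"[[:space:]]*:[[:space:]]*"AES256"'
}

ssec_put() {   # <bucket> <object key> <file> <raw key file>
    aws s3api put-object --bucket "$1" --key "$2" --body "$3" \
        --sse-customer-key "fileb://$4" --sse-customer-algorithm AES256 >/dev/null
}

ssec_get() {   # <bucket> <object key> <raw key file> <output file>
    aws s3api get-object --bucket "$1" --key "$2" \
        --sse-customer-key "fileb://$3" --sse-customer-algorithm AES256 "$4" >/dev/null
}

# Negative test: valid AWS credentials but no key must be rejected by S3.
assert_unreadable_without_key() {   # <bucket> <object key>
    if aws s3api get-object --bucket "$1" --key "$2" /dev/null 2>/dev/null; then
        echo "FAIL: $2 is readable without the SSE-C key" >&2
        return 1
    fi
    echo "ok: $2 is not readable without the key"
}

# Positive test: every object of a Velero backup must carry SSE-C metadata.
assert_backup_is_ssec() {   # <bucket> <velero backup name> <raw key file>
    prefix="velero/backups/$2/"
    keys=$(aws s3api list-objects-v2 --bucket "$1" --prefix "$prefix" \
               --query 'Contents[].Key' --output text)
    if [ -z "$keys" ] || [ "$keys" = "None" ]; then
        echo "FAIL: no objects found under $prefix" >&2
        return 1
    fi
    for obj in $keys; do
        meta=$(aws s3api head-object --bucket "$1" --key "$obj" \
                   --sse-customer-key "fileb://$3" --sse-customer-algorithm AES256)
        if is_ssec_metadata "$meta"; then
            echo "ok: $obj is SSE-C encrypted"
        else
            echo "FAIL: $obj is not SSE-C encrypted" >&2
            return 1
        fi
    done
}

# Usage: ./oadp-ssec-verify.sh run <bucket> <path/to/sse.key> <velero-backup-name>
if [ "${1:-}" = "run" ]; then
    bucket="$2"; keyfile="$3"; backup="$4"
    echo "encrypt me please" > test.txt
    ssec_put "$bucket" test.txt test.txt "$keyfile"
    assert_unreadable_without_key "$bucket" test.txt
    ssec_get "$bucket" test.txt "$keyfile" downloaded.txt
    cmp test.txt downloaded.txt && echo "ok: round trip with the key matches"
    assert_backup_is_ssec "$bucket" "$backup" "$keyfile"
fi
```

Run the backup-wide check after every DPA change: if `customerKeyEncryptionFile` was added to an existing install but Velero was not restarted, new backup objects will still be written without the customer key and the per-object check is what catches that.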