Security Recommendations for Encrypted Backups

Backups are an important part of any application, especially when it comes to configuration backups. Configurations can contain secrets and other useful information for attackers. Following best practices should be considered when performing configuration backups.

• Encrypt backups using gpg for key generation and encryption/decryption
• Store the private key in proper secret storage (such as vault/password managers instance) with proper RBAC for limited admins. Regular encryption only needs public key.
• For encrypted backup storage, use a service that provides RBAC access, e.g. S3 storage.
• For backup service account, only give access to create new objects and not to delete/list existing objects.
• If you have secrets embedded in backed up service configs, preferably shift them to proper secrets management solution for backup instead such as Vault.
• With backup encryption, also plan for:
  • Key rotation both time based and event based
  • Expiry/refresh of backups
  • Key escrow for older backups to enable key rotation

Please take a moment to share this post: Twitter, LinkedIn. . Thank you!