
Cloud Backup: KMS-based encryption

Last Updated: Dec 02, 2024

To strengthen the security management of data backups and meet security compliance requirements, you must protect your data against accidental operations, malicious attacks, and unauthorized backup or restoration. Cloud Backup allows you to encrypt your data by using Key Management Service (KMS). This topic describes how to use the KMS-based encryption feature.

Introduction

KMS allows you to manage encryption keys on your own. You can use KMS to encrypt the data stored in backup vaults.

Important
  • If you specify a customer master key (CMK) to encrypt your backup data, you cannot change the CMK after the backup vault is created.

  • If you disable or delete the CMK, you cannot restore the backup data from the backup vault.

  • Before you use KMS to encrypt the data in a backup vault, create a CMK in the KMS console and obtain the CMK ID. For more information, see Create a CMK.

  • You cannot enable KMS-based encryption for a free backup policy.

  • Cloud Backup supports only the default key.

  • For more information about the regions that support the feature, see Features available in each region.

Use KMS to encrypt backup data

  1. Prepare a CMK.

    Before you use KMS to encrypt the data in a backup vault, create a CMK in the KMS console and obtain the CMK ID. For more information, see Create a CMK.

  2. On the Create Backup Policy page, set the Backup Vault Encryption Method parameter to KMS and specify the KMS KeyId parameter. After the backup policy is created, your backup data is encrypted by KMS.

    For example, you enable KMS-based encryption for a backup vault named doctest. After a backup policy is created for the backup vault, Encryption based on KMS appears in the Storage Vault Type column of the backup vault on the Storage Vaults page.