- Using AWS Key Management Service (KMS)
- Using Google Cloud Key Management Service (KMS)
- Using Azure Key Vault
- Using a passphrase
Supported products
The feature described on this page is available in CockroachDB Basic, CockroachDB Standard, CockroachDB Advanced, and CockroachDB self-hosted clusters when you are running . For a full list of features, refer to .Use Key Management Service
You can encrypt with AWS KMS, Google Cloud KMS, or Azure Key Vault by using the . During the , a cryptographically secure 32-byte (256-bit) key is generated. Individual data files are encrypted with the backup-specific random key using AES-GCM-256. This backup-specific random key is then encrypted using the Key Management Service (KMS) APIs provided by the relevant cloud provider—AWS KMS, Google Cloud KMS, or Azure Key Vault. The resulting encrypted version of the random key is then stored within the backup metadata in theENCRYPTION_INFO file.
Note that the encryption algorithm for the random key is determined by the specific cloud provider. AWS and GCP use symmetric encryption with AES-GCM-256. Azure uses asymmetric encryption with RSA-OAEP-256.
During a restore job, CockroachDB retrieves the encrypted random key from the backup metadata and attempts to decrypt it using the KMS URI specified in the statement. Once successfully decrypted, CockroachDB uses this key to decrypt the manifest and data files. Similarly, the same KMS URI is required for decrypting the files when listing the backup contents using .
When incremental backups are in use, the kms option is applied to all backup file URLs. Therefore, each incremental backup must include at least one of the KMS URIs used during the full backup. This subset can consist of any combination of the original URIs, but you cannot introduce new KMS URIs. Likewise, when taking locality-aware backups, the specified KMS URI is applied to files across all localities.
Generate a KMS key
Before you can use a KMS to encrypt a CockroachDB backup, you must first generate a KMS key. This is the key generated by the cloud provider and it never leaves the KMS. It contains key-related metadata and key material to encrypt/decrypt other data. The key material can never be exported, deleted, or extracted. CockroachDB expects the key to be symmetric (256 bit).Locality-aware backup with kms encryption
CockroachDB also supports kms encryption for your locality-aware backup. At the time ofBACKUP, you can provide multiple KMS URIs, each referencing a KMS key in a different region. This allows CockroachDB to save multiple versions of the encrypted data key used to encrypt the backup data, one per KMS URI. With these encrypted versions of the data key stored alongside the encrypted backup data, a user can RESTORE the encrypted data using any one of the KMS URIs that were supplied during backup. In the case of a single KMS region outage, the data can be decrypted with any of the KMS keys from the other regions.
Add a new KMS key to an existing backup
To add a new KMS key to an existing backup, use the statement.ALTER BACKUP allows for new KMS encryption keys to be applied to an existing chain of encrypted backups (full and incremental). Once completed, subsequent BACKUP, RESTORE, and statements can use any of the existing or new KMS URIs to decrypt the backup.
For examples on adding a new KMS key to an existing backup, see the .
URI formats
AWS KMS URI format
The AWS KMS URI must use the following format:
See AWS’s KMS keys documentation for guidance on creating an AWS KMS key.
Azure Key Vault URI format
The Azure Key Vault URI must use one of two formats:-
Explicit authentication using the
AUTH=specifiedparameter (or omitting this, as it is the default option) with the tenant ID, client ID, client secret, and key vault name parameters: -
Implicit authentication with the
AUTH=implicitand key vault name parameters:See for more detail onimplicitauthentication.
To run an encrypted Azure backup, it is necessary to create the following:
- Azure Key Vault to generate and store your keys. See Microsoft’s quickstart to Create a key vault using the Azure portal.
- Azure App Registration to manage role-based access control. See Microsoft’s Register an application with the Microsoft identity platform to register an application.
Google Cloud KMS URI format
The Google Cloud KMS URI must use the following format:
See Google Cloud’s customer-managed encryption key documentation for guidance on creating a KMS key.
Examples
The following examples provide connection strings to Amazon S3 and Google Cloud Storage. For guidance using other authentication parameters, read Use Cloud Storage for Bulk Operations.- AWS
- Azure
- Google Cloud
Take an encrypted Amazon S3 backup
To take an encrypted backup with AWS KMS, use thekms :Take a locality-aware backup with kms encryption
To take a with kms encryption, use thekms option to specify a comma-separated list of KMS URIs:Show a locality-aware backup with kms encryption
To view a kms encrypted locality-aware backup, use thekms option and the same KMS URIs that were used to create the backup:Restore from an encrypted Amazon S3 backup
To decrypt an encrypted backup, use thekms option and any subset of the KMS URIs that were used to take the backup:Use a passphrase
You can encrypt full or incremental backups with a passphrase by using the . Files written by the backup (includingBACKUP manifests and data files) are encrypted using the specified passphrase to derive a key. To restore the encrypted backup, the same encryption_passphrase option (with the same passphrase) must be included in the statement.
When used with , the encryption_passphrase option is applied to all the , which means the same passphrase must be used when appending another incremental backup to an existing backup. Similarly, when used with , the passphrase provided is applied to files in all localities.
Encryption is done using AES-256-GCM, and GCM is used to both encrypt and authenticate the files. A random salt is used to derive a once-per-backup AES key from the specified passphrase, and then a random initialization vector is used per-file. CockroachDB uses PBKDF2 with 64,000 iterations for the key derivation.
BACKUP and RESTORE will use more memory when using encryption, as both the plain-text and cipher-text of a given file are held in memory during encryption and decryption.- External connections, which allow you to represent an external storage or sink URI. You can then specify the external connection’s name in statements rather than the provider-specific URI. For detail on using external connections, see the page.
- Amazon S3 connection strings with the default
AUTH=specifiedparameter. For guidance on usingAUTH=implicitauthentication with Amazon S3 buckets instead, read .
Take an encrypted backup using a passphrase
To take an encrypted backup, use the :encryption_passphrase. See the example below for more details.

