```yaml
# Example of PostgreSQL cluster
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: test-db-cluster
spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:16.1

  backup:
    barmanObjectStore:
      wal:
        compression: gzip
        encryption: AES256
      data:
        compression: gzip
        encryption: AES256
---
```

I have AES256 here as the encryption, but how does Postgres know how to decrypt the files without a pw?

If it's pw protected and the pw gets generated dynamically, it would mean I have to back up the password as well, right?

2

Answers


  1. This encryption is not in Postgres, it's not even in Barman Cloud, hence no key management is required.

    What's going on is that the settings get passed to Barman Cloud, which in turn instructs the underlying storage layer to enable encryption for the given object.

    This means that if your Azure Blob Storage container or AWS S3 bucket doesn't have encryption enabled by default, it would force the object to have encryption enabled with the provided settings.

    References: https://github.com/cloudnative-pg/cloudnative-pg/blob/faec6d7097b72900e12d88c1e30982e4e11b3c54/api/v1/cluster_types.go#L1843

  2. Currently we only support the server-side encryption provided by the Cloud Provider. However, we are planning to enhance and provide more options in the future for WAL and backup management.
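
Because the encryption described in the answers is server-side, it can be verified from the object metadata the storage layer reports. The following is an added example, not code from the answers or from the CloudNativePG project: it compares S3 HeadObject response fields (`ServerSideEncryption`, `SSEKMSKeyId`) with the value set in the Cluster spec and states what a restore depends on. The object keys, the KMS key ARN and the function names are constructed for illustration; `aws:kms` is the other value the field accepts.

```python
"""Audit S3 HeadObject metadata of backup objects against the
`encryption` value from the Cluster spec. Sample data is constructed."""

# What a restore depends on for each server-side encryption mode.
KEY_DEPENDENCY = {
    "AES256": "SSE-S3: key is managed by S3, nothing to store or back up",
    "aws:kms": "SSE-KMS: the KMS key must still exist and the restoring "
               "identity needs kms:Decrypt on it",
}


def audit_object(key, head, requested):
    """Compare one HeadObject response (dict) with the requested mode."""
    actual = head.get("ServerSideEncryption")  # field absent => no SSE reported
    if actual is None:
        return {"key": key, "ok": False,
                "detail": "no server-side encryption reported"}
    if actual != requested:
        return {"key": key, "ok": False,
                "detail": f"expected {requested}, object has {actual}"}
    detail = KEY_DEPENDENCY.get(actual, "unknown mode")
    if actual == "aws:kms":
        detail += f" ({head.get('SSEKMSKeyId', 'key id not reported')})"
    return {"key": key, "ok": True, "detail": detail}


def audit_backup(heads, requested="AES256"):
    """Audit every object; results are ordered by object key."""
    return [audit_object(k, h, requested) for k, h in sorted(heads.items())]


# Constructed HeadObject responses, trimmed to the relevant fields.
KMS_ARN = "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE-KEY-ID"  # placeholder
SAMPLE_HEADS = {
    "test-db-cluster/base/20240101T000000/data.tar.gz":
        {"ServerSideEncryption": "AES256"},
    "test-db-cluster/wals/0000000100000000/000000010000000000000001.gz":
        {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KMS_ARN},
    "test-db-cluster/wals/0000000100000000/000000010000000000000002.gz":
        {},  # object written without any server-side encryption header
}

if __name__ == "__main__":
    for finding in audit_backup(SAMPLE_HEADS, requested="AES256"):
        status = "OK  " if finding["ok"] else "FAIL"
        print(status, finding["key"], "->", finding["detail"])
```

With real data, the dictionaries would come from a HeadObject call per backup object (for example boto3's `head_object`), run with credentials that can read the bucket.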
