# Example of PostgreSQL cluster
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: test-db-cluster
spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:16.1
  backup:
    barmanObjectStore:
      wal:
        compression: gzip
        encryption: AES256
      data:
        compression: gzip
        encryption: AES256
---
I have here as encryption AES256, but how does Postgres know how to decrypt the files without a pw?
If it’s pw protected and the pw gets generated dynamically, it would mean I have to back up the password as well, right?
2 Answers
This encryption is not in Postgres, it’s not even in Barman Cloud, hence no key management is required.
What's going on is that the settings get passed to Barman Cloud, which in turn instructs the underlying storage layer to enable encryption for the given object.
This means that if your Azure Blob Storage container or AWS S3 bucket doesn’t have encryption enabled by default, it would force the object to have encryption enabled with the provided settings.
References: https://github.com/cloudnative-pg/cloudnative-pg/blob/faec6d7097b72900e12d88c1e30982e4e11b3c54/api/v1/cluster_types.go#L1843
Currently we only support the server-side encryption provided by the Cloud Provider. However, we are planning to enhance and provide more options in the future for WAL and backup management.
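
An added example (not part of the answers above and not CloudNativePG code): since the encryption is applied by the object store, it can be confirmed from object metadata. The sketch walks a backup prefix using the boto3 S3 client calls `list_objects_v2` and `head_object` and reports objects whose `ServerSideEncryption` value is not the expected one; the bucket name, object keys and the `StubS3` stand-in are constructed so it runs offline.

```python
"""Audit backup objects for server-side encryption (added example)."""


class StubS3:
    """Constructed stand-in exposing the boto3 S3 client calls used below."""

    def __init__(self, objects):
        self.objects = objects  # key -> head_object-style response dict

    def get_paginator(self, name):
        assert name == "list_objects_v2"
        return self

    def paginate(self, Bucket, Prefix):
        keys = [k for k in sorted(self.objects) if k.startswith(Prefix)]
        yield {"Contents": [{"Key": k} for k in keys]}

    def head_object(self, Bucket, Key):
        return self.objects[Key]


def audit_sse(client, bucket, prefix, expected="AES256"):
    """Return {key: algorithm-or-None} for objects not encrypted as expected."""
    findings = {}
    paginator = client.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            head = client.head_object(Bucket=bucket, Key=obj["Key"])
            # The field is absent when the store kept the object unencrypted.
            algo = head.get("ServerSideEncryption")
            if algo != expected:
                findings[obj["Key"]] = algo
    return findings


# Constructed sample data: keys imitate a base-backup/WAL layout, values are illustrative.
WAL_DIR = "test-db-cluster/wals/0000000100000000/"
SAMPLE = StubS3({
    "test-db-cluster/base/20240101T000000/data.tar.gz": {"ServerSideEncryption": "AES256"},
    WAL_DIR + "000000010000000000000001.gz": {"ServerSideEncryption": "AES256"},
    WAL_DIR + "000000010000000000000002.gz": {},  # uploaded without SSE
    "unrelated/file.txt": {},                      # outside the audited prefix
})

if __name__ == "__main__":
    # Against a real bucket, pass boto3.client("s3") instead of SAMPLE.
    for key, algo in audit_sse(SAMPLE, "example-bucket", "test-db-cluster/").items():
        print(f"unexpected encryption {algo!r}: {key}")
```

No decryption key appears anywhere in the check: the object store holds the key and decrypts transparently on read, which is why the cluster needs no password for restore.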