[FEATURE] Encrypt volume backup to remote backup store without in-cluster volume encryption #5220
Labels
area/backup-store
Remote backup store related
area/data-service
Data service outside volume data
area/security
System or volume data access security
area/volume-data-protection
Volume data protection related
area/volume-encryption
Volume encryption related
highlight
Important feature/issue to highlight
kind/feature
Feature request, new feature
priority/0
Must be fixed in this release (managed by PO)
Is your feature request related to a problem? Please describe (👍 if you like this request)
For volume data encryption, Longhorn supports FS volume encryption (block volume encryption will be #4883), so it can do volume encryption in transit and at rest. When encrypting a volume and backing it up to the remote backup store, the data will be encrypted as well and this is how to achieve at-rest encryption. However, this at-rest backup encryption needs to rely on in-cluster volume encryption.
To make the encryption operation flexible and meet users' different encryption compliance requirements, supporting backup volume encryption to the remote backup store can be independent of in-cluster volume encryption.
Describe the solution you'd like
Describe alternatives you've considered
Just rely on the server-side encryption of the backup store, but it will be vendor lock-in.
Additional context
cc @longhorn/dev
Related Tickets
#8453