Backup Encryption Implementation

We implement client-side encryption so backup data is encrypted before it leaves the source host. Tools like pgBackRest, Restic, and Borg support built-in AES-256 encryption. For custom backup scripts, we use openssl or age encryption in the pipeline. Client-side encryption means the storage provider never sees plaintext data — even if S3 server-side encryption is compromised, your backups remain protected.

Encryption keys are stored in AWS KMS, Google Cloud KMS, or HashiCorp Vault — never on the backup server, never in the backup repository, never in environment variables. Key policies enforce separation of duties: the backup agent can encrypt but not decrypt, the restore process can decrypt but not delete keys. We configure automatic key rotation on a 90-day cycle with zero downtime. Old keys remain available for decrypting older backups.

All backup transfers use TLS 1.3 for transport encryption. For database replication streams, we configure SSL connections between primary and replica. S3 bucket policies enforce aws:SecureTransport to reject any unencrypted upload. VPN tunnels or PrivateLink connections eliminate public internet exposure entirely. We verify encryption with packet captures during implementation to confirm no plaintext data crosses the wire.

We document the encryption implementation for compliance audits: algorithm (AES-256-GCM), key management system, rotation schedule, access controls, and separation of duties. CloudTrail logs every KMS key usage event. Backup metadata includes encryption verification hashes. The implementation meets requirements for SOC 2, HIPAA, PCI DSS, and GDPR data protection. Auditors get a single-page encryption architecture diagram with all the details they need.