First time here. I have a question that I couldn’t find while searching regarding Consul snapshot. We are looking to backup Consul since we are using it as a backend for Vault. Does anyone know if the snapshot is encrypted? I know it’s a tarball and I’ve extracted it. I get a meta.json, a SHA256SUMS and a state.bin. It doesn’t look to be encrypted but I just wanted to confirm with you great folks here
As well, we currently do not use any Cloud services and currently using vSphere on-prem but do you folks have any suggestions or best-practices on storing and encrypting these snapshots?
Reading the documentation for the snapshot agent - as an enterprise feature - and the parameter aws-s3-server-side-encryption i would guess the oss ones are not encrypted.
Personally i would store the snapshot on a network storage, not the server/ cluster itself. You could encrypt the backups using pgp.
I think they should be handled like every backup: with care.
One has nothing to do with the other. The database doesn’t contain your master key, that’s why you have to unseal after recovery. You’re asking it to read an encrypted database, so it needs the final key, which is broken up into multiple shards and presented to you as ‘unseal keys’.
Technically it’s a dump of already encrypted data, but it isn’t re-encrypted with another key. So the “data” structure is not encrypt, but the data that you had saved is encrypted with your vault’s master key.