Description
Add support for S3 Server-Side Encryption with Customer-Provided Keys (SSE-C) in the Archive CRD, exposing pgBackRest's existing repo-s3-sse-customer-key option.
Use Case
We use Hetzner Object Storage which supports SSE-C but not SSE-S3 or SSE-KMS. For defense-in-depth, we want two layers of at-rest encryption:
- Client-side: pgBackRest AES-256-CBC (already supported ✅)
- Server-side: SSE-C at S3 level (not exposed ❌)
This matches patterns used by other tools (e.g., ClickHouse) where both client-side and SSE-C are used together.
pgBackRest Support
pgBackRest already supports SSE-C via repo-s3-sse-customer-key:
repo1-s3-sse-customer-key=<base64-encoded-32-byte-key>
The S3 storage driver in pgBackRest handles the required headers:
- x-amz-server-side-encryption-customer-algorithm: AES256
- x-amz-server-side-encryption-customer-key:
- x-amz-server-side-encryption-customer-key-MD5:
Proposed CRD Change
Add sseCustomerKey field to the repository configuration:
apiVersion: pgbackrest.cnpg.opera.com/v1
kind: Archive
spec:
configuration:
repositories:
- bucket: my-bucket
# Existing client-side encryption
encryption: aes-256-cbc
encryptionKey:
name: my-secret
key: ENCRYPTION_KEY
# NEW: Server-side SSE-C
sseCustomerKey:
name: my-secret
key: SSE_CUSTOMER_KEYKey Format
Per https://docs.hetzner.com/storage/object-storage/howto-protect-objects/encrypt-with-sse-c/, the key should be 32 bytes (256-bit AES). pgBackRest expects base64-encoded.
Generate with: openssl rand -base64 32
Environment
- Plugin version: v0.5.1
- CloudNativePG: 1.28
- S3 provider: Hetzner Object Storage
Description
Add support for S3 Server-Side Encryption with Customer-Provided Keys (SSE-C) in the Archive CRD, exposing pgBackRest's existing
repo-s3-sse-customer-keyoption.Use Case
We use Hetzner Object Storage which supports SSE-C but not SSE-S3 or SSE-KMS. For defense-in-depth, we want two layers of at-rest encryption:
This matches patterns used by other tools (e.g., ClickHouse) where both client-side and SSE-C are used together.
pgBackRest Support
pgBackRest already supports SSE-C via
repo-s3-sse-customer-key:repo1-s3-sse-customer-key=<base64-encoded-32-byte-key>The S3 storage driver in pgBackRest handles the required headers:
Proposed CRD Change
Add sseCustomerKey field to the repository configuration:
Key Format
Per https://docs.hetzner.com/storage/object-storage/howto-protect-objects/encrypt-with-sse-c/, the key should be 32 bytes (256-bit AES). pgBackRest expects base64-encoded.
Generate with: openssl rand -base64 32
Environment