Backup Encryption

• The snapshot of an encrypted database is encrypted as well.
  The snapshot of an unencrypted database is not uncrypted.

• Logical-backup encryption is not supported by RavenDB 4.0 and 4.1.

• In this page:

  • Introduction
    • RavenDB's Security Approach
    • Enable Secure Communication
  • Logical-Backup Encryption
  • Snapshot Encryption
    • Creating an Encrypted Snapshot
    • Restoring an Encrypted Snapshot

Introduction

RavenDB's Security Approach

Encrypting backup files is just one respect of RavenDB's comprehensive security approach.
Other respects are implemented in -

• Database encryption
• Securing server-client communication using Authentication and certification.

Enable Secure Communication

RavenDB emphasizes the importance of overall security, by allowing encryption of the database only when server-client communication is authenticated and certified.

• Enabling authentication and certification
  Enable secure client-server communication during the server setup, either manually or using the setup-wizard.

• Client authentication procedure
  When authentication is enabled, clients are required to certify themselves in order to connect the server.
  Here's a code sample for this procedure:

// path to the certificate you received during the server setup
var cert = new X509Certificate2(@"C:\Users\RavenDB\authentication_key\admin.client.certificate.RavenDBdom.pfx");
using (var docStore = new DocumentStore
{
  Urls = new[] { "https://a.RavenDBdom.development.run" },
  Database = "encryptedDatabase",
  Certificate = cert
}.Initialize())
{
  // Backup & Restore here
}

Logical-Backup Encryption

Logical-backup encryption is not supported by RavenDB 4.0 and 4.1.

Snapshot Encryption

Creating an Encrypted Snapshot

A snapshot is an exact copy of the database files. If the database is encrypted, so would be its snapshot. If the database is not encrypted, the snapshot wouldn't be either.

• If you want your snapshot to be encrypted, take the snapshot of an encrypted database.
• Include the client authentication procedure in your code.
• Create a snapshot as you normally would.

The incremental backups of an encrypted snapshot are **not** encrypted.

Restoring an Encrypted Snapshot

Restoring an encrypted snapshot is almost identical to restoring an unencrypted one.

• Include the client authentication procedure in your code.
• Pass RestoreBackupOperation an encryption key, using restoreConfiguration.EncryptionKey.
  Use the same secret key used to encrypt the database.
• Code sample:

// Restore an encrypted database from an encrypted snapshot

var restoreConfiguration = new RestoreBackupConfiguration();

// New database name
restoreConfiguration.DatabaseName = "newEncryptedDatabase";

// Backup-file location
var backupPath = @"C:\Users\RavenDB\2019-01-06-11-11.ravendb-encryptedDatabase-A-snapshot";
restoreConfiguration.BackupLocation = backupPath;

// Specify the key that was used to encrypt the backup file
restoreConfiguration.EncryptionKey = "1F0K2R/KkcwbkK7n4kYlv5eqisy/pMnSuJvZ2sJ/EKo=";

var restoreBackupTask = new RestoreBackupOperation(restoreConfiguration);
docStore.Maintenance.Server.Send(restoreBackupTask);