Community Blog Data Encryption for Database Backup with Data Backup Service

Data Encryption for Database Backup with Data Backup Service

In this post, we will explore the importance of data encryption for backups, and introduce the services that Alibaba Cloud provides that allow us to do so.

By Afzaal Ahmad Zeeshan, Alibaba Cloud Community Blog author.

Why Database Backup?

Data is just as important as it is vulnerable to being lost. It can be a target for malicious activities in the form of theft and manipulation, as well as subject to unforeseen incidents, such as hardware failure or natural disasters. It naturally follows that efficient and secure methods should be present for safely storing and retrieving this data. However, no matter the effort put in prevention of such mishaps, there will always be exceptions that might leave your data exposed to these problems of data lost. This is where disaster recovery comes in and so does the database backup. Usually the planning for backups happens before the database structure has been drafted by the database administrators because it requires that you take the cost of backups and other hardware constraints into account.

However, on the cloud that can change. Alibaba Cloud offers backup services as a pay as you go option in which you can quickly create the backup plan and utilize it as much as your infrastructure requires. In this post, we will explore and discuss the options that Alibaba Cloud provides us with that can support us in this area.

Considerations for Database Backup

Several parameters participate when deciding on the most suitable method for backing up data. Consider the size of data, where a few gigabytes can be stored in USB sticks or external hard drives, but large volumes of data require special handling. Most enterprises' and their databases are beyond terabytes if not petabytes of storage and maintaining the backups regularly-in the intervals of days if not hours-is as critical as running the business and maintaining a name in the market.

Another important consideration is the nature of data. Financial transactions are a far more critical type of data than inventory tables of a small mart and should be treated as such when being backed up. Clients who provide services to stock markets or any domain that deals directly with money must always consider backups, not for maintaining a history but to provide a highly available solution.

Methods of Database Backup

The best method for database backup is always contingent upon several factors, foremost being the size of the data. People have been backing up their data in several ways.

On-premises Hardware: Relatively cheap and suitable for an average sized dataset, but prone to hardware failure. No matter how much replication you perform, you will always require upgrading the hardware or sometimes even replace it. This adds up to the overall enterprise capital expense.

Network Attached Storage: NAS functions best when multiple nodes on the network need to be backed up to a central backup machine. The proximity of the backup machine to the working nodes may represent a vulnerability to natural disasters.

Cloud Storage: While relatively expensive compared with other methods, cloud storage offers distributed storage and high security that makes it worthwhile. Many cloud providers offer plans for small business to large enterprises, according to their stations. Most of the times, Cloud Storage is the NAS storage, but provided with some extra SLAs by the vendors.

Alibaba Cloud Database Backup Service

It is irrefutable that cloud storage is the best medium available for storing the data backups and Alibaba Cloud Database Backup Service (DBS) is one of the top service providers in this field. Being highly secure and cost-effective, and available as a part of other services inside the Alibaba Cloud ecosystem, it is a comprehensive solution that incorporates within itself,

  • Continuous data protection in multiple environments controllable from the portal directly, including data centers, public and hybrid clouds, as well as third-party cloud providers.
  • Full, Incremental, and Point-in-Time (PIT) backups to support your needs.
  • Real-time backups that greatly reduce Recovery Point Objective (RPO) to adequate time measurable in seconds, which is quite an affordable time as compared to days in normal backup/restore.
  • Efficient data recovery mechanisms built into the service.

The database backup service supports a wide range of data services, such as backing up your own on-premises database too.

Alibaba Cloud Database Backup Service - Features

Before proceeding with the following concepts, please make sure that you are having an instance of the Alibaba Cloud Database Backup service. One the purchase page you will find out the options that you need to configure to quickly purchase a solution that best fits your needs.


As you can see that most widely used databases are provided as options and rest of the settings you can configure based on how your Object Storage Service is setup and configure-or if there is a storage service subscription available.

You can make the selection for the package here and continue.

Quick Backup of Data to Cloud

DBS guarantees data security by allowing the user to quickly store data in the cloud. It has simple and efficient interface that allows the creation of backup plans with just a couple of steps.

Real-Time Incremental Backups

DBS utilizes real-time data synchronization techniques to provide incremental backups based on database logs. Consequently, it reduces RPO to several seconds - a consideration holding great significance in disaster recovery planning.

Moreover, backup of different databases can be created easily through simple configuration.

Data Security via Encryption

DBS offers high level of data security via encryption, be it during transmission where SSL can be employed, or while storing the data in cloud. Data access is also protected and accessible only with keys to ensure data privacy.

It is the security via encryption feature that makes Alibaba Cloud Database Backup Service massively appealing. We'll delve further into details on encryption service down the line.

Alibaba Cloud Database Backup Service - Backup Modes

DBS supports two kinds of backup: Logical and Physical. Both types offer full and incremental backup capabilities. Full and incremental backups have their own performance and storage requirements, as well as the total time taken to create a backup.

There are more options in this field that you can check out on the official documentation, here.

Logical Backup

Backup of this form comprises of logical data such as tables, indexes, and stored procedures. DBS supports the following backups in the logical category:

  • Full back up: Disks are primary means of storage here. Reading operation impacts database's I/O performance. However, full back up does not lock the database, and hence, has no real effect on the DB performance.
  • Incremental backup: Database logs are stored as cache. Real-time backups require reading small amounts of log data, thereby having little impact on database I/O performance.

Physical Backup

Physical backups are backups of physical files that play a role in storing and recovering the DB. DBS also supports full and incremental backups for physical backup. While incremental backup follows the same philosophy in this case as for logical backup, process for full backup differs in that files are copied directly from the operating system. Backup speed is also faster in this case.

Vulnerabilities in Cloud Backup

Although maintaining database backup on cloud is considered most efficient and convenient, it is not without its own weaknesses.

Since cloud storage is often shared, especially in the case of public clouds, anyone with access can access all data. Moreover, data in cloud is susceptible to theft and manipulation. These grave security concerns cannot go unhandled. This also includes the employees of an organization being able to access and manipulate the data.

Alibaba Cloud Database Backup Service offers 'Encryption' as the answer. The encryption is allied using the Object Storage Service (OSS) encryption modules.

Data Encryption for Database Backup with DBS

Data encryption is carried out in two ways by DBS: encryption while transmission of data and encrypted storage to protect the data.

SSL Encrypted Transmission

Secure Sockets Layer (SSL) is transport layer protocol used to encrypt network connection so that no data breach occurs while transmission of data. It provides increased security and data integrity, but also contributes towards network connection time.

SSL encryption leads to a significant increase in CPU usage as well, which is often considered an inherent drawback of the protocol; therefore, SSL usage is recommended for internet and not intranet connections, since the latter are relatively secure.

Make note that once SSL encryption is enabled, it cannot be disabled.

Encrypted Data Storage

DBS makes use of Key Management Service (KMS) APIs for encryption and decryption purposes.

KMS is a fully managed service for handling of encrypted keys. For common key management cases, one can utilize APIs or Alibaba Cloud management console to produce/manage Customer Master Keys (CMKs). You can locally encrypt/decrypt small data set or envelope encryption technology for large volume of data, as required.

Using KMS, we procure encryption key and enable real-time encryption. Similarly, it obtains the decryption key at the time of recovery to restore the corresponding database. In this way, cloud data can only be accessed with keys, which results in protection of data privacy.

Alibaba Cloud Data Encryption Methods

We have various options available for encrypting data stored in cloud and limit access to it only to the authorized parties.

OSS Encryption

OSS provides both client-size as well as server-side encryption. You can find most of the controls right here in the portal,


OSS Client-Side Encryption ensures data is encrypted before sending to the remote server, while maintaining the plaintext of the encryption key in local computer. Main private key is managed by KMS and private key is managed by the user.

OSS Server-Side Encryption stores the uploaded data in encrypted form on the server and decrypts it when user downloads the data.

ECS Disk Encryption

ECS disc encryption is another way of providing security to data to meet business needs or certification requirements. With it, you can encrypt cloud disks as well as shared block storage. No need for creation and maintenance of your own key management processes. Encryption and decryption have minimal effect on the performance of cloud disk.

Data and the associated keys are encrypted using AES-256 algorithm. The keys are never stored in plaintext in any permanent storage media.

0 0 0
Share on

Alibaba Clouder

2,606 posts | 737 followers

You may also like