
Cloud Backup: Use KMS to encrypt backup data

Last Updated: Sep 21, 2023

To strengthen the security of your backups and meet compliance requirements, you must protect your data against accidental operations, malicious attacks, and unauthorized backup or restoration. Cloud Backup allows you to encrypt your data by using Key Management Service (KMS). This topic describes how to use the KMS-based encryption feature.

Introduction

KMS allows you to manage encryption keys on your own. You can use KMS to encrypt the data stored in backup vaults.

Important
  • After you specify a customer master key (CMK) to encrypt your backup data, you cannot modify the CMK.

  • If you disable or delete the CMK, you cannot restore the backup data from the backup vault.

  • Before you use KMS to encrypt the data in a backup vault, create a CMK in the KMS console and obtain the CMK ID. For more information, see Create a CMK.

  • You cannot enable KMS-based encryption for a free backup plan.

Use KMS to encrypt data

  1. Prepare a CMK.

    Before you use KMS to encrypt the data in a backup vault, create a CMK in the KMS console and obtain the CMK ID. For more information, see Create a CMK.

  2. On the Create Backup Plan page, set the Backup Vault Encryption Method parameter to KMS and specify the KMS KeyId parameter. After the backup plan is created, your backup data is encrypted by KMS.

    For example, suppose that you enable KMS-based encryption for a backup vault named doctest. After a backup plan is created for the backup vault, Encryption based on KMS appears in the Storage Vault Type column of the backup vault on the Storage Vaults page.
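
Because a disabled or deleted CMK makes the backup data unrestorable and the CMK cannot be changed afterwards, it is worth auditing the key behind each encrypted vault on a schedule. The following sketch is an added example, not Cloud Backup or KMS code: it compares a vault-to-CMK inventory against key metadata. The field names (KeyId, KeyState, DeleteDate), the state values, and all IDs except the vault name doctest are assumptions or constructed sample data.

```python
# Added example: flag KMS-encrypted backup vaults whose CMK blocks restore.
# Field names (KeyId, KeyState, DeleteDate) and state values are assumptions
# modeled on a DescribeKey-style KMS response; every ID below is constructed.

# Vault name -> CMK ID specified as "KMS KeyId" when the backup plan was created.
VAULT_KEYS = {
    "doctest": "key-example-0001",
    "vault-finance": "key-example-0002",
    "vault-legacy": "key-example-0003",
    "vault-archive": "key-example-0004",
}

# Key metadata collected from the key inventory (constructed sample).
KEY_METADATA = [
    {"KeyId": "key-example-0001", "KeyState": "Enabled"},
    {"KeyId": "key-example-0002", "KeyState": "Disabled"},
    {"KeyId": "key-example-0003", "KeyState": "PendingDeletion",
     "DeleteDate": "2023-10-21T00:00:00Z"},
    # key-example-0004 is intentionally absent: the key no longer exists.
]


def audit_vault_keys(vault_keys, key_metadata):
    """Return {vault: finding} for each vault whose CMK blocks or threatens restore."""
    by_id = {meta["KeyId"]: meta for meta in key_metadata}
    findings = {}
    for vault, key_id in sorted(vault_keys.items()):
        meta = by_id.get(key_id)
        if meta is None:
            findings[vault] = f"CMK {key_id} not found: backup data cannot be restored"
            continue
        state = meta.get("KeyState")
        if state == "Disabled":
            findings[vault] = f"CMK {key_id} is disabled: backup data cannot be restored"
        elif state == "PendingDeletion":
            when = meta.get("DeleteDate", "an unknown date")
            findings[vault] = f"CMK {key_id} is scheduled for deletion on {when}"
        elif state != "Enabled":
            findings[vault] = f"CMK {key_id} is in unexpected state {state!r}"
    return findings


if __name__ == "__main__":
    for vault, finding in audit_vault_keys(VAULT_KEYS, KEY_METADATA).items():
        print(f"{vault}: {finding}")
```

Any vault that appears in the result should be treated as a restore-blocking finding and investigated before the next restore is needed.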