Storing Backup Files on the AWS S3 Bucket

If you want to store backed-up files in the AWS S3 bucket, you can use the Cloud Utility feature to transfer these files from the Protegrity appliance to the AWS S3 bucket.

The following tasks are explained in this section:

  1. Encrypting the backed up .tgz files using the AWS Key Management Services (KMS).
  2. Storing the encrypted files in the AWS S3 bucket.
  3. Retrieving the encrypted files stored in the S3 bucket.
  4. Decrypting the retrieved files using the AWS KMS.
  5. Importing the decrypted files on the Protegrity appliance.

About the AWS S3 bucket and usage

The AWS S3 bucket is a cloud resource that helps you store your data securely. It enables you to keep data backups at multiple locations, such as on-premises and in the cloud. For easy accessibility, you can back up and store the data of one machine and import the same data to another machine using the AWS S3 bucket. It also provides an additional layer of security by helping you encrypt the data before uploading it to the cloud.

Using the OS Console option in the CLI Manager, you can store your backed-up files in the AWS S3 bucket. You can encrypt your files using the AWS Key Management Services (KMS) before storing them in the AWS S3 bucket.

The following figures show the flow for storing your data on the AWS S3 bucket.

[Figure: Encrypting and storing files on the AWS S3 bucket]

[Figure: Retrieving and decrypting files from the AWS S3 bucket]

Prerequisites

Ensure that you complete the following prerequisites for uploading the backed up files to the S3 bucket:

Encrypting and Storing Files

To encrypt and upload the exported file from /products/exports to the S3 bucket:

  1. Log in to the Appliance CLI manager.

  2. To encrypt and upload files, navigate to Administration > OS Console.

  3. Enter the root credentials.

  4. Change the directory to /products/exports using the following command.

    cd /products/exports
    
  5. Encrypt the required file using the aws-encryption-cli command.

    aws-encryption-cli --encrypt --input <file_to_encrypt> --master-keys key=<Key_ID> region=<region-name> --output <encrypted_output_filename> --metadata-output <metadata_filename> --encryption-context purpose=<purpose_for_performing encryption>
    
    | Parameter | Description |
    | --- | --- |
    | file_to_encrypt | The backed up file that needs to be encrypted before uploading to the S3 bucket. |
    | Key_ID | The key ID of the KMS key that needs to be used for encrypting the file. |
    | region-name | The region where the KMS key is stored. |
    | encrypted_output_filename | The name of the file after encryption. |
    | metadata_filename | The name of the file where the metadata needs to be stored. |
    | purpose_for_performing encryption | The purpose of encrypting the file. |

    For more information about encrypting data using the KMS, refer to the following link.

    https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html

    The file is encrypted.

  6. Upload the encrypted file to the S3 bucket using the following command.

    aws s3 cp <encrypted_output_filename> <s3Uri>
    

    The file is uploaded in the S3 bucket.

    For example, if you have an encrypted file test.enc and you want to upload it to your personal S3 bucket, mybucket, then use the following command:

    aws s3 cp test.enc s3://mybucket/test.enc
    

    For more information about the S3 bucket, refer to the following link:

    https://docs.aws.amazon.com/cli/latest/reference/s3/

Decrypting and Importing Files

To decrypt and import the files from the S3 bucket:

  1. Log in to the Appliance CLI manager.

  2. To decrypt and import the file, navigate to Administration > OS Console.

  3. Enter the root credentials.

  4. Change the directory to /products/exports using the following command:

    cd /products/exports
    
  5. Download the encrypted file using the following command:

    aws s3 cp <s3Uri> <local_file_name(path)>
    

    For example, if you want to download the file test.txt to your local machine as test2.txt, then use the following command:

    aws s3 cp s3://mybucket/test.txt test2.txt
    
  6. Decrypt the downloaded file using the following command:

    aws-encryption-cli --decrypt --input <file_to_decrypt> --output <decrypted_file_name> --metadata-output <metadata_filename>

    | Parameter | Description |
    | --- | --- |
    | file_to_decrypt | The backed up file that needs to be decrypted after downloading from the S3 bucket. |
    | decrypted_file_name | The name with which the file is saved after decryption. |
    | metadata_filename | The name of the file where the metadata needs to be stored. |

    Ensure that metadata_filename is the same file name that was used when encrypting the file.

    The file is decrypted.

    For more information about decrypting the downloaded file, refer to the following link.

    https://aws.amazon.com/blogs/security/how-to-encrypt-and-decrypt-your-data-with-the-aws-encryption-cli/

  7. Import the decrypted file to the local machine.

    For more information about importing the decrypted file, refer to Import Data/Configurations from a File.
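
The decrypt command in step 6 does not name a KMS key or an encryption context, so checking the decrypt record in the metadata file before the import in step 7 confirms that the file was wrapped by the expected key and carries the expected purpose value. The following Python check is an added example, not Protegrity or AWS code; it assumes the one-JSON-record-per-line layout that aws-encryption-cli writes with --metadata-output, and the key ARN, paths and purpose value are constructed placeholders.

```python
import json

# Constructed sample of a --metadata-output file (one JSON record per line).
# The key ARN, paths and context values are placeholders, not real values.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_METADATA = "\n".join(json.dumps(r) for r in [
    {"mode": "encrypt", "input": "/products/exports/backup.tgz",
     "output": "/products/exports/backup.tgz.enc",
     "header": {"encryption_context": {"purpose": "backup"},
                "encrypted_data_keys": [{"key_provider": {
                    "provider_id": "aws-kms", "key_info": KEY_ARN}}]}},
    {"mode": "decrypt", "input": "/products/exports/backup.tgz.enc",
     "output": "/products/exports/restored.tgz",
     "header": {"encryption_context": {"purpose": "backup"},
                "encrypted_data_keys": [{"key_provider": {
                    "provider_id": "aws-kms", "key_info": KEY_ARN}}]}},
])


def check_decrypt_record(metadata_text, output_path, expected_key, expected_context):
    """Return a list of problems; an empty list means the file may be imported."""
    records = [json.loads(line) for line in metadata_text.splitlines() if line.strip()]
    # The same file holds encrypt and decrypt records, so take the newest
    # decrypt record written for this output file.
    matches = [r for r in records
               if r.get("mode") == "decrypt" and r.get("output") == output_path]
    if not matches:
        return ["no decrypt record for " + output_path]
    header = matches[-1].get("header", {})
    problems = []
    # Every expected context pair (for example purpose=...) must be present.
    context = header.get("encryption_context", {})
    for name, value in expected_context.items():
        if context.get(name) != value:
            problems.append("encryption context %s=%r, expected %r"
                            % (name, context.get(name), value))
    # At least one data key must be wrapped by the expected KMS key ARN.
    providers = [k.get("key_provider", {}) for k in header.get("encrypted_data_keys", [])]
    if not any(p.get("provider_id") == "aws-kms" and p.get("key_info") == expected_key
               for p in providers):
        problems.append("data key is not wrapped by the expected KMS key")
    return problems


if __name__ == "__main__":
    print(check_decrypt_record(SAMPLE_METADATA, "/products/exports/restored.tgz",
                               KEY_ARN, {"purpose": "backup"}) or "OK to import")
```
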