Backup Encryption
- The snapshot of an encrypted database is encrypted as well.
The snapshot of an unencrypted database is not uncrypted. -
Logical-backup encryption is not supported by RavenDB 4.0 and 4.1.
-
In this page:
Introduction
RavenDB's Security Approach
Encrypting backup files is just one respect of RavenDB's comprehensive security approach.
Other respects are implemented in -
- Database encryption
- Securing server-client communication using Authentication and certification.
Enable Secure Communication
RavenDB emphasizes the importance of overall security, by allowing encryption of the database only when server-client communication is authenticated and certified.
-
Enabling authentication and certification
Enable secure client-server communication during the server setup, either manually or using the setup-wizard. -
Client authentication procedure
When authentication is enabled, clients are required to certify themselves in order to connect the server.
Here's a code sample for this procedure:
// path to the certificate you received during the server setup var cert = new X509Certificate2(@"C:\Users\RavenDB\authentication_key\admin.client.certificate.RavenDBdom.pfx"); using (var docStore = new DocumentStore { Urls = new[] { "https://a.RavenDBdom.development.run" }, Database = "encryptedDatabase", Certificate = cert }.Initialize()) { // Backup & Restore here }
Logical-Backup Encryption
Logical-backup encryption is not supported by RavenDB 4.0 and 4.1.
Snapshot Encryption
Creating an Encrypted Snapshot
A snapshot is an exact copy of the database files. If the database is encrypted, so would be its snapshot. If the database is not encrypted, the snapshot wouldn't be either.
- If you want your snapshot to be encrypted, take the snapshot of an encrypted database.
- Include the client authentication procedure in your code.
- Create a snapshot as you normally would.
The incremental backups of an encrypted snapshot are not encrypted.
Restoring an Encrypted Snapshot
Restoring an encrypted snapshot is almost identical to restoring an unencrypted one.
- Include the client authentication procedure in your code.
- Pass RestoreBackupOperation an encryption key, using
restoreConfiguration.EncryptionKey
.
Use the same secret key used to encrypt the database. - Code sample:
// restore encrypted database // restore configuration var restoreConfiguration = new RestoreBackupConfiguration(); //New database name restoreConfiguration.DatabaseName = "newEncryptedDatabase"; //Backup-file location var backupPath = @"C:\Users\RavenDB\2019-01-06-11-11.ravendb-encryptedDatabase-A-snapshot"; restoreConfiguration.BackupLocation = backupPath; restoreConfiguration.EncryptionKey = "1F0K2R/KkcwbkK7n4kYlv5eqisy/pMnSuJvZ2sJ/EKo="; var restoreBackupTask = new RestoreBackupOperation(restoreConfiguration); docStore.Maintenance.Server.Send(restoreBackupTask);