Kasten Encryption: A Technical Overview

Kasten Encryption: A Technical Overview

Reading Time: 4 minutes

Question of every blog: Did you hear about Kasten by Veeam? If not, you’re probably missing one of the powerful products.

As a start, you can take a look at my older blogs about Kasten from here, here, and here.

Got my point and now you want to know more about Kasten? Let’s talk this time about Kasten encryption.

Kasten encryption is the security feature of Kasten K10. This blog focuses on studying the details of Kasten’s encryption algorithms.

1- Encryption at Rest

Kasten K10 implements robust encryption at rest to protect sensitive data stored within the platform and in backup locations.

Key Management

Kasten utilizes a hierarchical key management system:

  1. Master Key: A root encryption key that protects all other keys.
  2. Data Encryption Keys (DEKs): Unique keys are generated for each backup or data object.

The master key can be managed through various methods:

  • Kubernetes Secrets (default)
  • HashiCorp Vault
  • AWS Key Management Service (KMS)
  • Azure Key Vault
  • Google Cloud KMS

Encryption Process

  1. When a backup is initiated, Kasten generates a new DEK (Data Encryption Key).
  2. The DEK is used to encrypt the backup data using AES-256 encryption.
  3. The DEK itself is then encrypted using the master key.
  4. The encrypted DEK is stored alongside the encrypted backup data.

This approach allows for efficient key rotation and granular access control.

2- Encryption in Transit

To secure data as it moves between components and to backup locations, Kasten employs:

  • TLS 1.2+ for all API communications
  • HTTPS for web interface access
  • Encrypted tunnels (e.g., SSH) for certain backup transports

Application-Aware Encryption

Kasten K10 is designed to be application-aware, which extends to its encryption capabilities:

  • For databases, Kasten can leverage native encryption features (e.g., Transparent Data Encryption in SQL Server) in addition to its encryption layer.
  • Application-specific encryption keys can be captured and securely stored as part of the backup process.

Compliance and Auditing

To meet regulatory requirements and facilitate security audits, Kasten provides:

  • Detailed encryption logs
  • Key usage and rotation history
  • Integration with external SIEM systems

Performance Considerations

Encryption inevitably adds some overhead to backup and restore operations. Kasten mitigates this through:

  • Hardware-accelerated encryption when available
  • Parallel encryption processes
  • Intelligent caching of frequently accessed encrypted data

Decryption and Recovery

The decryption process reverses the encryption steps:

  1. The encrypted DEK is retrieved and decrypted using the master key.
  2. The decrypted DEK is then used to decrypt the backup data.

In disaster recovery scenarios, Kasten ensures that the master key is securely available to authorized personnel to enable data recovery.

Technical Implementation Steps

Let’s walk through some practical steps and scripts for implementing and managing Kasten encryption in a Kubernetes environment. Of course, there is a perfect guide to configure Kasten encryption, but I am trying to simplify the steps as much as I can.

1. Installing Kasten K10 with Custom Encryption Settings

To install Kasten K10 with custom encryption settings, you can use a Helm chart with custom values. Noting that. all those steps are done on a test environment on AWS. Here’s an example:

# Create a custom values file
cat << EOF > k10-custom-values.yaml
secrets:
  encryption:
    key: ${ENCRYPTION_KEY}
    backend: ${ENCRYPTION_BACKEND}
EOF
# Install Kasten K10 with custom encryption settings
helm install k10 kasten/k10 --namespace=kasten-io \
  --set auth.tokenAuth.enabled=true \
  --set injectKanisterSidecar.enabled=true \
  --set-file license=${K10_LICENSE_FILE} \
  -f k10-custom-values.yaml

Replace ${ENCRYPTION_KEY} with your base64-encoded encryption key and ${ENCRYPTION_BACKEND} with your chosen backend (e.g., k8ssecret, awskms, azurekeyvault, gcpkms, or vault) as I previously mentioned.

2. Configuring AWS KMS for Encryption

If you’re using AWS KMS for key management, you’ll need to set up the necessary permissions and configure Kasten to use it:

  1. Create an IAM policy:
{
    "Version": "X/X/X",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
            # This is done using AWSKMS
        }
    ]
}

2. Attach this policy to the IAM role used by your Kubernetes nodes.

3. Configure Kasten to use AWS KMS:

secrets:
  encryption:
    backend: awskms
    awskms:
      region: us-west-2
      kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab"

3. Implementing Custom Key Rotation

To implement custom key rotation, you can use the Kasten K10 API. Here’s a Python script that demonstrates the process:

import requests
import base64
import os

K10_API_URL = "http://k10-api.kasten-io.svc.cluster.local:8000/v1"
NEW_KEY = base64.b64encode(os.urandom(32)).decode('utf-8')

# Authenticate and get token
auth_response = requests.post(f"{K10_API_URL}/auth", json={
    "username": "admin",
    "password": "your-password"
})
token = auth_response.json()["token"]

# Rotate the encryption key
rotate_response = requests.post(f"{K10_API_URL}/crypto/keys/rotate", 
    headers={"Authorization": f"Bearer {token}"},
    json={"newKey": NEW_KEY}
)

if rotate_response.status_code == 200:
    print("Key rotation successful")
else:
    print(f"Key rotation failed: {rotate_response.text}")

4. Verifying Encryption Status

You can use the Kasten K10 CLI to verify the encryption status of your backups:

# Install the Kasten K10 CLI
curl https://docs.kasten.io/tools/k10multicluster/install.sh | bash

# Verify encryption status of a specific backup
k10multicluster get backup <backup-name> -n kasten-io | grep Encryption

5. Decrypting Data for Recovery

In a disaster recovery scenario, you may need to manually decrypt data. Here’s a conceptual Python script that demonstrates the process:

from cryptography.fernet import Fernet
import base64

def decrypt_data(encrypted_data, master_key, encrypted_dek):
    # Decrypt the DEK using the master key
    fernet = Fernet(master_key)
    dek = fernet.decrypt(encrypted_dek)
    
    # Use the DEK to decrypt the data
    fernet = Fernet(dek)
    decrypted_data = fernet.decrypt(encrypted_data)
    
    return decrypted_data

# In a real scenario, you would securely retrieve these values
master_key = b'your-base64-encoded-master-key'
encrypted_dek = b'your-encrypted-dek'
encrypted_data = b'your-encrypted-backup-data'

decrypted_data = decrypt_data(encrypted_data, master_key, encrypted_dek)
print("Decrypted data:", decrypted_data)

Note: This is a simplified example. In practice, you would need to handle key retrieval securely and potentially deal with large volumes of data in chunks.

Final thought

These technical steps and scripts provide a starting point for implementing and managing Kasten encryption in your Kubernetes environment. Always refer to the official Kasten documentation for the most up-to-date and comprehensive information, especially when dealing with sensitive encryption operations.

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *