Question of every blog: Did you hear about Kasten by Veeam? If not, you’re probably missing one of the powerful products.
As a start, you can take a look at my older blogs about Kasten from here, here, and here.
Got my point and now you want to know more about Kasten? Let’s talk this time about Kasten encryption.
Kasten encryption is the security feature of Kasten K10. This blog focuses on studying the details of Kasten’s encryption algorithms.
1- Encryption at Rest
Kasten K10 implements robust encryption at rest to protect sensitive data stored within the platform and in backup locations.
Key Management
Kasten utilizes a hierarchical key management system:
- Master Key: A root encryption key that protects all other keys.
- Data Encryption Keys (DEKs): Unique keys are generated for each backup or data object.
The master key can be managed through various methods:
- Kubernetes Secrets (default)
- HashiCorp Vault
- AWS Key Management Service (KMS)
- Azure Key Vault
- Google Cloud KMS
Encryption Process
- When a backup is initiated, Kasten generates a new DEK (Data Encryption Key).
- The DEK is used to encrypt the backup data using AES-256 encryption.
- The DEK itself is then encrypted using the master key.
- The encrypted DEK is stored alongside the encrypted backup data.
This approach allows for efficient key rotation and granular access control.
2- Encryption in Transit
To secure data as it moves between components and to backup locations, Kasten employs:
- TLS 1.2+ for all API communications
- HTTPS for web interface access
- Encrypted tunnels (e.g., SSH) for certain backup transports
Application-Aware Encryption
Kasten K10 is designed to be application-aware, which extends to its encryption capabilities:
- For databases, Kasten can leverage native encryption features (e.g., Transparent Data Encryption in SQL Server) in addition to its encryption layer.
- Application-specific encryption keys can be captured and securely stored as part of the backup process.
Compliance and Auditing
To meet regulatory requirements and facilitate security audits, Kasten provides:
- Detailed encryption logs
- Key usage and rotation history
- Integration with external SIEM systems
Performance Considerations
Encryption inevitably adds some overhead to backup and restore operations. Kasten mitigates this through:
- Hardware-accelerated encryption when available
- Parallel encryption processes
- Intelligent caching of frequently accessed encrypted data
Decryption and Recovery
The decryption process reverses the encryption steps:
- The encrypted DEK is retrieved and decrypted using the master key.
- The decrypted DEK is then used to decrypt the backup data.
In disaster recovery scenarios, Kasten ensures that the master key is securely available to authorized personnel to enable data recovery.
Technical Implementation Steps
Let’s walk through some practical steps and scripts for implementing and managing Kasten encryption in a Kubernetes environment. Of course, there is a perfect guide to configure Kasten encryption, but I am trying to simplify the steps as much as I can.
1. Installing Kasten K10 with Custom Encryption Settings
To install Kasten K10 with custom encryption settings, you can use a Helm chart with custom values. Noting that. all those steps are done on a test environment on AWS. Here’s an example:
# Create a custom values file
cat << EOF > k10-custom-values.yaml
secrets:
encryption:
key: ${ENCRYPTION_KEY}
backend: ${ENCRYPTION_BACKEND}
EOF
# Install Kasten K10 with custom encryption settings
helm install k10 kasten/k10 --namespace=kasten-io \
--set auth.tokenAuth.enabled=true \
--set injectKanisterSidecar.enabled=true \
--set-file license=${K10_LICENSE_FILE} \
-f k10-custom-values.yaml
Replace ${ENCRYPTION_KEY}
with your base64-encoded encryption key and ${ENCRYPTION_BACKEND}
with your chosen backend (e.g., k8ssecret
, awskms
, azurekeyvault
, gcpkms
, or vault
) as I previously mentioned.
2. Configuring AWS KMS for Encryption
If you’re using AWS KMS for key management, you’ll need to set up the necessary permissions and configure Kasten to use it:
- Create an IAM policy:
{
"Version": "X/X/X",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
# This is done using AWSKMS
}
]
}
2. Attach this policy to the IAM role used by your Kubernetes nodes.
3. Configure Kasten to use AWS KMS:
secrets:
encryption:
backend: awskms
awskms:
region: us-west-2
kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab"
3. Implementing Custom Key Rotation
To implement custom key rotation, you can use the Kasten K10 API. Here’s a Python script that demonstrates the process:
import requests
import base64
import os
K10_API_URL = "http://k10-api.kasten-io.svc.cluster.local:8000/v1"
NEW_KEY = base64.b64encode(os.urandom(32)).decode('utf-8')
# Authenticate and get token
auth_response = requests.post(f"{K10_API_URL}/auth", json={
"username": "admin",
"password": "your-password"
})
token = auth_response.json()["token"]
# Rotate the encryption key
rotate_response = requests.post(f"{K10_API_URL}/crypto/keys/rotate",
headers={"Authorization": f"Bearer {token}"},
json={"newKey": NEW_KEY}
)
if rotate_response.status_code == 200:
print("Key rotation successful")
else:
print(f"Key rotation failed: {rotate_response.text}")
4. Verifying Encryption Status
You can use the Kasten K10 CLI to verify the encryption status of your backups:
# Install the Kasten K10 CLI
curl https://docs.kasten.io/tools/k10multicluster/install.sh | bash
# Verify encryption status of a specific backup
k10multicluster get backup <backup-name> -n kasten-io | grep Encryption
5. Decrypting Data for Recovery
In a disaster recovery scenario, you may need to manually decrypt data. Here’s a conceptual Python script that demonstrates the process:
from cryptography.fernet import Fernet
import base64
def decrypt_data(encrypted_data, master_key, encrypted_dek):
# Decrypt the DEK using the master key
fernet = Fernet(master_key)
dek = fernet.decrypt(encrypted_dek)
# Use the DEK to decrypt the data
fernet = Fernet(dek)
decrypted_data = fernet.decrypt(encrypted_data)
return decrypted_data
# In a real scenario, you would securely retrieve these values
master_key = b'your-base64-encoded-master-key'
encrypted_dek = b'your-encrypted-dek'
encrypted_data = b'your-encrypted-backup-data'
decrypted_data = decrypt_data(encrypted_data, master_key, encrypted_dek)
print("Decrypted data:", decrypted_data)
Note: This is a simplified example. In practice, you would need to handle key retrieval securely and potentially deal with large volumes of data in chunks.
Final thought
These technical steps and scripts provide a starting point for implementing and managing Kasten encryption in your Kubernetes environment. Always refer to the official Kasten documentation for the most up-to-date and comprehensive information, especially when dealing with sensitive encryption operations.
Former Nuclear Engineer | University Lecturer | Technology Advisor | Digital Transformation evangelist | FinTech | Blockchain | Podcaster | vExpert ⭐️⭐️⭐️⭐️ | VeeamVanguard ⭐️⭐️ | Nutanix SME | MBA | AWS ABW Grant’23