Backup SecureCircle SaaS Database Externally
  • 26 Mar 2021
  • 3 Minutes to read
  • Dark
  • PDF

Backup SecureCircle SaaS Database Externally

  • Dark
  • PDF

The SecureCircle SaaS DB is hosted on highly-available, fault tolerant infrastructure able to withstand outages and storage losses without losing data. Additionally, as part of the SaaS service, snapshots of the SaaS DB are routinely taken and stored in case recovery from a certain point in time is necessary. It is not necessary for customers to backup or manage the SaaS DB in any way. In some cases, however, it may be desirable to a customer for backups of the SaaS DB to be stored externally and retained by the customer. The following article describes the information needed by SecureCircle to provide this service, if it is desired.

Customer Prerequisites

SecureCircle needs some information from customers in order to enable the optional external SaaS DB backup service. The following are prerequisites from which the information is provided.

  • Customer-hosted Amazon S3 (AWS S3) bucket hosted in the same AWS region as the customer's SecureCircle SaaS environment. The bucket must be able to be configured with an access policy that allows an AWS IAM role in the SecureCircle SaaS AWS account the ListBucket permission to the bucket and the PutObject and PutObject ACL permissions to a wildcard-terminated prefix (e.g., prefix/for/securecircle/backups/*) in the bucket.
  • Customer-provided RSA public key (e.g, the public key from the openssl genrsa command) for encrypting the randomly-generated symmetric keys that are used to encrypt database backups before uploading them to the given S3 bucket.

Information to Provide to SecureCircle

Information Details Example
AWS S3 Bucket Name The S3 bucket to which DB backups will be uploaded. Note: the bucket must be in the same region as the SecureCircle SaaS environment. my-unique-s3-bucket-name
AWS S3 Object Prefix The prefix with which DB backup keys will begin. backups/securecircle-db/
RSA Public Key (as PEM-encoded data) The public key with which the randomly-generated, per-backup symmetric keys that encrypt the DB backups will be encrypted. Note: it is critical that the RSA Private Key be accessible to the customer in order to decrypt DB backups. It should be stored in a safe place. It is also possible to rotate the key by supplying SecureCircle with a new RSA Public Key. $ openssl genrsa -out testkey.pem 4096 $ openssl rsa -in testkey.pem -pubout -
Desired Backup Time and Frequency The desired frequency of DB backups, with a maximum frequency of daily. Backups will occur weekly on Sunday at 12AM GMT unless otherwise specified Weekly, Saturdays at 6PM Eastern Time

Example Public Key

-----END PUBLIC KEY----- |

S3 Bucket ACL

After supplying the above information to SecureCircle, SecureCircle will supply an S3 bucket policy that will need to be added to the customer's S3 bucket to allow SecureCircle's DB export service to upload data to the bucket. The policy can be assigned to the S3 bucket by navigating to the following:

  1. Navigate to
  2. Select the S3 bucket and navigate to the "Permissions" tab.
  3. Click the Bucket Policy button.

The following is an example bucket policy.

    "Version": "2012-10-17",
    "Id": "Policy1567731399472",
    "Statement": [
            "Sid": "Stmt1567731395926",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::925201460575:role/saas-db-external-backup-role"
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-unique-s3-bucket-name"
            "Sid": "Stmt1567731395927",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::925201460575:role/saas-db-external-backup-role"
            "Action": [
            "Resource": "arn:aws:s3:::my-unique-s3-bucket-name/backups/securecircle-db/*"

Decrypting Uploaded Backups

Each export puts two objects in the S3 bucket: a gzipped, mysqldump-generated DB backup and a symmetric key that was used to encrypt the DB gzip file, itself encrypted by the customer-supplied public key.


The using the customer's private RSA key, the openssl rsautl command can be used to decrypt the encrypted symmetric key, which can then be used to decrypt the DB backup. The following is an example.

$ openssl enc -d -aes-256-cbc -in 1567744961188141183.sql.gz -pass pass:$(openssl rsautl -decrypt -inkey testkey.pem -in 1567744961188141183.sql.gz.key) | zcat | head
-- MySQL dump 10.14  Distrib 5.5.62-MariaDB, for Linux (x86_64)
-- Host:    Database: System
-- ------------------------------------------------------
-- Server version   5.7.22-log
/*!40101 SET NAMES utf8 */;

Was this article helpful?