Backup SecureCircle SaaS Database Externally
  • 17 Oct 2020

The SecureCircle SaaS DB is hosted on highly available, fault-tolerant infrastructure able to withstand outages and storage losses without losing data. Additionally, as part of the SaaS service, snapshots of the SaaS DB are routinely taken and stored in case recovery from a certain point in time is necessary. Customers do not need to back up or manage the SaaS DB in any way. In some cases, however, a customer may want backups of the SaaS DB to be stored externally and retained by the customer. This article describes the information SecureCircle needs in order to provide this service, if it is desired.

Customer Prerequisites

SecureCircle needs some information from customers in order to enable the optional external SaaS DB backup service. That information comes from the following prerequisites.

  • Customer-hosted Amazon S3 (AWS S3) bucket in the same AWS region as the customer's SecureCircle SaaS environment. It must be possible to configure the bucket with an access policy that grants an AWS IAM role in the SecureCircle SaaS AWS account the ListBucket permission on the bucket and the PutObject and PutObjectAcl permissions on a wildcard-terminated prefix (e.g., prefix/for/securecircle/backups/*) in the bucket.
  • Customer-provided RSA public key (e.g., the public key of a key pair generated with the openssl genrsa command) for encrypting the randomly-generated symmetric keys that are used to encrypt database backups before uploading them to the given S3 bucket.

Information to Provide to SecureCircle

  • AWS S3 Bucket Name
    Details: The S3 bucket to which DB backups will be uploaded. Note: the bucket must be in the same region as the SecureCircle SaaS environment.
    Example: my-unique-s3-bucket-name
  • AWS S3 Object Prefix
    Details: The prefix with which DB backup keys will begin.
    Example: backups/securecircle-db/
  • RSA Public Key (as PEM-encoded data)
    Details: The public key with which the randomly-generated, per-backup symmetric keys that encrypt the DB backups will be encrypted. Note: it is critical that the RSA Private Key be accessible to the customer in order to decrypt DB backups. It should be stored in a safe place. It is also possible to rotate the key by supplying SecureCircle with a new RSA Public Key.
    Example:
    $ openssl genrsa -out testkey.pem 4096
    $ openssl rsa -in testkey.pem -pubout -
  • Desired Backup Time and Frequency
    Details: The desired frequency of DB backups, with a maximum frequency of daily. Backups will occur weekly on Sunday at 12AM GMT unless otherwise specified.
    Example: Weekly, Saturdays at 6PM Eastern Time

Example Public Key


S3 Bucket ACL

After this information has been supplied, SecureCircle will provide an S3 bucket policy that must be added to the customer's S3 bucket to allow SecureCircle's DB export service to upload data to the bucket. The policy can be assigned to the S3 bucket as follows:

  1. Navigate to https://s3.console.aws.amazon.com/s3/buckets/
  2. Select the S3 bucket and navigate to the "Permissions" tab.
  3. Click the Bucket Policy button.

The following is an example bucket policy.

{
    "Version": "2012-10-17",
    "Id": "Policy1567731399472",
    "Statement": [
        {
            "Sid": "Stmt1567731395926",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::925201460575:role/saas-db-external-backup-role"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-unique-s3-bucket-name"
        },
        {
            "Sid": "Stmt1567731395927",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::925201460575:role/saas-db-external-backup-role"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::my-unique-s3-bucket-name/backups/securecircle-db/*"
        }
    ]
}
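
Before attaching a supplied policy, it can be checked against the scope described above (ListBucket on the bucket, PutObject and PutObjectAcl on the agreed prefix, one role as principal). The following is an added example, not SecureCircle's code; audit_bucket_policy and sample_policy are hypothetical names, and the bucket, prefix and role ARN are the article's example values.

```python
import json

# Scope the article describes; IAM action names are case-insensitive.
BUCKET_ACTIONS = {"s3:listbucket"}
OBJECT_ACTIONS = {"s3:putobject", "s3:putobjectacl"}

def _listify(value):
    """IAM accepts a string or a list for Action, Resource and Principal."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_bucket_policy(policy_text, bucket, prefix, role_arn):
    """Return findings; an empty list means only the agreed scope is granted."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}*"
    statements = json.loads(policy_text)["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for st in statements:
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if any(k in st for k in ("NotAction", "NotResource", "NotPrincipal")):
            findings.append(f"{sid}: Not* element makes the grant open-ended")
        principal = st.get("Principal")
        arns = _listify(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if arns != [role_arn]:
            findings.append(f"{sid}: unexpected principal {arns}")
        actions = {a.lower() for a in _listify(st.get("Action"))}
        for res in _listify(st.get("Resource")):
            allowed = {bucket_arn: BUCKET_ACTIONS, object_arn: OBJECT_ACTIONS}.get(res)
            if allowed is None:
                findings.append(f"{sid}: resource outside agreed scope: {res}")
            elif actions - allowed:
                findings.append(f"{sid}: extra actions on {res}: {sorted(actions - allowed)}")
    return findings

ROLE = "arn:aws:iam::925201460575:role/saas-db-external-backup-role"  # from the article

def sample_policy(object_actions, object_resource):
    """Constructed policy in the article's shape with a tweakable second statement."""
    stmt = lambda act, res: {"Effect": "Allow", "Principal": {"AWS": ROLE},
                             "Action": act, "Resource": res}
    return json.dumps({"Version": "2012-10-17", "Statement": [
        stmt("s3:ListBucket", "arn:aws:s3:::my-unique-s3-bucket-name"),
        stmt(object_actions, object_resource)]})
```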

Decrypting Uploaded Backups

Each export puts two objects in the S3 bucket: a gzipped, mysqldump-generated DB backup, and the symmetric key that was used to encrypt the DB gzip file, itself encrypted with the customer-supplied public key.

Using the customer's private RSA key, the openssl rsautl command can be used to decrypt the encrypted symmetric key, which can then be used to decrypt the DB backup. The following is an example.

$ openssl enc -d -aes-256-cbc -in 1567744961188141183.sql.gz -pass pass:$(openssl rsautl -decrypt -inkey testkey.pem -in 1567744961188141183.sql.gz.key) | zcat | head
-- MySQL dump 10.14  Distrib 5.5.62-MariaDB, for Linux (x86_64)
--
-- Host: obfuscated.us-east-2.rds.amazonaws.com    Database: System
-- ------------------------------------------------------
-- Server version   5.7.22-log
 
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
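
The same two-step decryption can be scripted so that the unwrapped symmetric key is passed on stdin instead of on the command line, where it would be visible in the process list. This is an added example, not SecureCircle's code: decrypt_backup and make_sample_export are hypothetical names, the sample export is constructed, and openssl pkeyutl is used because rsautl is deprecated since OpenSSL 3.0.

```python
import gzip, os, subprocess

def _openssl(args, stdin=None):
    """Run the openssl CLI; check=True raises if it reports an error."""
    return subprocess.run(["openssl", *args], input=stdin, check=True,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE).stdout

def decrypt_backup(private_key, wrapped_key, encrypted_dump):
    """Return the decompressed SQL dump for one export as bytes."""
    # Unwrap the per-backup symmetric key; pkeyutl defaults to the same
    # PKCS#1 v1.5 padding as rsautl. Trailing newlines are dropped, as $(...) does.
    passphrase = _openssl(["pkeyutl", "-decrypt", "-inkey", private_key,
                           "-in", wrapped_key]).rstrip(b"\n")
    # Pass the key on stdin so it never appears in argv.
    gz = _openssl(["enc", "-d", "-aes-256-cbc", "-in", encrypted_dump,
                   "-pass", "stdin"], stdin=passphrase + b"\n")
    return gzip.decompress(gz)

def make_sample_export(workdir, sql=b"-- constructed sample dump\nSELECT 1;\n"):
    """Build constructed test data shaped like one export; returns three paths."""
    path = lambda name: os.path.join(workdir, name)
    _openssl(["genrsa", "-out", path("testkey.pem"), "2048"])
    _openssl(["rsa", "-in", path("testkey.pem"), "-pubout", "-out", path("pub.pem")])
    passphrase = _openssl(["rand", "-hex", "32"]).strip()
    # Wrap the symmetric key with the public key (input read from stdin).
    _openssl(["pkeyutl", "-encrypt", "-pubin", "-inkey", path("pub.pem"),
              "-out", path("sample.sql.gz.key")], stdin=passphrase)
    with open(path("plain.gz"), "wb") as fh:
        fh.write(gzip.compress(sql))
    _openssl(["enc", "-aes-256-cbc", "-in", path("plain.gz"),
              "-out", path("sample.sql.gz"), "-pass", "stdin"], stdin=passphrase + b"\n")
    return path("testkey.pem"), path("sample.sql.gz.key"), path("sample.sql.gz")
```

If a real backup fails with "bad decrypt" even though the key unwrapped correctly, note that the default digest of openssl enc changed from MD5 to SHA-256 in OpenSSL 1.1.0, so an explicit -md option matching the encrypting side may be needed.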