This is an enterprise-only feature. Request a 30-day trial license to try it out.
The `ALTER BACKUP` statement allows new KMS encryption keys to be applied to an existing chain of encrypted backups (full and incremental). Each `ALTER BACKUP` statement must include the new KMS encryption key with `NEW_KMS`, and use `WITH OLD_KMS` to refer to at least one of the KMS URIs that were originally used to encrypt the backup.
After an `ALTER BACKUP` statement successfully completes, subsequent `BACKUP`, `RESTORE`, and `SHOW BACKUP` statements can use any of the existing or new KMS URIs to decrypt the backup.
CockroachDB supports AWS, Azure, and Google Cloud KMS keys. For more detail on encrypted backups and restores, see Take and Restore Encrypted Backups.
Synopsis
Parameters
Parameter | Description
---|---
`subdirectory` | The subdirectory containing the target full backup at the given `collectionURI`.
`LATEST` | The most recent backup at the given `collectionURI`.
`collectionURI` | The URI that holds the backup collection.
`ADD NEW_KMS` | Apply the new KMS encryption key to the target backup.
`WITH OLD_KMS` | Reference one of the existing KMS URI(s) originally used to encrypt the backup.
`kmsURI` | The URI for the KMS key.
Required privileges
`ALTER BACKUP` can only be run by members of the `admin` role. By default, the `root` user belongs to the `admin` role. `ALTER BACKUP` requires full read and write permissions to the target cloud storage bucket.
The backup collection's URI does not require the `admin` role when using `s3`, `azure`, or `gs` with `specified` credentials. The backup collection's URI does require the `admin` role when using `s3`, `azure`, or `gs` with `implicit` credentials.
We recommend using cloud storage.
Examples
`ALTER BACKUP` will apply the new encryption information to the entire chain of backups (full and incremental). When running `ALTER BACKUP` with a subdirectory, the statement must point to a full backup in the backup collection.
See Cloud Storage Authentication for more detail on authenticating to your cloud storage bucket.
Add an AWS KMS key to an encrypted backup
To add a new KMS key to the most recent backup:

```sql
ALTER BACKUP LATEST IN 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
    ADD NEW_KMS = 'aws:///{new-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}'
    WITH OLD_KMS = 'aws:///{old-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}';
```
To add a new KMS key to a specific backup, issue an `ALTER BACKUP` statement that points to the full backup:

```sql
ALTER BACKUP '2022/03/23-213101.37' IN 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
    ADD NEW_KMS = 'aws:///{new-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}'
    WITH OLD_KMS = 'aws:///{old-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}';
```
To list backup directories at a collection's URI, see `SHOW BACKUP`.
Add an Azure KMS key to an encrypted backup
New in v23.1:
To add a new KMS key to the most recent backup:

```sql
ALTER BACKUP LATEST IN 'azure://{container name}?AUTH=specified&AZURE_ACCOUNT_NAME={account name}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_TENANT_ID={tenant ID}'
    ADD NEW_KMS = 'azure-kms:///{new key}/{new key version}?AZURE_TENANT_ID={tenant ID}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_VAULT_NAME={key vault name}'
    WITH OLD_KMS = 'azure-kms:///{old key}/{old key version}?AZURE_TENANT_ID={tenant ID}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_VAULT_NAME={key vault name}';
```
To add a new KMS key to a specific backup, issue an `ALTER BACKUP` statement that points to the full backup:

```sql
ALTER BACKUP '2023/03/14-203808.29' IN 'azure://{container name}?AUTH=specified&AZURE_ACCOUNT_NAME={account name}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_TENANT_ID={tenant ID}'
    ADD NEW_KMS = 'azure-kms:///{new key}/{new key version}?AZURE_TENANT_ID={tenant ID}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_VAULT_NAME={key vault name}'
    WITH OLD_KMS = 'azure-kms:///{old key}/{old key version}?AZURE_TENANT_ID={tenant ID}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_VAULT_NAME={key vault name}';
```
To list backup directories at a collection's URI, see `SHOW BACKUP`.
Add a Google Cloud KMS key to an encrypted backup
To add a new KMS key to the most recent backup:

```sql
ALTER BACKUP LATEST IN 'gs://{BUCKET NAME}?AUTH=specified&CREDENTIALS={ENCODED KEY}'
    ADD NEW_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{new key}?AUTH=specified&CREDENTIALS={encoded key}'
    WITH OLD_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{old key}?AUTH=specified&CREDENTIALS={encoded key}';
```
To add a new KMS key to a specific backup, issue an `ALTER BACKUP` statement that points to the full backup:

```sql
ALTER BACKUP '2022/03/23-213101.37' IN 'gs://{BUCKET NAME}?AUTH=specified&CREDENTIALS={ENCODED KEY}'
    ADD NEW_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{new key}?AUTH=specified&CREDENTIALS={encoded key}'
    WITH OLD_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{old key}?AUTH=specified&CREDENTIALS={encoded key}';
```
To list backup directories at a collection's URI, see `SHOW BACKUP`.