This is an enterprise-only feature. You can use free trial credits to try it out.
The ALTER BACKUP
statement allows for new KMS encryption keys to be applied to an existing chain of encrypted backups (full and incremental). Each ALTER BACKUP
statement must include the new KMS encryption key with NEW_KMS
, and use WITH OLD_KMS
to refer to at least one of the KMS URIs that were originally used to encrypt the backup.
After an ALTER BACKUP
statement successfully completes, subsequent BACKUP
, RESTORE
, and SHOW BACKUP
statements can use any of the existing or new KMS URIs to decrypt the backup.
CockroachDB supports AWS and Google Cloud KMS keys. For more detail on encrypted backups and restores, see Take and Restore Encrypted Backups.
Synopsis
Parameters
Parameter | Description |
---|---|
subdirectory |
The subdirectory containing the target full backup at the given collectionURI . |
LATEST |
The most recent backup at the given collectionURI . |
collectionURI |
The URI that holds the backup collection. |
ADD NEW_KMS |
Apply the new KMS encryption key to the target backup. |
WITH OLD_KMS |
Reference one of the existing KMS URI(s) originally used to encrypt the backup. |
kmsURI |
The URI for the KMS key. |
Required privileges
ALTER BACKUP
can only be run by members of theadmin
role. By default, theroot
user belongs to theadmin
role.ALTER BACKUP
requires full read and write permissions to the target cloud storage bucket.
The backup collection's URI does not require the admin
role when using s3
or gs
using SPECIFIED
credentials. The backup collection's URI does require the admin
role when using s3
or gs
with IMPLICIT
credentials.
We recommend using cloud storage for CockroachDB operations.
Examples
ALTER BACKUP
will apply the new encryption information to the entire chain of backups (full and incremental).
When running ALTER BACKUP
with a subdirectory, the statement must point to a full backup in the backup collection.
See Cloud Storage Authentication for more detail on authenticating to your cloud storage bucket.
Add an AWS KMS key to an encrypted backup
To add a new KMS key to the most recent backup:
ALTER BACKUP LATEST IN 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
ADD NEW_KMS = 'aws:///{new-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}®ION={location}'
WITH OLD_KMS = 'aws:///{old-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}®ION={location}';
To add a new KMS key to a specific backup, issue an ALTER BACKUP
statement that points to the full backup:
ALTER BACKUP '2022/03/23-213101.37' IN 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
ADD NEW_KMS = 'aws:///{new-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}®ION={location}'
WITH OLD_KMS = 'aws:///{old-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}®ION={location}';
To list backup directories at a collection's URI, see SHOW BACKUP
.
Add a Google Cloud KMS key to an encrypted backup
To add a new KMS key to the most recent backup:
ALTER BACKUP LATEST IN 'gs://{BUCKET NAME}?AUTH=specified&CREDENTIALS={ENCODED KEY}'
ADD NEW_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{new key}?AUTH=specified&CREDENTIALS={encoded key}'
WITH OLD_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{old key}?AUTH=specified&CREDENTIALS={encoded key}';
To add a new KMS key to a specific backup, issue an ALTER BACKUP
statement that points to the full backup:
ALTER BACKUP '2022/03/23-213101.37' IN 'gs://{BUCKET NAME}?AUTH=specified&CREDENTIALS={ENCODED KEY}'
ADD NEW_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{new key}?AUTH=specified&CREDENTIALS={encoded key}'
WITH OLD_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{old key}?AUTH=specified&CREDENTIALS={encoded key}';
To list backup directories at a collection's URI, see SHOW BACKUP
.