Background: We have multiple Amazon RDS instances hosting SQL Server databases. These are backed up regularly using native backup, and we provide a KMS key for encryption. We provide the same KMS key again when using the native restore on an RDS instance, and this works just fine.
I now need a means of downloading and decrypting these backups so that I can restore them on a Windows instance. Downloading files was easy, but decrypting has been more challenging. My code looks something like this:
    var request = new GetObjectRequest
    {
        BucketName = myBucketName,
        Key = myBackupsKeyName
    };
    using (var client = new AmazonS3EncryptionClient(RegionEndpoint.EUWest1,
        new EncryptionMaterials(myKmsId)))
    {
        using (var response = await client.GetObjectAsync(request))
        {
            await response.WriteResponseStreamToFileAsync(myFilePath,
                false, new CancellationToken());
        }
    }
I'm getting an error message that sounds like the file isn't even encrypted using KMS:
'Error decrypting non-KMS envelope key. EncryptionMaterials must have the AsymmetricProvider or SymmetricProvider set.'
What am I doing wrong?
You need to make an unencrypted backup to S3, and then download it. Encrypted backups can only be restored within RDS itself.
Make sure you are using the proper procedures for Native Backup and Restore:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.html
    exec msdb.dbo.rds_backup_database
        @source_db_name='database_name',
        @s3_arn_to_backup_to='arn:aws:s3:::bucket_name/file_name_and_extension',
        @overwrite_S3_backup_file=1,
        @type='differential';