I am trying to add KMS encryption to our backups of Gitlab in S3. I am aware that it is possible to use S3-managed Keys for this, but is there an option to use KMS instead?
gitlab_rails['backup_upload_connection'] = {
  'provider' => 'AWS',
  'region' => 'eu-west-1',
  'aws_access_key_id' => 'AKIAKIAKI',
  'aws_secret_access_key' => 'secret123'
  # If using an IAM Profile, don't configure aws_access_key_id & aws_secret_access_key
  # 'use_iam_profile' => true
}
gitlab_rails['backup_upload_remote_directory'] = 'my.s3.bucket'
If I add gitlab_rails['backup_encryption'] = 'AES256'
it uses the S3-managed keys. I've been unable to find any info about this in the official documentation.
If it's not possible there are alternative solutions but it would be convenient if it could be handled here.
CAVEAT: validated with Omnibus GitLab 12.3 and Amazon Linux 2. It may not work without modifications otherwise.
AWS KMS isn't supported for backup upload as of GitLab 12.3.
For AWS KMS, you'll need to upload the backups after running gitlab-backup create using a script like this (run as root or with sudo):
# newest archive first: GitLab backup file names start with a Unix timestamp
aws s3 cp "$(find /var/opt/gitlab/backups -type f -name '*_gitlab_backup.tar' | sort -r | head -n1)" \
  "s3://{YOUR_BACKUP_BUCKET_NAME}/" \
  --sse aws:kms --sse-kms-key-id 'alias/your-cmk-alias'
You can also use a KMS key ID directly instead if you prefer.
Make sure your instance IAM Role has:
If you want the instance to be able to run automatic restores from S3, include the following:
- s3:GetObject from the bucket path where your backups will be stored
- kms:Decrypt to the ARN of the KMS key you are using to encrypt the backups
If you want to do SSE-C instead, you can.
Here's an example doing SSE-C backups to S3 from GitLab running on EC2:
gitlab_rails['backup_upload_connection'] = {
'provider' => 'AWS',
'region' => 'ca-central-1',
'use_iam_profile' => true
}
gitlab_rails['backup_upload_encryption'] = 'AES256'
gitlab_rails['backup_upload_encryption_key'] = '{YOUR_SSE_C_KEY_BASE64_ENCODED}'
gitlab_rails['backup_upload_remote_directory'] = '{YOUR_BACKUP_BUCKET_NAME}'
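Added example, not part of the answer above and not GitLab's own tooling: a small POSIX sh script that does what the one-liner in the answer does, but selects the newest archive by its numeric timestamp prefix (a plain text sort misorders timestamps of different lengths), uploads it with SSE-KMS, and then checks via head-object that the stored object really is KMS-encrypted rather than falling back to the bucket default. It assumes the aws CLI is installed, that the instance role can call s3:PutObject on the bucket and kms:GenerateDataKey plus kms:Decrypt on the key (aws s3 cp switches to multipart upload for large files, and multipart SSE-KMS uploads need Decrypt as well), and that the backup directory is the Omnibus default /var/opt/gitlab/backups unless a third argument overrides it. The bucket name and key alias are arguments, not values from the page.

```shell
#!/bin/sh
# upload_backup.sh <bucket> <kms-key-id-or-alias> [backup-dir]
# Added example: pick the newest GitLab backup archive, upload it with SSE-KMS,
# verify the result. Assumes the aws CLI and an instance role with
# s3:PutObject, kms:GenerateDataKey and kms:Decrypt (hypothetical setup).
set -eu

# GitLab names archives "<unix_ts>_<YYYY>_<MM>_<DD>_<version>_gitlab_backup.tar".
# Compare the leading epoch number numerically so "999_..." never beats
# "1000_...". Prints the newest path; fails if DIR holds no archive.
latest_backup() {
  dir="$1"
  newest=""
  for f in "$dir"/*_gitlab_backup.tar; do
    [ -e "$f" ] || continue            # glob did not match anything
    ts="${f##*/}"; ts="${ts%%_*}"      # strip directory, keep timestamp prefix
    case "$ts" in *[!0-9]*|"") continue ;; esac   # skip names without a numeric prefix
    if [ -z "$newest" ]; then
      newest="$f"
    else
      nts="${newest##*/}"; nts="${nts%%_*}"
      [ "$ts" -gt "$nts" ] && newest="$f"
    fi
  done
  if [ -z "$newest" ]; then
    echo "no *_gitlab_backup.tar in $dir" >&2
    return 1
  fi
  printf '%s\n' "$newest"
}

# Confirm the stored object is SSE-KMS encrypted: head-object reports
# ServerSideEncryption=aws:kms and the ARN of the key that was actually used.
# A bucket default of SSE-S3 or no encryption at all shows up here as a failure.
verify_kms() {
  bucket="$1"; name="$2"
  sse="$(aws s3api head-object --bucket "$bucket" --key "$name" \
           --query 'ServerSideEncryption' --output text)"
  if [ "$sse" != "aws:kms" ]; then
    echo "$name is not KMS-encrypted (ServerSideEncryption=$sse)" >&2
    return 1
  fi
  aws s3api head-object --bucket "$bucket" --key "$name" \
      --query 'SSEKMSKeyId' --output text
}

# Upload FILE to s3://BUCKET/<basename> under KEY (key ID, ARN or alias/...),
# then verify it. --only-show-errors keeps cron mail quiet on success.
upload_kms() {
  file="$1"; bucket="$2"; key="$3"
  name="$(basename "$file")"
  aws s3 cp "$file" "s3://$bucket/$name" \
      --sse aws:kms --sse-kms-key-id "$key" --only-show-errors
  verify_kms "$bucket" "$name"
}

main() {
  bucket="$1"; key="$2"; dir="${3:-/var/opt/gitlab/backups}"
  file="$(latest_backup "$dir")"
  upload_kms "$file" "$bucket" "$key"
}

# Only run when invoked with arguments, so the functions can be sourced/tested.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run it right after gitlab-backup create, e.g. from the same cron entry: `./upload_backup.sh my.s3.bucket alias/your-cmk-alias`. If verify_kms fails, the upload landed but with the bucket's default encryption, which usually means the `--sse` flags were dropped or the role lacks kms:GenerateDataKey; the non-zero exit makes that visible instead of leaving an unencrypted backup behind silently.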