Blog

Compression and Encryption in Aerospike’s Backup Tool — Asbackup

May 14, 2021 | 3 min read
clayton-knittel-f733175cd012e8b5b9e95480709ad423
Clayton Knittel
Aerospike Ecosystem Engineer

Aerospike Backup (asbackup)

Asbackup is Aerospike’s tool used to backup and restore namespaces in an Aerospike database. We have just added the ability to compress and encrypt backup files as they are being made. The method used operates on the data before it is written to the file, so even if a backup job is aborted before finishing, you will never have unencrypted data on disk.

How to: Compression

The compression algorithm used by asbackup is zstd compression. To run the backup tool with compression, use the --compress option followed by the compression algorithm to be used. As of right now, the only available compression algorithm is zstd.

Let’s assume you want to backup all records in the namespace test into a directory test_dir and compress the backup files, you’d run:

$ asbackup --namespace test --directory test_dir --compress zstd

And then, to restore the whole namespace, run asrestore with the same arguments.

$ asrestore --namespace test --directory test_dir --compress zstd

Note: --compress zstd must be passed to asrestore . Backup files do not know whether they have been encrypted/compressed, so you have to tell asrestore what format to expect the files in.

How to: Encryption

The encryption algorithms used by asbackup are AES 128/AES 256 in Counter (CTR) Mode. To run the backup tool with encryption, use the --encrypt option followed by the encryption algorithm to be used, either aes128 or aes256.

Encryption must always be accompanied by a private key, which can be supplied in a file in PEM format, or in base-64 encoding in an environment variable.

The size of the private key used does not matter, the SHA 256 hash of the key is taken and used as the private key by AES 128/AES 256.

Encryption with a private key file

To run a backup with AES 128 encryption and private key stored at /opt/private_key.pem, run:

$ asbackup --namespace test --directory test_dir --encrypt aes128 --encryption-key-file /opt/private_key.pem

And to restore from the encrypted backup files, run:

$ asrestore --namespace test --directory test_dir --encrypt aes128 --encryption-key-file /opt/private_key.pem

Encryption with a private key environment variable

If you want to run a backup with AES 128 encryption, and you have the private key stored in an environment variable (say it’s named AS_PRIVATE_KEY), run:

$ asbackup --namespace test --directory test_dir --encrypt aes128 --encryption-key-env AS_PRIVATE_KEY

And to restore from the encrypted backup files, run:

$ asrestore --namespace test --directory test_dir --encrypt aes128 --encryption-key-env AS_PRIVATE_KEY