ALTER BACKUP

The ALTER BACKUP statement allows for new KMS encryption keys to be applied to an existing chain of encrypted backups (full and incremental). Each ALTER BACKUP statement must include the new KMS encryption key with NEW_KMS, and use WITH OLD_KMS to refer to at least one of the KMS URIs that were originally used to encrypt the backup.

After an ALTER BACKUP statement successfully completes, subsequent BACKUP, RESTORE, and SHOW BACKUP statements can use any of the existing or new KMS URIs to decrypt the backup.

CockroachDB supports AWS, Azure, and Google Cloud KMS keys. For more detail on encrypted backups and restores, see Take and Restore Encrypted Backups.

Synopsis

ALTER BACKUP LATEST subdirectory IN collectionURI ADD NEW_KMS kmsURI WITH OLD_KMS kmsURI

Parameters

Parameter Description
subdirectory The subdirectory containing the target full backup at the given collectionURI.
LATEST The most recent backup at the given collectionURI.
collectionURI The URI that holds the backup collection.
ADD NEW_KMS Apply the new KMS encryption key to the target backup.
WITH OLD_KMS Reference one of the existing KMS URI(s) originally used to encrypt the backup.
kmsURI The URI for the KMS key.

Required privileges

  • ALTER BACKUP can only be run by members of the admin role. By default, the root user belongs to the admin role.
  • ALTER BACKUP requires full read and write permissions to the target cloud storage bucket.

The admin role is not required for backup collection URIs that use s3, azure, or gs with specified credentials. It is required for those same schemes when implicit credentials are used.

We recommend using cloud storage.

Examples

ALTER BACKUP will apply the new encryption information to the entire chain of backups (full and incremental).

Note:

When running ALTER BACKUP with a subdirectory, the statement must point to a full backup in the backup collection.

See Cloud Storage Authentication for more detail on authenticating to your cloud storage bucket.

Add an AWS KMS key to an encrypted backup

To add a new KMS key to the most recent backup:

ALTER BACKUP LATEST IN 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
    ADD NEW_KMS = 'aws:///{new-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}'
    WITH OLD_KMS = 'aws:///{old-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}';

To add a new KMS key to a specific backup, issue an ALTER BACKUP statement that points to the full backup:

ALTER BACKUP '2022/03/23-213101.37' IN 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
    ADD NEW_KMS = 'aws:///{new-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}'
    WITH OLD_KMS = 'aws:///{old-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}';

To list backup directories at a collection's URI, see SHOW BACKUP.
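The full key-rotation sequence that these statements fit into, added here as an illustration and not part of the original page: back up under the old key, add the new key to the whole chain with ALTER BACKUP, confirm that the new key alone can read the chain before the old key is retired in KMS, then restore with the new key. The WITH kms option on BACKUP, SHOW BACKUP, and RESTORE is standard CockroachDB syntax not shown on this page; bucket, key, credential, and database names are placeholders.

```sql
-- 1. Full backup encrypted with the old KMS key (all values in braces are placeholders).
BACKUP INTO 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
    WITH kms = 'aws:///{old-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}';

-- 2. Incremental backups appended to the same chain are encrypted with the same key.
BACKUP INTO LATEST IN 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
    WITH kms = 'aws:///{old-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}';

-- 3. Add the new key to the entire chain (full + incrementals).
--    OLD_KMS must name one of the keys the chain was originally encrypted with.
ALTER BACKUP LATEST IN 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
    ADD NEW_KMS = 'aws:///{new-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}'
    WITH OLD_KMS = 'aws:///{old-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}';

-- 4. Verify that the NEW key alone can decrypt the chain before disabling or
--    scheduling deletion of the old key in AWS KMS. If this fails, keep the old key.
SHOW BACKUP FROM LATEST IN 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
    WITH kms = 'aws:///{new-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}';

-- 5. Restore using only the new key; the old key is no longer needed for this chain.
RESTORE DATABASE {database} FROM LATEST IN 's3://{BUCKET NAME}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}'
    WITH kms = 'aws:///{new-key}?AWS_ACCESS_KEY_ID={KEY ID}&AWS_SECRET_ACCESS_KEY={SECRET ACCESS KEY}&REGION={location}';
```

Step 4 is the check that matters operationally: once the old key is disabled in KMS, any backup that was not successfully re-keyed becomes unrecoverable.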

Add an Azure KMS key to an encrypted backup

New in v23.1:

To add a new KMS key to the most recent backup:

ALTER BACKUP LATEST IN 'azure-blob://{container name}?AUTH=specified&AZURE_ACCOUNT_NAME={account name}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_TENANT_ID={tenant ID}'
    ADD NEW_KMS = 'azure-kms:///{new key}/{new key version}?AZURE_TENANT_ID={tenant ID}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_VAULT_NAME={key vault name}'
    WITH OLD_KMS = 'azure-kms:///{old key}/{old key version}?AZURE_TENANT_ID={tenant ID}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_VAULT_NAME={key vault name}';

To add a new KMS key to a specific backup, issue an ALTER BACKUP statement that points to the full backup:

ALTER BACKUP '2023/03/14-203808.29' IN 'azure-blob://{container name}?AUTH=specified&AZURE_ACCOUNT_NAME={account name}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_TENANT_ID={tenant ID}'
    ADD NEW_KMS = 'azure-kms:///{new key}/{new key version}?AZURE_TENANT_ID={tenant ID}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_VAULT_NAME={key vault name}'
    WITH OLD_KMS = 'azure-kms:///{old key}/{old key version}?AZURE_TENANT_ID={tenant ID}&AZURE_CLIENT_ID={client ID}&AZURE_CLIENT_SECRET={client secret}&AZURE_VAULT_NAME={key vault name}';

To list backup directories at a collection's URI, see SHOW BACKUP.

Add a Google Cloud KMS key to an encrypted backup

To add a new KMS key to the most recent backup:

ALTER BACKUP LATEST IN 'gs://{BUCKET NAME}?AUTH=specified&CREDENTIALS={ENCODED KEY}'
    ADD NEW_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{new key}?AUTH=specified&CREDENTIALS={encoded key}'
    WITH OLD_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{old key}?AUTH=specified&CREDENTIALS={encoded key}';

To add a new KMS key to a specific backup, issue an ALTER BACKUP statement that points to the full backup:

ALTER BACKUP '2022/03/23-213101.37' IN 'gs://{BUCKET NAME}?AUTH=specified&CREDENTIALS={ENCODED KEY}'
    ADD NEW_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{new key}?AUTH=specified&CREDENTIALS={encoded key}'
    WITH OLD_KMS = 'gs:///projects/{project name}/locations/{location}/keyRings/{key ring name}/cryptoKeys/{old key}?AUTH=specified&CREDENTIALS={encoded key}';

To list backup directories at a collection's URI, see SHOW BACKUP.
