Security & encryption
Backup location
Backups are stored in Google Cloud Platform datacenters in the us-central1 or eu-west4 region, based on the region selected during cluster onboarding.
Encryption
All customer data is always encrypted, both in transit and at rest. We use TLS 1.2 with strong ciphers for all communications. For data at rest, we use 256-bit AES, one of the most secure encryption algorithms.
You can learn more about security and privacy at https://afi.ai/compliance.
The following options for backup encryption are available:
- Afi-managed encryption key (default option) - an encryption key is provisioned automatically when the Afi backup agent is installed in a Kubernetes cluster.
- Bring-Your-Own-Key (BYOK) - a KMS key managed by one of the following cloud providers: Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure. This option provides additional control over the backup data and helps you comply with regulatory or contractual requirements if needed.
- Kubernetes Secret - an AES-256 encryption key stored inside a Kubernetes Secret object. With this option, all encryption and decryption operations happen inside the cluster.
Please note that data encryption and decryption with both Afi- and KMS-managed encryption keys require network connectivity with the Afi platform.
Also, if a BYOK or Kubernetes Secret key is deleted or lost, it is not possible to access or recover the encrypted backup data, so we advise you to:
- protect the BYOK key from deletion on the KMS side if the KMS cloud provider supports that,
- in the case of a Kubernetes Secret key, make sure that a copy of the key is backed up in a safe location shared with several trusted service administrators.
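One way to confirm that the backed-up copy of a Kubernetes Secret key still matches the key in the cluster, without displaying the key itself. This is an added example, not Afi's own code: the Secret name, the data field name and the base64 storage of the escrowed copy are assumptions, and the key shown is constructed sample data.

```python
import base64
import hashlib
import hmac
import json

KEY_LEN = 32  # an AES-256 key is 32 bytes
FIELD = "encryption-key"  # hypothetical data field name, not taken from Afi docs


def key_from_secret(secret_json: str, field: str = FIELD) -> bytes:
    """Extract the key from `kubectl get secret <name> -o json` output and validate it."""
    obj = json.loads(secret_json)
    if obj.get("kind") != "Secret" or field not in obj.get("data", {}):
        raise ValueError(f"not a Secret with a {field!r} data field")
    return decode_key(obj["data"][field])


def decode_key(b64_text: str) -> bytes:
    """Decode a base64 key and reject anything that is not exactly 32 bytes."""
    raw = base64.b64decode(b64_text.strip(), validate=True)
    if len(raw) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} key bytes, got {len(raw)}")
    return raw


def fingerprint(key: bytes) -> str:
    """Runbook-safe identifier (assumes the key is random, not passphrase-derived)."""
    return hashlib.sha256(b"backup-key-fingerprint\x00" + key).hexdigest()[:16]


def escrow_matches(secret_json: str, escrow_b64: str) -> bool:
    """True when the escrowed copy is the same key the cluster Secret holds."""
    in_cluster = fingerprint(key_from_secret(secret_json))
    escrowed = fingerprint(decode_key(escrow_b64))
    return hmac.compare_digest(in_cluster, escrowed)


# Constructed sample data: a fixed demo key, never use it for real backups.
SAMPLE_KEY = bytes(range(32))
SAMPLE_ESCROW = base64.b64encode(SAMPLE_KEY).decode()  # constructed escrow copy
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "backup-encryption-key"},  # hypothetical name
    "data": {FIELD: SAMPLE_ESCROW},
})

if __name__ == "__main__":
    print("fingerprint:", fingerprint(key_from_secret(SAMPLE_SECRET)))
    print("escrow copy matches:", escrow_matches(SAMPLE_SECRET, SAMPLE_ESCROW))
```

Recording the fingerprint next to each escrowed copy lets administrators detect a stale or truncated copy before a restore depends on it.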
Backup agent ⇔ Afi cloud communication
Backup agents depend on the cloud platform for all operations, so please make sure that your firewall allows outbound connections to *.afi.ai:443.
The backup agent can also send error reports to Sentry, a SaaS solution used by Afi for application error monitoring. These reports are intended to improve Afi Kubernetes Backup stability and help the Afi R&D team proactively fix possible issues. Sentry error reports contain only a stack trace with details of the application crash and the Afi tenant (cluster) ID. They don't expose any sensitive information related to your cluster or infrastructure, such as cluster configuration details. Sentry reports are sent to *.ingest.sentry.io:443.