How can I enable the AWS KMS key for my Amazon S3 bucket in CubeBackup?

By default, all of your Google Workspace backups will be encrypted in CubeBackup as long as you leave the Encrypt backups option checked during the initial configuration. This CubeBackup-server built-in encryption ensures that even if an intruder were to gain physical access to your backup repository, they would be unable to access the files without the matching key. See How is the data encrypted in CubeBackup?

However, you may wish to add additional layer of security and protection for your data using Amazon S3 bucket keys, which are created and controlled by AWS Key Management Services to encrypt your S3 data on the AWS server side.

Tip: For information about how SSE-KMS works in AWS, see Protecting data using server-side encryption with AWS Key Management Service (SSE-KMS).

CubeBackup can interact with AWS to allow you to request server-side encryption for your backups uploaded to the target S3 bucket. You can configure the KMS key for your backup repository on Amazon S3 by following the step-by-step instructions below.

Upload KMS key in the initial setup

  1. Add ?show-kms=1 to the end of your current URL for the setup wizard and refresh the page.

    For example, or

  2. Click Next to configure your storage information in Step 2.

  3. Select S3 as the storage type, enter the KMS key ID as well as other required credentials and click Next.

  4. CubeBackup will run a storage writing test to verify the KMS key and other credentials before proceeding. If everything goes well, complete the initial setup following the instructions here.

Update the existing S3 bucket property

  1. On the OVERVIEW page of the CubeBackup web console, find the Storage status section in the bottom right, and click the gear icon to open the update wizard. Press the Edit storage configuration button.

  2. As a safety precaution, an authentication code will be emailed to you. Please type in the code to continue.

  3. Add ?show-kms=1 to the end of your current URL and refresh the page.

    For example, or

  4. The KMS key ID field will now be displayed in the properties list. Enter your KMS key ID and click the Save button. CubeBackup will run a storage writing test to confirm that the KMS key is working.

  5. Return to Dashboard. You may now initiate a backup to confirm that the AWS KMS key is operating without error.