Custom Encryption Key

By default, backups are encrypted with a general encryption key defined in the a9s Backup Manager. The application developer can customize the backup encryption key for each service instance in the a9s Service Dashboard. The default minimum length for the customized encryption key is 8.


  • When an application developer changes the custom encryption key again, they are no longer able to download backups with the old custom encryption key.
  • The encryption key can only be set directly on the a9s Backup Manager config file or via the a9s Service Dashboard. It is not configurable by ops-file. The backup_manager_encryption_key from the ops-file is only used to encode the database columns.

Set min length for custom encryption key

You can configure a minimum length for the backup encryption keys that developers set in the a9s Service Dashboard.


To set the minimum length, use the Ops files backup-service-min-key-length.yml and dashboard-app-min-key-length together with the variable custom_encryption_key_min_length. You can set the variable either in CredHub or by passing the --var custom_encryption_key_min_length=16 flag to the bosh deploy command.