By default the backups are encrypted with a general encryption key defined in
the a9s Backup Manager.
The application developer can customize the backup encryption key for each
service instance in the a9s Service Dashboard. The default minimum length for
the customized encryption key is
- When an application developer changes the custom encryption key again, they can no longer download backups with the old custom encryption key.
- The encryption key can only be set directly in the a9s Backup Manager config
file or via the a9s Service Dashboard. It is not configurable by ops-file.
The backup_manager_encryption_key from the ops-file is only used to encode the database columns.
Set min length for custom encryption key
You can configure a minimum length for the backup encryption keys that developers can set in the a9s Service Dashboard.
You can use the Ops files backup-service-min-key-length.yml and dashboard-app-min-key-length
and the variable custom_encryption_key_min_length to set the minimum length.
You can set the variable either in CredHub or by adding the
--var custom_encryption_key_min_length=16 flag to the bosh deploy command.