KMS vs Password


I have had 4 buckets (for 4 different servers) on AWS S3 for a long time.

So far, they all had the same password, but I’m in the process of making each of them have their own password.

I’m using “restic key passwd” to change them.

I’m just confused, however…
What is actually used to encrypt the backups? Is it the ‘password’, or the key in KMS?
Is the password only used to login to the restic repo, or is it used to encrypt too?

I’m not even sure anymore how I created the KMS key.

If I simply change the password (“restic key passwd”), and someone gets access to the AWS S3 bucket and the KMS, will they be able to decrypt the backup, or do they need the password too?

If the KMS key is what encrypts the buckets, how do I change/create different KMS keys for each bucket?

(although, if the key is at the same location as the backup, I don’t really consider this secure… would make more sense that the password is what encrypts the backup)

I’m not finding any restic documentation that mentions KMS!

I just don’t want a situation where someone hacking one server will have enough to be able to get the data of the other servers/backups.

Thank you very much.

The point that you missed is that there can be several rounds of encryption on top of each other, on your side and on the AWS side.

With a restic password, data is encrypted on your side. AWS server-side encryption is then redundant. You can nevertheless check the Encrypt box in S3. Data will be encrypted one more time. The key for S3 encryption could be in KMS or less secure places. If you choose KMS, the key is held in a different special place and you can monitor its usage. For the KMS part, you don’t need to change any password: AWS manages it for you. It uses a new key for each piece of data, all unlocked by the KMS key.

Simply selecting regular Encrypt in S3 (without KMS) will prevent the situation you described: someone taking the hard drive and accessing your data. With KMS, the ability of AWS staff itself will also be severely restricted. I personally won’t worry with S3 even unencrypted: it’s heavily secured physically.

Note however that AWS has access to server-side keys. This is where Restic helps, in case the government requests your data from AWS.

So, go ahead and change Restic password, on top of KMS.

One thing I would add: I am not sure if restic directly supports S3 SSE, for example with KMS.

But rclone does and perhaps you could use that backend and report back.

As far as I know Restic cannot use KMS directly. KMS uses envelope encryption with master and data keys, whereas Restic uses a password, they’re not directly comparable.

What Eli6 says is correct. Use Restic encryption, then AWS S3 encryption is optional. Encryption in S3 is largely a compliance measure, since physical access is near impossible, drives are destroyed at end of life, and if any AWS person wants to get access to the object they can probably get access to KMS to decrypt the object anyway. We always encrypt S3 objects with KMS CMK for corporate work, including custom key policies, but I don’t usually bother for my personal data on S3. However, given how easy it is and how little it costs, it doesn’t hurt to enable encryption.

Thanks guys. But I’m not sure (can’t remember) how the KMS entry was created, or if it’s even being used at the moment.

Did Restic create it? (it’s been a few years since I use Restic)
If I have 4 servers (= 4 buckets), is Restic reusing the same KMS key?

When I changed the passwords for the 4 buckets, it was a really quick transaction - just a few seconds.
If it was the password that was encrypting the files, then it would definitely take much longer than that, as I have a lot of data there (and the backups take hours to complete)

So… where’s the key that encrypts the files?

Maybe this is the answer to me.

I don’t see any Restic documentation about KMS, so I wonder if I created it, probably used at the time, but no longer being used.
(the description of the key is “Encrypt Restic S3 Bucket Objects”)

Ok… I disabled the key, and I can still mount. (I assume backups will work too)

So, KMS isn’t being used :smiley:

My question then remains – where’s the key that encrypts the files?
Is it the password that we use to connect to it?
Is it on the bucket itself?
Stored somewhere on the server?

Restic doesn’t seem to directly use any features of any storage / encryption system such as AWS KMS. I think it’s a design philosophy that keeps it open.

Encryption is based on a password you set. In my scripts that run Restic I use something like this

set RESTIC_PASSWORD=PasswordGoesHere

The application encrypts your data based on the password you set. The encrypted files are then saved wherever you like.

I’m not sure I’m understanding your question. This is the basics of how restic works, so I think I’m missing something. Have you read the documentation? Restic Documentation — restic 0.12.1 documentation

Thank you for clarifying. And yeah, I set the same env variable.

Very strange/impressive to me, then, that when I changed the password, it was able to re-encrypt 2TB of data in just a few seconds…

I probably read it (or used some tutorial), years ago, when I first set Restic up.
Recently, I was just trying to find anything about KMS there, and found the way to change the password (“restic key passwd”)

Your restic password actually encrypts a key file. That key (in the key file) is then used to encrypt the actual data. Hence, when changing your restic password, only that key file is reencrypted, the data encryption key doesn’t change and hence the data on disk don’t change (don’t need to be reencrypted).
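
The key-file arrangement described in the reply above, as an added sketch that is not part of the original thread and is not restic's code. The SHA-256 keystream plus HMAC is a stdlib-only stand-in for restic's AES-256-CTR and Poly1305-AES; the function names, passwords and chunks are constructed for illustration.

```python
import hashlib, hmac, os

def _sub(key, label):
    # Derive separate encryption and MAC subkeys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Toy keystream: SHA-256 over key, nonce and block offset.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    # Encrypt-then-MAC with the stand-in cipher (not restic's real one).
    nonce = os.urandom(16)
    ct = _xor(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or corrupted data")
    return _xor(_sub(key, b"enc"), nonce, ct)

def wrap_master(password, master):
    # Key file = salt + master key sealed under a scrypt-derived key.
    salt = os.urandom(16)
    kek = hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1, dklen=32)
    return salt + seal(kek, master)

def unwrap_master(password, key_file):
    salt, sealed = key_file[:16], key_file[16:]
    kek = hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1, dklen=32)
    return unseal(kek, sealed)

def change_password(old, new, key_file):
    # Models "restic key passwd": only the small key file is re-wrapped.
    return wrap_master(new, unwrap_master(old, key_file))

def demo():
    master = os.urandom(32)                    # random, never derived from the password
    old_file = wrap_master("old-pw", master)   # constructed sample passwords
    packs = [seal(master, b"chunk %d" % i) for i in range(3)]  # constructed data
    new_file = change_password("old-pw", "new-pw", old_file)
    return master, old_file, new_file, packs   # packs were never touched
```

In this model a saved copy of the old key file still opens with the old password, because the master key itself never changes.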


Aahh - that makes total sense!
Thank you very much for clearing that up :partying_face::+1:
Have a great day, all.