Feature Proposal: KMS Support for Encrypted Backups

Proposal

GitLab Premium self-managed customer with 1400 users interested in a feature.

• Link to request: Provided via email: Customer would like to use KMS for encrypted backups and there is currently no support for this in GitLab
• Link to Related MR: !64765 (merged) || !64765 (diffs)
• Why interested: Why is this important to you?

Company policy mandates use of SSE-KMS encryption based on application and data classification. GitLab and it’s data falls under the defined policy for SSE-KMS encryption.

We currently have backup scripts that generates backups and then copies data to S3 using appropriate key. Having the ability to do this with one command would simply be a convince.

• Current solution for this problem: As for artifacts, it currently takes ~ 90 minutes to accomplish a full backup including artifacts using the backup command. It also requires approximately double the disk space to successfully complete a full backup. The ability to store artifacts in S3 while meeting the SSE-KMS mandate would greatly reduce the amount of time required for full backups, as we would could eliminate the need to backup artifacts and would depend on the S3 availability and resiliency standards to ensure data integrity.

• Impact to the customer of not having this: As for impact, due to the impact on performance (doing a full backup impacts the GitLab UI experience with users experiencing intermittent timeouts) we infrequently do a full backup, risking the potential loss of artifacts in case of catastrophic disk failure.

• PM to mention: @stanhu @abellucci