Hi everyone,
I'm currently using CloudNativePG with the Barman Cloud plugin (v0.5.0) and am interested in implementing client-side encryption for our PostgreSQL backups. I noticed that Barman has GPG encryption support for backups and WAL archiving, which is exactly what we need for regulatory compliance.
However, it appears there's a gap between the server-side Barman tools and the cloud utilities:
- `barman backup` and `barman archive-wal` support `encryption = gpg` (as documented)
- `barman-cloud-backup` and `barman-cloud-wal-archive` only support server-side encryption (AES256, aws:kms)
Current situation:
- We're using Hetzner Object Storage, which only supports SSE-C (Server-Side Encryption with Customer-provided keys)
- Hetzner doesn't support AWS-style AES256 server-side encryption that barman-cloud expects
- This leaves us with no encryption option beyond HTTPS transport and Hetzner's infrastructure encryption
What we need:
Client-side GPG encryption in the barman-cloud tools would solve this perfectly, as:
- It would work with any S3-compatible storage provider (including Hetzner)
- We'd maintain full control over encryption keys
- It provides true zero-trust backup security
Questions:
- Are there plans to add GPG encryption support to `barman-cloud-wal-archive` and `barman-cloud-backup`?
- Is this technically feasible, or are there architectural reasons why cloud tools can't support GPG?
- Is there a timeline or roadmap for this feature?
- Would the community be open to contributions in this area?
Context:
Many organizations are moving to cloud-native PostgreSQL deployments (Kubernetes, CloudNativePG) where the barman-cloud tools are preferred over traditional Barman servers. Having GPG encryption in these tools would greatly expand secure backup options for cloud-native deployments.
Any insights or guidance would be much appreciated!
Thanks!