GetEncryptedDataKeyByKMSMasterKeyID constructs a mapping {MasterKeyID : EncryptedDataKey} for each KMS URI provided during a full BACKUP.

GetEncryptedDataKeyFromURI returns the encrypted data key from the KMS specified by kmsURI.

GetEncryptionFromBase retrieves the encryption options of the base backup.

GetEncryptionInfoFiles reads the ENCRYPTION-INFO files from external storage.

GetEncryptionKey returns the decrypted plaintext data key to be used for encryption.

MakeBackupKMSEnv returns an instance of `BackupKMSEnv` that defines the environment in which KMS is configured and used.

MakeNewEncryptionOptions returns a new jobspb.BackupEncryptionOptions based on the passed in encryption parameters.

NewEncryptedDataKeyMap returns a new EncryptedDataKeyMap.

NewEncryptedDataKeyMapFromProtoMap constructs an EncryptedDataKeyMap from the passed in protoDataKeyMap.

ReadEncryptionOptions takes in a backup location and tries to find and return all encryption option files in the backup.

ValidateKMSURIsAgainstFullBackup ensures that the KMS URIs provided to an incremental BACKUP are a subset of those used during the full BACKUP.

WriteEncryptionInfoIfNotExists writes EncryptionInfo to external storage.

WriteNewEncryptionInfoToBackup writes a versioned ENCRYPTION-INFO file to external storage.

BackupOptEncKMS is the option name in a BACKUP statement to specify a KMS URI for encryption.

BackupOptEncPassphrase is the option name in a BACKUP statement to specify a passphrase for encryption.

ErrEncryptionInfoRead is a special error returned when the ENCRYPTION-INFO file is not found.

BackupKMSEnv is the environment in which a backup with KMS is configured and used.