Backup to RA, Archive-to-Cloud Storage Flow

On the left are icons representing on-premises databases. In the middle is the Recovery Appliance. Below the Recovery Appliance is the OKV server. To the right are icons representing storage in the cloud and then archive storage.

Step 1 is an arrow from the databases to the Recovery Appliance. Step 2 is an arrow from the Recovery Appliance to the OKV server, while step 3 is an arrow back from the OKV server to the Recovery Appliance. Step 4 is an arrow from the Recovery Appliance to the storage repository in the cloud; the arrow has a lock on it to indicate encryption. Step 5 is an arrow from cloud storage to archive storage.

  1. A backup of the database (as incrementals) is performed regularly to the Recovery Appliance.

  2. The Recovery Appliance requests a client master key from the OKV server.

  3. The OKV server returns the client's master key. If one doesn't exist for the client, a new master key is generated. (A new master key can be generated whenever desired.)

    1. A data encryption key (DEK) is generated for the backup object(s).

    2. The backup objects are encrypted using the DEK.

    3. Using the master key, the Recovery Appliance encrypts the DEK and stores this with the backup object.

  4. The protection policy for a given database determines if and when its backup objects are written to tape or cloud storage.

  5. The tiering policy of the object storage container determines if and when a backup object in cloud storage moves from object storage to archive storage. The Recovery Appliance does not control this.
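
The key hierarchy in steps 2 and 3, sketched as an added example that is not Oracle's code or the Recovery Appliance's implementation. `KeyServer` is a hypothetical stand-in for the OKV server, the HMAC-SHA256 stream cipher stands in for the appliance's real cipher so the block runs on the standard library alone, and the `key_id` field stored with each object is an assumption that lets a restore find the right master key after a new one is generated.

```python
import hashlib, hmac, secrets

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as a keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag, with separate derived keys.
    enc_k = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_k = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    body = nonce + _stream_xor(enc_k, nonce, plaintext)
    return body + hmac.new(mac_k, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_k = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_k = hmac.new(key, b"mac", hashlib.sha256).digest()
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_k, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return _stream_xor(enc_k, body[:16], body[16:])

class KeyServer:
    """Hypothetical stand-in for the OKV server: one current master key per client."""
    def __init__(self):
        self.keys, self.current = {}, {}          # key_id -> key, client -> key_id
    def master_key(self, client: str, rotate: bool = False):
        if rotate or client not in self.current:  # step 3: create when absent
            key_id = f"{client}-{secrets.token_hex(4)}"
            self.keys[key_id] = secrets.token_bytes(32)
            self.current[client] = key_id
        return self.current[client], self.keys[self.current[client]]

def archive(ks: KeyServer, client: str, backup: bytes) -> dict:
    key_id, mk = ks.master_key(client)            # steps 2 and 3
    dek = secrets.token_bytes(32)                 # 3.1: fresh DEK per object
    return {"key_id": key_id,                     # assumed field, for lookup on restore
            "wrapped_dek": seal(mk, dek),         # 3.3: DEK encrypted with master key
            "data": seal(dek, backup)}            # 3.2: object encrypted with DEK

def restore(ks: KeyServer, obj: dict) -> bytes:
    dek = unseal(ks.keys[obj["key_id"]], obj["wrapped_dek"])
    return unseal(dek, obj["data"])
```

Objects archived before a new master key is generated stay wrapped under the earlier key, so in this sketch a restore succeeds only while the key server still holds that key.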