Chapter 2:

Technical Implementation of Sovereign Recovery

Sovereignty is only proven when a restoration can be completed independently of the primary provider's control plane.

A. Customer-Managed Encryption Boundaries

  • HYOK Integration: Ensure backups are encrypted using Hold Your Own Key (HYOK) architectures where the key management system is external to the cloud provider.
  • Decryption Isolation: Restoration procedures must allow for decryption to occur within the customer's controlled environment, preventing the cloud provider from accessing the key memory.
  • The Percona Advantage: Percona allows organizations to define cryptographic boundaries by supporting external key management systems (EKMS), ensuring encryption is a customer-controlled function.

B. Validating Restoration in Isolation

  • Neutral Environment Testing: Regularly test backup restoration in alternate environments to validate that the organization holds the format, storage location, and recovery procedures required for continuity.
  • Independent Orchestration: Execute recovery using portable automation, such as Kubernetes Operators, that runs on customer-controlled infrastructure.
  • The Percona Advantage: Percona Operators provide declarative, automated lifecycle management, including backups and restores, using open-source code that operates independently of cloud vendor systems.