S3 Resilience & Backups

The FigChain S3 Resilience layer keeps your clients running on their mission-critical configuration even when the FigChain API is unreachable, and it does so while keeping the data under your control. It is a zero-trust design: backups are encrypted to a key pair that only you hold, so FigChain cannot read or decrypt your configuration data.

Core Guarantees

Zero Trust Encryption
  What it is: Every configuration backup is encrypted to a public key whose private half only you possess. FigChain writes the ciphertext into your S3 bucket but never holds the decryption key.
  Benefit: Removes the vendor-insider and bucket-compromise risks. Neither FigChain nor an attacker who obtains the bucket contents can read your configuration data.

High Availability (HA)
  What it is: Client applications fail over automatically to a blob storage mirror (e.g., S3) when the FigChain API cannot be reached.
  Benefit: Pod restarts and application reloads do not fail because of an internet outage or an outage of FigChain's infrastructure.

Hybrid Bootstrapping
  What it is: Clients combine the backup in the blob store with the live FigChain API without manual intervention.
  Benefit: The fastest available recovery with the freshest available data, minimizing operational disruption.

Zero-Trust Security: How It Works

The S3 Resilience layer uses asymmetric envelope encryption (a hybrid scheme: a symmetric key for the bulk data, an asymmetric key to protect that symmetric key) so that your data stays private in the cloud.

  1. Key Generation: Your client application generates an asymmetric key pair (public key and private key). The private key stays in your environment; only the public key is shared with FigChain.
  2. Server Action (The Envelope): When a backup is triggered, the FigChain service generates a random, single-use symmetric data key and uses it to encrypt the configuration payload (symmetric encryption is the fast part, suited to large payloads). It then encrypts that data key with your public key; the wrapped data key is the "envelope".
  3. Storage: FigChain writes the encrypted payload and the wrapped data key to the blob store. The data key is never stored in the clear, and FigChain never holds your private key.
  4. Client Decryption: When your client needs the backup, it downloads both parts and reverses the process: first it unwraps the data key with its local private key, then it decrypts the payload with that data key.

The result: the decrypted backup never leaves your environment. Because the only key that can unwrap the data key is the private key you hold, FigChain cannot decrypt the data it stores on your behalf. Two caveats follow from the design: the guarantee is only as strong as the custody of your private key (keep it in a secrets manager or HSM, not next to the application configuration), and a lost private key makes every existing backup unrecoverable, so key backup and rotation have to be part of the deployment plan.
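The four steps above, carried through in Go as an added example. This is not FigChain's code or storage format: the Envelope layout, the OAEP label and the choice of AES-256-GCM with RSA-OAEP(SHA-256) are this example's assumptions, chosen because both are standard-library primitives. Seal is the server-side step and needs only the public key; Open is the client-side step and is the only place the private key is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the wrapped key to this purpose (hypothetical value; an
// assumption of this example, not a FigChain constant).
var oaepLabel = []byte("backup-data-key")

// Envelope is what the bucket would hold: the encrypted payload plus the data
// key wrapped to the client's public key. The layout is this example's own.
type Envelope struct {
	WrappedKey []byte // 256-bit data key, RSA-OAEP(SHA-256) under the public key
	Nonce      []byte // AES-GCM nonce, unique per data key
	Ciphertext []byte // AES-256-GCM ciphertext and tag of the payload
}

// Seal is the server side (step 2): it needs only the public key. A fresh
// data key encrypts the payload with AES-256-GCM, then RSA-OAEP wraps that key.
func Seal(pub *rsa.PublicKey, payload []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}
	env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	// The plaintext data key is not needed after wrapping; zero it so the server
	// side does not keep a copy beyond this call.
	for i := range dataKey {
		dataKey[i] = 0
	}
	return env, nil
}

// Open is the client side (step 4): unwrap the data key with the private key,
// then decrypt the payload. A wrong key or any tampering with the stored bytes
// fails here instead of yielding a corrupted configuration.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("envelope: bad nonce length %d", len(env.Nonce))
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt payload: %w", err)
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 3072) // step 1: generated and kept by the client
	if err != nil {
		panic(err)
	}
	payload := []byte(`{"db_host":"10.0.0.5","feature_x":true}`) // constructed sample config
	env, err := Seal(&priv.PublicKey, payload)                   // server side, public key only
	if err != nil {
		panic(err)
	}
	restored, err := Open(priv, env) // client side, private key never leaves here
	fmt.Println(string(restored), err)
}
```

The two properties worth checking in a real deployment are the ones this shape gives for free: a different private key cannot unwrap the data key, and a flipped byte anywhere in the stored ciphertext makes the GCM tag check fail rather than silently returning a modified configuration.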

When it is necessary

Normally, your client application does not need to touch the S3 backups. It retrieves the latest configuration from the FigChain API once during bootstrap and then listens for changes in real time through server push notifications.

The S3 Resilience layer matters when your client application cannot reach the FigChain API, for example when it is offline or during a network outage. By storing the backup in a bucket in the same region as your client application, you make sure the client can still bootstrap without the API. As soon as the transient issue is resolved, the client resumes normal operation through the FigChain API.

Your application can also be configured to prefer bootstrapping from the S3 backup (the server-first, hybrid and backup modes), which can reduce bootstrap latency because the regional bucket is closer to the client than the FigChain API.
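An added example, not FigChain's client code, of the bootstrap decision the two paragraphs above describe. The mode names come from the page; what each mode does, the Snapshot and Source types, and the version-based merge for the hybrid mode are assumptions of this example. The point it shows that the text does not is the failure handling: which source answers, what happens when one or both are unreachable, and how a stale backup is prevented from overriding fresher API data.

```go
package main

import (
	"errors"
	"fmt"
)

// Mode names follow the page; the behaviour of each is this example's
// assumption, not a description of the FigChain client.
type Mode int

const (
	ServerFirst Mode = iota // FigChain API first; the backup only if the API is unreachable
	BackupFirst             // backup first for lowest latency; the API only if the backup fails
	Hybrid                  // read both and combine them, so the client starts on the freshest data
)

// Snapshot is a versioned set of configuration keys. Version is a revision
// counter so that an older backup never overrides fresher API data.
type Snapshot struct {
	Version int
	Values  map[string]string
}

// Source fetches a snapshot; an error means the source is unreachable.
type Source func() (*Snapshot, error)

var ErrNoSource = errors.New("bootstrap: neither the API nor the backup is reachable")

// Bootstrap returns the snapshot the client should start from and the name of
// the source(s) used, so that a fallback to the backup can be logged and alerted on.
func Bootstrap(mode Mode, api, backup Source) (*Snapshot, string, error) {
	switch mode {
	case ServerFirst:
		return firstReachable(api, "api", backup, "backup")
	case BackupFirst:
		return firstReachable(backup, "backup", api, "api")
	case Hybrid:
		base, berr := backup()
		live, aerr := api()
		switch {
		case berr != nil && aerr != nil:
			return nil, "", ErrNoSource
		case berr != nil:
			return live, "api", nil
		case aerr != nil:
			return base, "backup", nil
		}
		return merge(base, live), "backup+api", nil
	}
	return nil, "", fmt.Errorf("bootstrap: unknown mode %d", mode)
}

func firstReachable(a Source, aName string, b Source, bName string) (*Snapshot, string, error) {
	if s, err := a(); err == nil {
		return s, aName, nil
	}
	if s, err := b(); err == nil {
		return s, bName, nil
	}
	return nil, "", ErrNoSource
}

// merge overlays the higher-versioned snapshot on the lower-versioned one, so
// a stale backup can never win over fresher API data. Keys present only in the
// older snapshot are kept, which assumes the API may return a partial update
// during recovery; if the API always returns a full snapshot, use the newer one
// alone so that keys deleted upstream are not resurrected from the backup.
func merge(a, b *Snapshot) *Snapshot {
	older, newer := a, b
	if a.Version > b.Version {
		older, newer = b, a
	}
	out := &Snapshot{Version: newer.Version, Values: map[string]string{}}
	for k, v := range older.Values {
		out.Values[k] = v
	}
	for k, v := range newer.Values {
		out.Values[k] = v
	}
	return out
}

func main() {
	// Constructed sources: the API times out, the regional bucket answers.
	apiDown := func() (*Snapshot, error) { return nil, errors.New("dial tcp: i/o timeout") }
	backup := func() (*Snapshot, error) {
		return &Snapshot{Version: 7, Values: map[string]string{"db_host": "10.0.0.5"}}, nil
	}
	s, src, err := Bootstrap(ServerFirst, apiDown, backup)
	fmt.Println(src, s.Version, s.Values, err)
}
```

Whatever the client library does internally, the returned source name is the thing to put in logs and metrics: a pod that bootstraps from "backup" in server-first mode is a signal that the API path is broken, and a fleet doing so is the outage the page describes.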

The configuration keys for this feature use the backup_ prefix (e.g., backup_bucket, backup_enabled). When configuring your client, please refer to the "S3 Resilience (Backups)" section in the configuration guide.