Enterprise Overview
OSO Kafka Backup Enterprise extends the open-source core with features for organizations with advanced security, compliance, and operational requirements. The enterprise binary is a drop-in replacement for the OSS version — it includes all open-source functionality plus enterprise features gated by a license file at runtime.
Install the enterprise binary and get a 14-day free trial with no signup required. See the Enterprise Installation Guide for Homebrew, Docker, and binary download instructions.
Enterprise vs. Open Source
| Feature | Open Source | Enterprise |
|---|---|---|
| Core backup/restore | Yes | Yes |
| All storage backends (S3, Azure, GCS, filesystem) | Yes | Yes |
| Point-in-time recovery (PITR) | Yes | Yes |
| Compression (Zstd, LZ4) | Yes | Yes |
| Kafka SASL/TLS authentication | Yes | Yes |
| Consumer offset management | Yes | Yes |
| Three-phase restore | Yes | Yes |
| Confluent Schema Registry backup/restore | - | Yes |
| Apicurio Registry v3 backup/restore | - | Yes |
| Confluent RBAC backup/restore (MDS) | - | Yes |
| MSK ZooKeeper to KRaft migration | - | Yes |
| Field-level encryption (CSFLE/DEK) | - | Yes |
| Data masking | - | Planned |
| Audit logging | - | Planned |
| WebAssembly plugins | - | Planned |
| Priority support | Community | 24/7 SLA |
Implemented Enterprise Features
MSK ZooKeeper to KRaft Migration
Migrate AWS MSK clusters from ZooKeeper mode to KRaft mode with a short coordinated producer freeze. The tool handles the entire lifecycle — topic replication through S3, ACL migration with drift handling, consumer group offset translation for message continuity, and a cryptographically signed evidence bundle that proves the migration succeeded.
- Journaled migration pipeline: plan → precheck → execute → cutover → finalize
- Offset continuity — consumers resume from translated target offsets
- Cross-auth implementation (SCRAM → IAM, mTLS → IAM, etc.; rehearse IAM paths in staging)
- ACL migration with merge/replace/refuse drift policies
- 5-check automated validation (topic parity, record counts plus offset-floor guard, spot-check, sentinels, consumer groups)
- Ed25519-signed evidence bundle for compliance and audit
- Rollback capability (pre-cutover) and resume after failure
planandprecheckare free — no license needed
Learn more about MSK KRaft Migration
Confluent Schema Registry Backup & Restore
Back up and restore Confluent Schema Registry schemas alongside your Kafka data. Without schema backup, restored messages become unreadable — consumers fail with Schema ID not found errors.
- Back up all subjects, versions, and compatibility settings via the REST API
- Support for Avro, JSON Schema, and Protobuf
- Glob-based subject filtering (include/exclude patterns)
- Reference dependency resolution (topological sort)
- Schema-only backup mode (
--schema-only) - Restore strategies: preserve, overwrite, skip
- Schema ID rewriting for cross-environment migration
Learn more about Schema Registry
Apicurio Registry v3 Backup & Restore
Back up Apicurio Registry — the open-source, Apache 2.0-licensed schema and API registry. Supports all 9 Apicurio artifact types and captures the complete registry state for disaster recovery.
- Full Core Registry API v3 client (Groups, Artifacts, Versions, Admin Export/Import)
- Native export ZIP capture (
/admin/export) as primary backup artifact - Artefact-by-artefact structured backup alongside the ZIP
- All 9 artifact types: Avro, Protobuf, JSON Schema, OpenAPI, AsyncAPI, GraphQL, KCONNECT, WSDL, XSD
- Rules backup at 3 scopes: global, group, and artifact (COMPATIBILITY, VALIDITY, INTEGRITY)
- Group and artifact glob filtering (include/exclude patterns)
- Cross-artifact reference resolution (topological sort)
- OIDC/Keycloak, mTLS, and Basic authentication
- Both Confluent SR and Apicurio can be configured simultaneously
Confluent RBAC Backup (MDS)
Back up Confluent Platform RBAC role bindings from the Metadata Service (MDS). After a DR event, RBAC bindings must be manually recreated — turning a 30-minute data restore into a multi-day exercise. This feature captures the complete security posture as a snapshot.
- Full enumeration of all role bindings across all cluster scopes
- Covers Kafka, Connect, Schema Registry, ksqlDB, and Flink scopes
- 5-tier restore ordering (Bootstrap, Component, Admin, Owner, Developer)
- Bearer token authentication with auto-refresh
- Rate-limited MDS API calls (12 RPS default, respecting the 15 RPS limit)
- Principal filtering with glob patterns
Learn more about Confluent RBAC Backup
Field-Level Encryption Backup
Back up encryption metadata from Confluent's Client-Side Field-Level Encryption (CSFLE) system, including Key Encryption Keys (KEKs) and Data Encryption Keys (DEKs) from the DEK Registry.
- KEK and DEK inventory capture
- Encrypted subject detection
- Works alongside Schema Registry backup (DEK Registry is a sub-API of SR)
Licensing
Enterprise features are gated by Ed25519-signed license files that are validated offline — no network calls, no license server. A 14-day free trial activates automatically on first run — no signup required. Licenses encode customer information, feature flags, cluster limits, and expiry dates.
How It Works
The enterprise binary is a drop-in replacement for the OSS binary. When you add an enterprise: section to your config YAML, the corresponding enterprise features activate — provided a valid license is present.
# Standard OSS config at root level (unchanged)
mode: backup
backup_id: daily-2026-04-06
source:
bootstrap_servers: ["kafka:9092"]
storage:
backend: s3
bucket: kafka-backups
# Enterprise features are optional — add only what you need
enterprise:
schema_registry:
url: "https://schema-registry:8081"
auth:
type: basic
username: ${SR_USERNAME}
password: ${SR_PASSWORD}
apicurio_registry:
url: "https://apicurio:8080"
auth:
type: oidc
token_url: https://keycloak:8443/realms/registry/protocol/openid-connect/token
client_id: ${APICURIO_CLIENT_ID}
client_secret: ${APICURIO_CLIENT_SECRET}
confluent_rbac:
mds_url: "https://mds:8090"
auth:
username: ${MDS_USERNAME}
password: ${MDS_PASSWORD}
msk_kraft_migration:
source:
cluster_arn: arn:aws:kafka:us-east-1:123456789012:cluster/prod-zk/abc-123
auth: { mode: iam }
target:
cluster_arn: arn:aws:kafka:us-east-1:123456789012:cluster/prod-kraft/def-456
auth: { mode: iam }
backup:
s3_bucket: migration-segments
s3_prefix: replay/
evidence:
s3_bucket: migration-evidence
s3_prefix: migrations/
If no enterprise: section is present, the binary operates identically to the OSS version. If enterprise features are configured but no license is found, the tool logs a warning and continues without the enterprise features — it never blocks your backup.
Getting Started
- Install the enterprise binary (Homebrew, Docker, or binary download)
- Run — the 14-day free trial activates automatically, no signup needed
- Add the
enterprise:section to your config - After the trial, buy a license or request a 30-day extended trial
- Apply the license:
kafka-backup license apply --file license.lic