Encryption at rest EARLY ACCESS

Encrypt your YugabyteDB cluster

For added security, you can encrypt your clusters (including backups) using a customer managed key (CMK) residing in a cloud provider Key Management Service (KMS). You grant YugabyteDB Managed access to the key with the requisite permissions to perform cryptographic operations using the key to secure the databases in your clusters.

You can enable YugabyteDB EAR for a cluster as follows:

  • On the Security page of the Create Cluster wizard when you create your cluster.
  • On the cluster Settings tab under Encryption at rest (database version 2.16.7 and later only).

Note that, regardless of whether you enable YugabyteDB EAR for a cluster, YugabyteDB Managed uses volume encryption for all data at rest, including your account data, your clusters, and their backups. Data is AES-256 encrypted using native cloud provider technologies - S3 and EBS volume encryption for AWS, Azure disk encryption, and server-side and persistent disk encryption for GCP. Volume encryption keys are managed by the cloud provider and anchored by hardware security appliances.

Limitations

  • You can't enable cluster EAR on clusters with YugabyteDB versions earlier than 2.16.7.
  • Currently, Azure is not supported for CMKs.

Enabling EAR can impact cluster performance. You should monitor your workload after enabling this feature.

Prerequisites

  • Single-region symmetric encryption key created in AWS KMS. The key resource policy should include the following actions:
    • kms:Encrypt
    • kms:Decrypt
    • kms:GenerateDataKeyWithoutPlaintext
    • kms:DescribeKey
    • kms:ListAliases
  • Amazon Resource Name (ARN) of the CMK. For more information, refer to Amazon Resource Names in the AWS documentation.
  • An access key for an IAM identity with permission to encrypt and decrypt using the CMK. An access key consists of an access key ID and the secret access key. For more information, refer to Managing access keys for IAM users in the AWS documentation.

For more information on AWS KMS, refer to AWS Key Management Service in the AWS documentation.

  • CMK (AKA customer-managed encryption key or CMEK) created in Cloud KMS.
  • Cloud KMS resource ID. You can copy the resource ID from KMS Management page in the Google Cloud console. Do not include the key version. For more information, refer to Getting a Cloud KMS resource ID in the GCP documentation.
  • A service account that has been granted the following permissions on the CMK:
    • cloudkms.keyRings.get
    • cloudkms.cryptoKeys.get
    • cloudkms.cryptoKeyVersions.useToEncrypt
    • cloudkms.cryptoKeyVersions.useToDecrypt
    • cloudkms.locations.generateRandomBytes
  • Service account credentials. These credentials are used to authorize your use of the CMK. This is the key file (JSON) that you downloaded when creating credentials for the service account. For more information, refer to Create credentials for a service account in the GCP documentation.

For more information on GCP KMS, refer to Cloud Key Management Service overview in the GCP documentation.

Encrypt a cluster using a CMK

You can enable EAR using a CMK for clusters in AWS and GCP (database version 2.16.7 and later only) as follows:

  1. On the cluster Settings tab, select Encryption at rest.

  2. Click Enable Cluster Encryption at Rest.

  3. For AWS, provide the following details:

    • Customer managed key (CMK): Enter the Amazon Resource Name (ARN) of the CMK to use to encrypt the cluster.
    • Access key: Provide an access key of an IAM identity with permissions for the CMK. An access key consists of an access key ID and the secret access key.

    For GCP:

    • Resource ID: Enter the resource ID of the key ring where the CMK is stored.
    • Service Account Credentials: Click Add Key to select the credentials JSON file you downloaded when creating credentials for the service account that has permissions to encrypt and decrypt using the CMK.

  4. Click Save.

YugabyteDB Managed validates the key and, if successful, starts encrypting the data. Only new data is encrypted with the new key. Old data remains unencrypted until compaction churn triggers a re-encryption with the new key.

To disable cluster EAR, click Disable Encryption at Rest. YugabyteDB Managed uses lazy decryption to decrypt the cluster.

Rotate your CMK

Deleting your CMK

If you delete a CMK, you will no longer be able to decrypt clusters encrypted using the key. Before deleting a CMK, make sure that you no longer need it. Retain all CMKs used to encrypt data in backups and snapshots.

To rotate the CMK used for EAR, do the following:

  1. On the cluster Settings tab, select Encryption at rest.

  2. Click Edit CMK Configuration.

  3. For AWS, provide the following details:

    • Customer managed key (CMK): Enter the Amazon Resource Name (ARN) of the new CMK to use to encrypt the cluster.
    • Access key: Provide an access key of an IAM identity with permissions for the CMK. An access key consists of an access key ID and the secret access key.

    For GCP:

    • Resource ID: Enter the resource ID of the key ring where the new CMK is stored.
    • Service Account Credentials: Click Add Key to select the credentials JSON file you downloaded when creating credentials for the service account that has permissions to encrypt and decrypt using the CMK.

  4. Click Save.

YugabyteDB Managed uses lazy decryption and encryption to encrypt the cluster using the new key.