Encryption at Rest
Attention
This page documents an earlier version. Go to the latest (v2.3) version.This page describes how to enable and disable encryption at rest in a YugabyteDB cluster with a user generated key.
Enabling encryption
Step 1. Create encryption key
First, we will generate the universe key data. This data can have length 32, 40, or 48. Larger keys are slightly more secure with slightly worse performance. Run the following on your local filesystem.
$ openssl rand -out universe_key [ 32 | 40 | 48 ]
Step 2. Copy key to master nodes
In this example, we assume a 3 node RF=3 cluster with addresses ip1, ip2, ip3. Copy the universe key onto each master filesystem, in the same location on every node.
$ for ip in ip1 ip2 ip3
do
scp -i <ssh_key> -P 54422 universe_key ip:/mnt/d0/yb-data/master
done
Note
The key can live in any subdir of the master dir, as long as it lives in the same place on each node. In addition, the data dir may vary depending on how the cluster is created.Step 3. Enable cluster-wide encryption
Use yb-admin to tell the cluster about the new universe key.
$ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 rotate_universe_key
/mnt/d0/yb-data/master/universe_key
Note
Because data is encrypted in the background as part of flushes to disk and compactions, only new data will be encrypted. Therefore, the call should return quickly.Step 4. Verify encryption enabled
To check the encryption status of the cluster, run the following yb-admin command.
$ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 is_encryption_enabled
Encryption status: ENABLED with key id <key_id>
Rotating a new key
Step 1. Creating a new key
First we create the key to be rotated.
$ openssl rand -out universe_key_2 [ 32 | 40 | 48 ]
Note
The new key name must be distinct from the previous key name.Step 2. Copy new key to master nodes
As with enabling, copy the universe key onto each master filesystem, in the same location on every node.
$ for ip in ip1 ip2 ip3
do
scp -i <ssh_key> -P 54422 universe_key ip:/mnt/d0/yb-data/master/
done
Step 3. Rotate key
Use yb-admin to tell the cluster about the new universe key.
$ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 rotate_universe_key
/mnt/d0/yb-data/master/universe_key_2
Step 4. Verify new key
Check that the new key is encrypting the cluster.
$ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 is_encryption_enabled
Encryption status: ENABLED with key id <key_id_2>
<key_id_2> should be different from the previous <key_id>.
Disable encryption
Step 1. Disable cluster-wide encryption
Use yb-admin to disable encryption.
$ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 disable_encryption
Step 2. Verify encryption disabled
Check that encryption is disabled.
$ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 is_encryption_enabled
Encryption status: DISABLED