Database-level Encryption
Note
Database-level Encryption at Rest is only supported for AWS deployments.
In ScyllaDB Cloud, your data is always encrypted on the storage-level by a cloud provider, such as AWS. In addition, database-level encryption is automatically enabled for all new clusters.
This page describes database-level encryption in ScyllaDB Cloud.
Database-level encryption is a method of encrypting all data before it is stored in the database. In ScyllaDB Cloud, database-level encryption is extended with Customer Managed Keys (CMK) encryption control. This ensures that the data is securely stored – and the customer manages the key. The keys are stored and protected separately from the database, creating separation of privileges.
ScyllaDB Cloud provides full database-level encryption using the Customer Managed Keys (CMK) concept. It is based on envelope encryption to encrypt the data and decrypt only when the data is needed. A key quality of CMK is that the customer has full control of the encryption keys. The data encryption keys (DEK) used to encrypt the data are encrypted with customer keys; if the customer revokes access to them, the data cannot be decrypted until the access is restored.
The customer can:
Revoke data access at any time
Restore data access at any time
Manage the master keys needed for decryption
Log all access attempts to keys and data
Customers can also delegate all key management operations to ScyllaDB Cloud by choosing the ScyllaDB key option when creating a cluster. To ensure customer data is secure and adheres to all privacy regulations, we encrypt the data by default. ScyllaDB Cloud encryption uses the symmetric algorithm AES-128 by default. You can increase the strength to AES-256.
Encryption
To ensure all user data is protected, ScyllaDB encrypts:
All user tables
Commit logs
Batch logs
Hinted handoff data
This ensures all customer data is properly encrypted.
The first step of the encryption process is to encrypt every record with a data encryption key (DEK). Once the data is encrypted, the DEK itself is sent to AWS KMS, where the master key (MK) resides. The DEK is encrypted with the master key, producing an encrypted DEK (EDEK, also called a wrapped key).
The master key remains in the KMS, while the EDEK is returned and stored with the data. The DEK used to encrypt the data is destroyed to ensure data protection. A new DEK will be generated the next time new data needs to be encrypted.
Decryption
Because the original, unencrypted DEK was destroyed when the EDEK was produced, the data cannot be decrypted directly. The EDEK stored with the data has to be unwrapped first, and that again requires the master key: the EDEK can only be decrypted with the master key (MK) held in the KMS.
Once the DEK is unwrapped, the data can be decrypted. The data cannot be decrypted without the master key, which is protected at all times in the KMS and cannot be “copied” outside of KMS. By revoking the master key, the customer can disable access to the data independently from the database or application authorization.
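The envelope-encryption flow described in the Encryption and Decryption sections above, written out as an added Go example that is not ScyllaDB's or AWS's code. kmsStub is a constructed stand-in for AWS KMS (the MK never leaves it, and callers only get GenerateDataKey and Decrypt), AES-GCM is used both to wrap the DEK and to encrypt the record (a simplification; the wrapping algorithm inside real KMS is not described on this page), and all key material, names and the sample row are made up. It shows the points the text makes: a fresh DEK per record, the plaintext DEK destroyed after use, only the EDEK stored beside the ciphertext, and decryption failing once access to the master key is revoked and working again once it is restored. A 16-byte DEK gives the page's AES-128 default; 32 bytes gives AES-256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// kmsStub is a constructed stand-in for AWS KMS, not the AWS API: the master
// key (MK) never leaves it; callers only get GenerateDataKey and Decrypt.
type kmsStub struct {
	master  []byte // the MK, held only inside the "KMS"
	revoked bool   // simulates the customer revoking access to the MK
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a crypto/rand failure is not recoverable here
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-GCM and prepends the random nonce to the output.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal; a wrong key or a tampered blob fails to authenticate.
func aeadOpen(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("blob too short")
}

// GenerateDataKey returns a fresh DEK together with its wrapped form (EDEK).
func (k *kmsStub) GenerateDataKey(dekBytes int) (dek, edek []byte, err error) {
	if k.revoked {
		return nil, nil, errors.New("kms: access to master key revoked")
	}
	dek = randomBytes(dekBytes)
	edek, err = aeadSeal(k.master, dek)
	return dek, edek, err
}

// Decrypt unwraps an EDEK back into its DEK; refused once access is revoked.
func (k *kmsStub) Decrypt(edek []byte) ([]byte, error) {
	if k.revoked {
		return nil, errors.New("kms: access to master key revoked")
	}
	return aeadOpen(k.master, edek)
}

// EncryptRecord: fresh DEK per record (16 bytes = AES-128, 32 = AES-256),
// encrypt, destroy the plaintext DEK, return only what is stored: EDEK and ciphertext.
func EncryptRecord(k *kmsStub, plaintext []byte, dekBytes int) ([]byte, []byte, error) {
	dek, edek, err := k.GenerateDataKey(dekBytes)
	if err != nil {
		return nil, nil, err
	}
	ct, err := aeadSeal(dek, plaintext)
	clear(dek) // destroy the plaintext DEK; only the EDEK survives
	return edek, ct, err
}

// DecryptRecord: the KMS unwraps the stored EDEK, then the DEK decrypts the data.
func DecryptRecord(k *kmsStub, edek, ct []byte) ([]byte, error) {
	dek, err := k.Decrypt(edek)
	if err != nil {
		return nil, err
	}
	defer clear(dek) // the unwrapped DEK lives only for this call
	return aeadOpen(dek, ct)
}

func main() {
	kms := &kmsStub{master: randomBytes(32)}
	edek, ct, _ := EncryptRecord(kms, []byte("constructed sample row"), 16)
	pt, err := DecryptRecord(kms, edek, ct)
	kms.revoked = true // the customer revokes access to the MK
	_, errRevoked := DecryptRecord(kms, edek, ct)
	fmt.Printf("decrypted: %q (err %v); after revocation: %v\n", pt, err, errRevoked)
}
```

Note that the revocation check sits inside the stub, not in the application: that is what lets the customer cut off access independently of database or application authorization, exactly as the text says. Because AES-GCM authenticates the EDEK, a modified EDEK or a different master key is rejected rather than yielding a wrong DEK.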
Note
AWS KMS will charge you an additional fee for managing your key.
ScyllaDB keys provide the same level of protection, but our support team helps you manage the master keys.
When you create a cluster, the encryption using ScyllaDB keys is applied by default. Note that using ScyllaDB keys does not incur additional costs.
Configuring Database-level Encryption
Note
You must have the Admin role to add, use, and delete encryption keys. See User Roles for details.
When you create a new cluster, you can configure which key will be used to encrypt data. Select one of the following in the Database-level Encryption (CMK) section:
ScyllaDB Key (default) - Your cluster data will be encrypted with a key provided by ScyllaDB. No further action is required on your side, as encryption at rest will be managed by ScyllaDB Cloud.
Customer Key - Your cluster data will be encrypted with a key stored in Key Management Service (KMS) on AWS. You need to provide the key you want to use for encryption: select a key from the drop-down (if available) or click Create new key to add a new key to your account.
See Create customer key for instructions on adding your own key to your ScyllaDB Cloud account.
After the cluster is created, the cluster details page shows that encryption at rest is enabled.

Create Customer Key
Available with the Premium plan
For encryption, you can use a customer-managed encryption key stored in your own Key Management Service (KMS) on AWS. The customer key is never stored in or accessible to ScyllaDB Cloud; it is used only to encrypt the database encryption key (DEK).
To encrypt stored data with your customer encryption key, you need to:
Add a reference to your key to your ScyllaDB Cloud account.
Provide the key reference (Customer Key) when creating a new cluster. See Enable Database-level Encryption.
Encryption with Multiple Data Centers
When you add one or more new DC (data center), your key will be replicated across the DCs you added.
Adding new data centers to the ScyllaDB cluster will create additional local keys in those regions. All customer managed keys support multi-region, and a copy of each key resides locally in each region – ensuring those multi-regional setups are protected from regional outages for the cloud provider or against any disaster.
The keys are available in the same region as the data center and can be controlled independently.
Add Your Key to ScyllaDB Cloud
To add your CMK to ScyllaDB Cloud:
Go to Managed Resources via the drop-down in the top right corner, next to your username.
Open the Customer Managed Key tab.
Click Add Key to open the Add Key pop-up.
Ensure the Provider drop-down shows AWS Amazon Web Services.
Select the region where the key will be valid using the Region drop-down (the default is US East (N. Virginia)).
Click Set Key to store the key entry in ScyllaDB Cloud and display the summary pop-up.
Note that the key is not ready for use yet. You need to proceed to provision the key in AWS.
Click Launch Stack in the summary pop-up to open the AWS CloudFormation stack in a new tab and provision your key in the AWS KMS store.
Once the key is created, go back to ScyllaDB Cloud and click I’m done provisioning in the pop-up.
You can provide the new encryption key when creating a cluster in the selected region. Once you complete the cluster deployment, the encryption at rest icon will be enabled in your cluster status.
Reviewing and Managing Your Keys
You can review the list of your customer keys that you added to ScyllaDB Cloud on the Security page. The Customer Managed Key section will show the following information:
Key Alias - The key alias you provided in the CloudFormation stack. If not provided, the key ID will be displayed.
Provider - Your cloud provider name.
Region - The region where the key is valid.
Date Added - The date when the key entry was added to ScyllaDB Cloud.
Status - The status of the key in ScyllaDB Cloud:
Available - The key is added to ScyllaDB Cloud and provisioned in AWS. You can use it when creating a new cluster.
Pending Action - The key has not been provisioned or deleted in the cloud provider’s stack.
Pending provision - The key was added to ScyllaDB Cloud, but it was not provisioned in AWS. You can click the Launch Stack link next to the status to open the CloudFormation stack and provision the key.
Pending deletion - The key was decommissioned and then deleted in ScyllaDB Cloud, but not in AWS. You can click the Delete Stack link next to the status to open the CloudFormation stack and delete the key.
In Use - The key is in use by an existing cluster. You can click the Cluster Name link next to the status to view the information about the cluster.
Decommissioned - The key was used on a cluster that was deleted (the key cannot be reused).
You can use the trash icon to delete any key that is not in use.