Note
Database-level Encryption at Rest is only supported for AWS deployments.
Encryption at rest helps to protect data stored on persistent storage or backup. It renders stored data (at rest) unreadable unless a secret encryption key is provided.
In ScyllaDB Cloud, your data is always encrypted on the storage level by a cloud provider, such as AWS. To add another layer of security, we recommend enabling encryption at rest at the database (DB) level.
This page describes how to enable encryption at rest (DB level) in ScyllaDB Cloud.
Note
You must have the Admin role to enable database-level encryption or add, use, and delete encryption keys. See User Roles for details.
You can enable database-level encryption when creating a new cluster:
Enable the Encryption at Rest (DB Level Encryption) checkbox on the New Cluster page when creating your cluster.
Select one of the following:
ScyllaDB Key - Your cluster data will be encrypted with a key provided by ScyllaDB. No further action is required on your side, as encryption at rest will be managed by ScyllaDB Cloud.
Customer Key - Your cluster data will be encrypted with a key stored in Key Management Service (KMS) on AWS. You need to provide the key you want to use for encryption: select a key from the drop-down (if available) or click Create new key to add a new key to your account.
See Bring Your Own Key for instructions on adding your own key to your ScyllaDB Cloud account.
After the cluster is provisioned, you can view the encryption at rest information on the cluster details page.
Note
You cannot enable database-level encryption in existing clusters.
Once you enable database-level encryption when creating a cluster, you cannot disable it.
Available with the Premium plan
You can use a customer-managed encryption key stored in Key Management Service (KMS) on AWS to safeguard data at rest at the DB level. In ScyllaDB Cloud, your customer key is not accessible to ScyllaDB Cloud.
To encrypt stored data with your customer encryption key, you need to:
Add the key to your ScyllaDB Cloud account.
Provide the key (Customer Key) when creating a new cluster. See Enable Database-level Encryption.
When you add one or more new datacenters (DCs) to the cluster, your key will be replicated across the DCs you added.
To add your own encryption key to ScyllaDB Cloud:
Go to Security via the drop-down in the top right corner, next to your username.
In the Bring Your Own Key section, click Add Key to open the Add Key pop-up.
Ensure the Provider drop-down shows AWS Amazon Web Services.
Using the Region drop-down, select the region in which the key will be valid (the default is US East (N. Virginia)).
Click Set Key to store the key entry in ScyllaDB Cloud and display the summary pop-up.
Note that the key is not ready for use yet. You need to proceed to provision the key in AWS.
Click Launch Stack in the summary pop-up to open the AWS CloudFormation stack in a new tab and provision your key in AWS KMS.
Once the key is created, go back to ScyllaDB Cloud and click I’m done provisioning in the pop-up.
You can provide the new encryption key when creating a cluster in the selected region. Once you complete the cluster deployment, the encryption at rest icon will be enabled in your cluster status.
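Before clicking I’m done provisioning, it is worth confirming from the AWS side that the key the stack created is actually usable: it must be in the Enabled state, be a symmetric ENCRYPT_DECRYPT key, and live in the same region you selected in the Add Key pop-up, because a KMS key is bound to its region. The following Python is an added example, not ScyllaDB’s code and not part of the CloudFormation stack; it evaluates the KeyMetadata structure returned by the KMS DescribeKey API over constructed sample responses (account id, key ids and the selected region are placeholders), and the optional fetch_key_metadata helper shows how the same check would be fed from a real account via boto3.

```python
"""Readiness check for a customer-managed AWS KMS key (added example).

Evaluates the KeyMetadata structure that the KMS DescribeKey API returns
(the dict boto3's kms.describe_key() places under "KeyMetadata"). The sample
responses below are constructed; only fetch_key_metadata() talks to AWS.
"""
from dataclasses import dataclass, field

# Region chosen in the ScyllaDB Cloud "Add Key" pop-up (constructed value,
# matching the page's default of US East (N. Virginia)).
SELECTED_REGION = "us-east-1"


@dataclass
class KeyCheck:
    ready: bool
    problems: list = field(default_factory=list)


def arn_region(arn: str) -> str:
    """Extract the region from a KMS key ARN (arn:partition:kms:region:account:key/id)."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[2] != "kms":
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return parts[3]


def check_kms_key(meta: dict, expected_region: str = SELECTED_REGION) -> KeyCheck:
    """Return whether a KMS key is usable for encryption at rest in expected_region."""
    problems = []
    state = meta.get("KeyState")
    if state != "Enabled":
        # Disabled, PendingDeletion, PendingImport, Creating, ... all block use.
        problems.append(f"KeyState is {state!r}, expected 'Enabled'")
    if meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append(f"KeyUsage is {meta.get('KeyUsage')!r}, expected 'ENCRYPT_DECRYPT'")
    # Newer responses carry KeySpec; older ones only CustomerMasterKeySpec.
    spec = meta.get("KeySpec", meta.get("CustomerMasterKeySpec"))
    if spec != "SYMMETRIC_DEFAULT":
        problems.append(f"KeySpec is {spec!r}, expected 'SYMMETRIC_DEFAULT'")
    region = arn_region(meta["Arn"])
    if region != expected_region:
        problems.append(f"key lives in {region}, but was registered for {expected_region}")
    return KeyCheck(ready=not problems, problems=problems)


def deletion_scheduled(meta: dict) -> bool:
    """True once KMS has scheduled the key for deletion (the state a key enters
    after its stack is deleted; it remains there for the waiting period)."""
    return meta.get("KeyState") == "PendingDeletion"


def fetch_key_metadata(key_id: str, region: str) -> dict:
    """Optional live lookup; needs boto3 and AWS credentials (not run here)."""
    import boto3  # imported lazily so the offline checks need no AWS SDK
    client = boto3.client("kms", region_name=region)
    return client.describe_key(KeyId=key_id)["KeyMetadata"]


# Constructed sample responses (account id and key ids are placeholders).
READY_KEY = {
    "KeyId": "11111111-2222-3333-4444-555555555555",
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    "Enabled": True, "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT", "KeySpec": "SYMMETRIC_DEFAULT",
    "Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "MultiRegion": False,
}
# Same key metadata, but the key was created in a different region than the one registered.
WRONG_REGION_KEY = dict(
    READY_KEY,
    Arn="arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555",
)
# A key whose stack was deleted: KMS keeps it in PendingDeletion for the waiting period.
PENDING_DELETION_KEY = dict(READY_KEY, Enabled=False, KeyState="PendingDeletion")


if __name__ == "__main__":
    for name, meta in [("ready", READY_KEY), ("wrong-region", WRONG_REGION_KEY),
                       ("pending-deletion", PENDING_DELETION_KEY)]:
        result = check_kms_key(meta)
        print(name, "READY" if result.ready else "NOT READY", result.problems)
```

The region comparison is the check most often missed: the key entry in ScyllaDB Cloud is tied to the region picked in the Add Key pop-up, and a key created elsewhere will not be usable for a cluster in that region even though it shows up as a perfectly healthy KMS key.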
You can review the list of your customer keys that you added to ScyllaDB Cloud on the Security page. The Bring your own key section will show the following information:
Key Alias - The key alias you provided in the CloudFormation stack. If not provided, the key ID will be displayed.
Provider - Your cloud provider name.
Region - The regions where the key is valid.
Date Added - The date when the key entry was added to ScyllaDB Cloud.
Status - The status of the key in ScyllaDB Cloud:
Available - The key is added to ScyllaDB Cloud and provisioned in AWS. You can use it when creating a new cluster.
Pending Action - The key still requires an action in the cloud provider’s stack: it has not yet been provisioned, or it has not yet been deleted.
Pending provision - The key was added to ScyllaDB Cloud, but it has not been provisioned in AWS. You can click the Launch Stack link next to the status to open the CloudFormation stack and provision the key.
Pending deletion - The key was decommissioned and then deleted in ScyllaDB Cloud, but not in AWS. You can click the Delete Stack link next to the status to open the CloudFormation stack and delete the key.
In Use - The key is in use by an existing cluster. You can click the Cluster Name link next to the status to view the information about the cluster.
Decommissioned - The key was used on a cluster that was deleted (the key cannot be reused).
You can use the trash icon to delete any key that is not in use.