Encryption at rest
Data at rest in a YugabyteDB universe should be protected from unauthorized users by encrypting it. You do this by enabling encryption at rest. When enabled, the data in your universe is secured using envelope encryption, whereby multiple encryption keys are used to encrypt data, and those keys are in turn encrypted by other keys in a key hierarchy.
YugabyteDB Anywhere uses the following types of keys for envelope encryption:
| Key | Description |
|---|---|
| Data encryption keys (DEK) | Symmetric keys used to directly encrypt the data. Each file flushed from memory has a unique DEK. This key is generated in the database layer of YugabyteDB. |
| Universe key | Symmetric key used to encrypt and decrypt DEKs. A single universe key is used for all the DEKs in a universe. This key is generated by YugabyteDB Anywhere. |
| Master key | The key at the highest level in the key hierarchy. The master key is used to encrypt universe keys. This key is a customer managed key (CMK) stored and managed in a Key Management Service (KMS). |
Master key details are stored in YugabyteDB Anywhere in KMS configurations, and YugabyteDB Anywhere supports CMKs in AWS KMS, GCP KMS, Azure Key Vault, and HashiCorp Vault. You enable encryption at rest for a universe by assigning the universe a KMS configuration. For instructions on creating a KMS configuration, see Create a KMS configuration.
For more information on the features, assumptions, design, data key management, universe keys, key rotations, master failures, and adding a node, see Encryption at rest in YugabyteDB.
Manage universe encryption at rest
You can enable encryption at rest when creating a universe, and enable and disable encryption at rest on existing universes.
Enable encryption at rest during universe creation
You enable encryption at rest during universe creation as follows:
- Navigate to Universes and click Create Universe to open the Create Universe page.
- Under Security Configurations > Encryption Settings, select the Enable Encryption at Rest option to display the Key Management Service Config option.
- Select your KMS configuration from the Key Management Service Config list. The list displays only preconfigured KMS configurations. If you need to create one, see Create a KMS configuration.
- Continue with your universe creation, then click Create.
Enable encryption at rest on an existing universe
You enable encryption at rest on an existing universe as follows:
- Navigate to your universe, click Actions, and choose Edit Security > Encryption at Rest.
- In the Manage Encryption at Rest dialog, toggle Enable Encryption at Rest for this Universe. When encryption is enabled, the Key Management Service Config option appears.
- Select your KMS configuration from the Key Management Service Config list. The list displays only preconfigured KMS configurations. If you need to create one, see Create a KMS configuration.
- Click Apply.
Verify encryption at rest on a universe
You can verify that encryption at rest has been successfully configured as follows:
- Navigate to the universe and select Nodes.
- On one of the nodes, click Master under the PROCESSES column to open the overview.
- To the right of Replication Factor, click See full config to open the Current Cluster Config page.
- Verify that the configuration includes the following `encryption_info` section with the correct values:

```
encryption_info {
  encryption_enabled: true
  universe_key_registry_encoded: ".*"
  key_in_memory: true
  latest_version_id: ".*"
}
```
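The check in the last step can be scripted against a saved copy of the Current Cluster Config text. The Go program below is an added example and not YugabyteDB Anywhere code: it pulls the `encryption_info` block out of a config dump and checks each field the section above lists, so that a verification run on many nodes reports the first field that is wrong instead of a bare pass/fail. The two config dumps embedded in it are constructed samples (the registry value and key ID are placeholders, and the leading `cluster_uuid` line only stands in for the other fields a real dump contains).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// EncryptionInfo holds the fields of the encryption_info block shown on the
// master's Current Cluster Config page.
type EncryptionInfo struct {
	Present           bool
	EncryptionEnabled bool
	KeyInMemory       bool
	LatestVersionID   string
	RegistryPresent   bool // universe_key_registry_encoded is non-empty
}

var (
	blockRe = regexp.MustCompile(`(?s)encryption_info\s*\{(.*?)\}`)
	fieldRe = regexp.MustCompile(`(\w+):\s*("[^"]*"|\S+)`)
)

// ParseEncryptionInfo extracts the encryption_info block from a cluster config
// dump written in the text format the page shows (one "field: value" per line).
func ParseEncryptionInfo(config string) EncryptionInfo {
	var info EncryptionInfo
	m := blockRe.FindStringSubmatch(config)
	if m == nil {
		return info
	}
	info.Present = true
	for _, f := range fieldRe.FindAllStringSubmatch(m[1], -1) {
		val := strings.Trim(f[2], `"`) // quoted strings lose their quotes; true/false stay as-is
		switch f[1] {
		case "encryption_enabled":
			info.EncryptionEnabled = val == "true"
		case "key_in_memory":
			info.KeyInMemory = val == "true"
		case "latest_version_id":
			info.LatestVersionID = val
		case "universe_key_registry_encoded":
			info.RegistryPresent = val != ""
		}
	}
	return info
}

// VerifyEncryptionAtRest returns nil when the config shows encryption at rest
// fully in effect, or an error naming the first check that failed.
func VerifyEncryptionAtRest(config string) error {
	info := ParseEncryptionInfo(config)
	switch {
	case !info.Present:
		return fmt.Errorf("no encryption_info section in cluster config")
	case !info.EncryptionEnabled:
		return fmt.Errorf("encryption_enabled is not true")
	case !info.RegistryPresent:
		return fmt.Errorf("universe_key_registry_encoded is empty")
	case !info.KeyInMemory:
		return fmt.Errorf("key_in_memory is not true: the masters have not received the universe key")
	case info.LatestVersionID == "":
		return fmt.Errorf("latest_version_id is empty")
	}
	return nil
}

// Constructed sample dumps; the values are placeholders, not output from a real universe.
const EnabledConfig = `cluster_uuid: "11111111-2222-3333-4444-555555555555"
encryption_info {
  encryption_enabled: true
  universe_key_registry_encoded: "QUJDREVGR0hJSktMTU5PUA=="
  key_in_memory: true
  latest_version_id: "sample-universe-key-2"
}
`

const DisabledConfig = `cluster_uuid: "11111111-2222-3333-4444-555555555555"
encryption_info {
  encryption_enabled: false
  universe_key_registry_encoded: "QUJDREVGR0hJSktMTU5PUA=="
  key_in_memory: true
  latest_version_id: "sample-universe-key-2"
}
`

func main() {
	for name, cfg := range map[string]string{"enabled": EnabledConfig, "disabled": DisabledConfig} {
		if err := VerifyEncryptionAtRest(cfg); err != nil {
			fmt.Printf("%s: FAIL: %v\n", name, err)
		} else {
			fmt.Printf("%s: OK\n", name)
		}
	}
}
```

Run it against a dump copied from each node's Current Cluster Config page; `DisabledConfig` is the shape you should see after disabling encryption at rest, where only `encryption_enabled: false` matters.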
If your KMS configuration uses AWS KMS, then after the universe has been created with encryption at rest enabled, YugabyteDB Anywhere persists the universe key itself (because AWS does not persist any CMK-generated data keys) and requests the plaintext of the master key from AWS KMS, using the KMS configuration, whenever it needs to provide the universe key to the master nodes. For more information, see Create a KMS configuration using AWS KMS.
Disable encryption at rest
You can disable encryption at rest for a universe as follows:
- Navigate to the universe for which you want to disable encryption at rest.
- Select Actions > Edit Security > Encryption at Rest.
- In the Manage Encryption at Rest dialog, toggle Enable Encryption at Rest for this Universe off and click Apply.
To verify that encryption at rest is disabled, check the current cluster configuration for each node to see that it contains `encryption_enabled: false`.
Back up and restore data from an encrypted at rest universe
When you back up and restore universe data with encryption at rest enabled, YugabyteDB Anywhere requires a KMS configuration to manage backing up and restoring encrypted universe data. Because of the possibility that you will need to restore data to a different universe that might have a different master key, YugabyteDB Anywhere ensures that all encrypted backups include a metadata file. The file includes a list of key IDs in the source's master key registry.
When restoring an encrypted backup to a universe, YugabyteDB Anywhere detects the KMS configuration that was used to encrypt the backup. That KMS configuration must be available in the YugabyteDB Anywhere account.
When restoring your universe data, YugabyteDB Anywhere uses the selected KMS configuration to consume the master key ID and then retrieves the master key value for each key ID in the metadata file. Each of these keys is then sent to the destination universe to augment or build the universe key registry there.
Rotate keys
You can rotate the master and universe keys.
Note that you can choose to rotate the master key/KMS configuration or rotate the universe key, but you can't do both actions at the same time.
Rotate the master keys
As part of envelope encryption, the universe keys are protected by master keys. The master key resides in the KMS of your choosing and is used to encrypt and decrypt the universe keys as needed.
YugabyteDB Anywhere uses a KMS configuration to house the information about the master key to use in envelope encryption, as well as the credentials to use to access this master key.
You can change KMS configurations, and consequently the master keys used to encrypt the universe key, at any time. To accomplish this, do the following:
- Create a new KMS configuration with the new master key to use.
- After the KMS configuration is successfully created, go to the encryption at rest-enabled universe, and select Actions > Edit Security > Encryption at Rest.
- In the Manage Encryption at Rest dialog, choose the new KMS configuration from the Key Management Service Config list.
- Click Apply to use the new KMS configuration and master key for envelope encryption.
Deleting KMS configurations
Without a KMS configuration, you would no longer be able to decrypt universe keys that were encrypted using the master key in that KMS configuration. Even after a key is rotated out of service, it may still be needed to decrypt data in backups and snapshots that were created while it was active. For this reason, you can only delete a KMS configuration if it has never been used by any universe.
Rotate the universe keys
Enabling encryption and rotating a universe key works in two steps:
- Add the new universe key ID and key data to all the in-memory state of masters.
- Issue a cluster configuration change to enable encryption with the new universe key.
The cluster configuration change does the following:
- Decrypts the universe key registry with the master key.
- Adds the new universe key to the registry.
- Updates the cluster configuration with the new latest key ID.
- Encrypts the registry with the master key.
Once encryption is enabled with a new universe key, only new data is encrypted with this new key. Old data remains unencrypted, or encrypted with an older universe key, until compaction churn triggers a re-encryption with the new key.
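The Go program below is an added example, not YugabyteDB's or YugabyteDB Anywhere's code, that models both the key hierarchy from the table at the top of the page (a per-file DEK, wrapped by a universe key, with the universe key registry encrypted under a master key) and the four registry steps of the cluster configuration change listed above. It assumes a local 32-byte stand-in for the master key; in a real deployment the master key stays inside the KMS and the registry is sent there to be encrypted and decrypted. AES-256-GCM, the JSON shape of the registry and the `uk-1`/`uk-2` key IDs are the example's own choices. The rotation leaves data written under the old key untouched, which is why a file records the ID of the universe key that wrapped its DEK: such data stays readable through its original key until it is rewritten.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// randBytes returns n bytes from crypto/rand; 32 of them make an AES-256 key.
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // documented never to return an error since Go 1.24
	return b
}

// gcm builds an AES-256-GCM AEAD; a wrong key length is a programming error here.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return a
}

// seal encrypts plaintext and prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) []byte {
	a := gcm(key)
	nonce := randBytes(a.NonceSize())
	return a.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	a := gcm(key)
	if n := a.NonceSize(); len(blob) >= n {
		return a.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Registry models the universe key registry: every universe key ever issued,
// by ID, plus the ID that newly flushed data must use. Keys must be non-nil.
type Registry struct {
	Latest string            `json:"latest_version_id"`
	Keys   map[string][]byte `json:"keys"`
}

// EncryptRegistry is the "encrypt the registry with the master key" step.
func EncryptRegistry(masterKey []byte, r Registry) []byte {
	b, _ := json.Marshal(r) // a Registry always marshals
	return seal(masterKey, b)
}

// DecryptRegistry is the "decrypt the registry with the master key" step.
func DecryptRegistry(masterKey, blob []byte) (r Registry, err error) {
	b, err := open(masterKey, blob)
	if err == nil {
		err = json.Unmarshal(b, &r)
	}
	return r, err
}

// EncryptedFile stands in for one file flushed from memory.
type EncryptedFile struct {
	UniverseKeyID string // which universe key wraps this file's DEK
	WrappedDEK    []byte
	Ciphertext    []byte
}

// EncryptFile gives the file its own DEK, encrypts the data with it, and wraps
// the DEK under the registry's latest universe key (gcm panics if Latest is unset).
func EncryptFile(r Registry, plaintext []byte) EncryptedFile {
	dek := randBytes(32)
	return EncryptedFile{r.Latest, seal(r.Keys[r.Latest], dek), seal(dek, plaintext)}
}

// DecryptFile unwraps the DEK with whichever universe key the file was written
// under, so data older than the latest key stays readable until it is rewritten.
func DecryptFile(r Registry, f EncryptedFile) ([]byte, error) {
	uk, ok := r.Keys[f.UniverseKeyID]
	if !ok {
		return nil, fmt.Errorf("universe key %q not in registry", f.UniverseKeyID)
	}
	dek, err := open(uk, f.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, f.Ciphertext)
}

// RotateUniverseKey is the registry half of the cluster configuration change:
// decrypt the registry, add the new key, update the latest ID, re-encrypt.
// Starting from an empty registry, the same call is the initial enablement.
func RotateUniverseKey(masterKey, blob []byte, newID string) ([]byte, error) {
	r, err := DecryptRegistry(masterKey, blob)
	if err != nil {
		return nil, err
	}
	r.Keys[newID] = randBytes(32)
	r.Latest = newID
	return EncryptRegistry(masterKey, r), nil
}
```

A typical run starts with `EncryptRegistry(master, Registry{Keys: map[string][]byte{}})`, calls `RotateUniverseKey` once to enable with `uk-1`, writes a file, rotates to `uk-2`, and then decrypts both the old and a new file with the rotated registry. Decrypting the registry with any key other than the master key fails authentication, and a registry that lacks `uk-2` cannot read data written under it, which is the situation the section on deleting KMS configurations warns about at the master key level.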
To rotate the universe keys, perform the following:
- Navigate to the universe for which you want to rotate the keys.
- Select Actions > Edit Security > Encryption at Rest.
- Select Rotate Universe key and click Apply.