Encryption at rest BETA

For added security, you can encrypt your clusters (including backups) using a customer managed key (CMK) residing in a cloud provider Key Management Service (KMS). You grant YugabyteDB Managed access to the key with the requisite permissions to perform cryptographic operations using the key to secure the databases in your clusters.

You enable YugabyteDB cluster encryption at rest (EAR) when you create it. See Create your cluster.

Note that, regardless of whether you enable YugabyteDB EAR for a cluster, YugabyteDB Managed uses volume encryption for all data at rest, including your account data, your clusters, and their backups. Data is AES-256 encrypted using native cloud provider technologies - S3 and EBS volume encryption for AWS, and server-side and persistent disk encryption for GCP. Volume encryption keys are managed by the cloud provider and anchored by hardware security appliances.

Limitations

• Currently, only CMKs in AWS KMS are supported.
• Currently, you cannot enable cluster EAR for existing clusters.
• You cannot remove encryption from clusters that have EAR enabled.
• After EAR is enabled for a cluster, you cannot change keys.

Enabling EAR can impact cluster performance. You should monitor your workload after enabling this feature.

Prerequisites

AWS

• Single-region symmetric encryption key created in AWS KMS. The key resource should have the following permissions:
  • kms:Encrypt
  • kms:Decrypt
  • kms:GenerateDataKeyWithoutPlaintext
  • kms:DescribeKey
  • kms:ListAliases
• Amazon Resource Name (ARN) of the CMK. For more information, refer to Amazon Resource Names in the AWS documentation.
• An access key for an IAM identity with permission to encrypt and decrypt using the CMK. An access key consists of an access key ID and the secret access key. For more information, refer to Managing access keys for IAM users in the AWS documentation.

For more information on AWS KMS, refer to AWS Key Management Service in the AWS documentation.