Enable encryption at rest
Data at rest in a YugabyteDB universe should be protected from unauthorized users by encrypting it. You do this by enabling encryption at rest. When enabled, the data in your universe is secured using envelope encryption, whereby multiple encryption keys are used to encrypt data, and those keys are in turn encrypted by other keys in a key hierarchy.
YugabyteDB Anywhere uses the following types of keys for envelope encryption:
- Data encryption keys (DEK): Symmetric keys used to directly encrypt the data. Each file flushed from memory has a unique DEK. This key is generated in the database layer of YugabyteDB.
- Universe key: Symmetric key used to encrypt and decrypt DEKs. A single universe key is used for all the DEKs in a universe. This key is generated by YugabyteDB Anywhere.
- Master key: The key at the highest level in the key hierarchy. The master key is used to encrypt universe keys. This key is a customer managed key (CMK) stored and managed in a Key Management Service (KMS). YugabyteDB Anywhere supports CMKs in AWS KMS, GCP KMS, Azure Key Vault, and Hashicorp Vault.
For more information on the features, assumptions, design, data key management, universe keys, key rotations, master failures, and adding a node, see Encryption at rest in YugabyteDB.
Enable encryption at rest during universe creation
You can enable encryption at rest during universe creation as follows:
- Open the YugabyteDB Anywhere UI and navigate to Universes.
- Click Create Universe to open the Universe Configuration page.
- After you select a provider, the Instance Configuration section expands to show more options.
- Select the Enable Encryption at Rest option. The Key Management Service Config option appears.
- Select your key management service (KMS) configuration from the Key Management Service Config list. The list displays only preconfigured KMS configurations. If you need to create one, see Create a KMS configuration.
- Continue with your universe creation, then click Create.
You can verify that encryption at rest has been successfully configured as follows:
- Open the YugabyteDB Anywhere UI and navigate to the universe.
- Select Nodes.
- On one of the nodes, click Master under the PROCESSES column to open the overview.
- To the right of Replication Factor, click See full config to open the Current Cluster Config page.
- Verify that the configuration includes the following encryption_info section with the correct values:

  encryption_info {
    encryption_enabled: true
    universe_key_registry_encoded: ".*"
    key_in_memory: true
    latest_version_id: ".*"
  }
If your KMS configuration uses AWS KMS, the following occurs: after the universe has been created with encryption at rest enabled, YugabyteDB Anywhere persists the universe key itself (AWS KMS does not persist the data keys it generates from a CMK) and, whenever it needs to provide the universe key to the master nodes, requests the plaintext of the master key from AWS KMS using the KMS configuration. For more information, see Create a KMS configuration using AWS KMS.
Enable encryption at rest on an existing universe
You can enable encryption at rest on an existing universe as follows:
- Open the YugabyteDB Anywhere UI and click Universes.
- Select the universe for which you want to enable encryption.
- Select Actions > Edit Security > Encryption-at-Rest.
- In the Manage Encryption at Rest dialog, toggle Enable Encryption at Rest for this Universe. When encryption is enabled, the Key Management Service Config option appears.
- Select your KMS configuration from the Key Management Service Config list. The list displays only preconfigured KMS configurations. If you need to create one, see Create a KMS configuration.
- Click Apply.
- Verify that the EnableEncryptionAtRest task completed successfully.
Back up and restore data from an encrypted at rest universe
When you back up and restore universe data with encryption at rest enabled, YugabyteDB Anywhere requires a KMS configuration to manage backing up and restoring encrypted universe data. Because of the possibility that you will need to restore data to a different universe that might have a different master key, YugabyteDB Anywhere ensures that all encrypted backups include a metadata file. The file includes a list of key IDs in the source's master key registry.
When restoring an encrypted backup to a universe, YugabyteDB Anywhere detects the KMS configuration that was used to encrypt the backup. That KMS configuration must be available in the YugabyteDB Anywhere account.
When restoring your universe data, YugabyteDB Anywhere uses the selected KMS configuration to consume the master key ID and then retrieves the master key value for each key ID in the metadata file. Each of these keys is then sent to the destination universe to augment or build the universe key registry there.
Rotate the master keys
As part of envelope encryption, the universe keys are protected by master keys. The master key resides in the KMS of your choosing and is used to encrypt and decrypt the universe keys as needed.
YugabyteDB Anywhere uses a KMS configuration to house the information about the master key to use in envelope encryption, as well as the credentials to use to access this master key.
You can change KMS configurations, and consequently the master keys used to encrypt the universe key, at any time. To accomplish this, do the following:
- Create a new KMS configuration with the new master key to use.
- After the KMS configuration is successfully created, go to the universe that has encryption at rest enabled, and select Actions > Edit Security > Encryption at Rest.
- In the Manage Encryption at Rest dialog, choose the new KMS configuration from the Key Management Service Config list.
- Click Apply to use the new KMS configuration and master key for envelope encryption.
Note that you can either rotate the master key (by switching the KMS configuration) or rotate the universe key; you can't perform both actions at the same time.
Deleting KMS configurations
When you delete a KMS configuration, you will no longer be able to decrypt universe keys that were encrypted using the master key in the KMS configuration. Before deleting a configuration, make sure that you no longer need the KMS configuration, master key, or any of the key versions. Retain all KMS configurations used to encrypt data in backups and snapshots.
Rotate the universe keys
Enabling encryption and rotating a universe key works in two steps:
- Add the new universe key ID and key data to all the in-memory state of masters.
- Issue a cluster configuration change to enable encryption with the new universe key.
The cluster configuration change does the following:
- Decrypts the universe key registry with the master key.
- Adds the new universe key to the registry.
- Updates the cluster configuration with the new latest key ID.
- Encrypts the registry with the master key.
Once encryption is enabled with a new universe key, only new data is encrypted with this new key. Old data remains unencrypted, or encrypted with an older universe key, until compaction churn triggers a re-encryption with the new key.
To rotate the universe keys, perform the following:
- Open the YugabyteDB Anywhere UI and navigate to the universe for which you want to rotate the keys.
- Select Actions > Edit Security > Encryption at Rest.
- Select Rotate Universe key and click Apply.
Disable encryption at rest
You can disable encryption at rest for a universe as follows:
- Open the YugabyteDB Anywhere UI and navigate to the universe for which to disable encryption.
- Select Actions > Edit Security > Encryption-at-Rest.
- In the Manage Encryption at Rest dialog, toggle Enable Encryption at Rest for this Universe and click Apply.
To verify that encryption at rest is disabled, check the current cluster configuration for each node to see that it contains encryption_enabled: false.
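To script the verification described for enabling encryption at rest (the encryption_info section on the Current Cluster Config page) and the disabled-state check above, here is an added example that is not YugabyteDB Anywhere's own tooling: it parses the encryption_info section out of saved cluster config text for each master and reports the nodes that do not match the expected state. The node names and field values in the sample are constructed placeholders.

```javascript
// Parse the encryption_info { ... } section of a master's cluster config
// (protobuf text format, as shown on the Current Cluster Config page) into
// an object; quoted strings are unquoted and true/false become booleans.
function parseEncryptionInfo(configText) {
  const section = /encryption_info\s*\{([^}]*)\}/.exec(configText);
  if (!section) return null;
  const info = {};
  for (const [, key, raw] of section[1].matchAll(/(\w+)\s*:\s*("[^"]*"|\S+)/g)) {
    if (raw.startsWith('"')) info[key] = raw.slice(1, -1);
    else if (raw === "true" || raw === "false") info[key] = raw === "true";
    else info[key] = raw;
  }
  return info;
}

// Check one master against the state expected after enabling (expectEnabled
// = true) or disabling (false) encryption at rest. Returns a list of problems.
function checkNode(configText, expectEnabled) {
  const info = parseEncryptionInfo(configText);
  if (!info) return ["no encryption_info section in cluster config"];
  const problems = [];
  if (info.encryption_enabled !== expectEnabled) {
    problems.push(`encryption_enabled is ${info.encryption_enabled}, expected ${expectEnabled}`);
  }
  if (expectEnabled) {
    if (info.key_in_memory !== true) problems.push("key_in_memory is not true");
    if (!info.universe_key_registry_encoded) problems.push("universe_key_registry_encoded is empty");
    if (!info.latest_version_id) problems.push("latest_version_id is empty");
  }
  return problems;
}

// Run checkNode over every master; returns only the nodes with problems.
function checkUniverse(configsByNode, expectEnabled) {
  const failing = {};
  for (const [node, text] of Object.entries(configsByNode)) {
    const problems = checkNode(text, expectEnabled);
    if (problems.length > 0) failing[node] = problems;
  }
  return failing;
}

// Constructed sample configs (placeholder values, not real output): the first
// node is healthy, the second never loaded the key, the third is unencrypted.
const SAMPLE_CONFIGS = {
  "node-1": 'encryption_info {\n  encryption_enabled: true\n  universe_key_registry_encoded: "REGISTRY_PLACEHOLDER"\n  key_in_memory: true\n  latest_version_id: "KEY_ID_PLACEHOLDER"\n}\n',
  "node-2": 'encryption_info {\n  encryption_enabled: true\n  universe_key_registry_encoded: "REGISTRY_PLACEHOLDER"\n  key_in_memory: false\n  latest_version_id: "KEY_ID_PLACEHOLDER"\n}\n',
  "node-3": "encryption_info {\n  encryption_enabled: false\n}\n",
};
```

Run checkUniverse(configs, true) after enabling and checkUniverse(configs, false) after disabling; an empty result means every master matches.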