To use encryption at rest
YugabyteDB Anywhere (YBA) uses encryption at rest to secure data in YugabyteDB clusters. YBA uses a key management service (KMS) to store the keys used to encrypt and decrypt the data, and stores the key details in a KMS configuration. The cloud account associated with the KMS provider requires permissions to manage the keys; the minimum permissions for each supported provider are listed below.
Encryption at rest in YugabyteDB Anywhere supports the use of Amazon Web Services (AWS) KMS.
The master key resource policy should include the following key policy permissions:
- kms:Encrypt
- kms:Decrypt
- kms:GenerateDataKeyWithoutPlaintext
- kms:DescribeKey
- kms:DisableKey
- kms:ScheduleKeyDeletion
- kms:CreateAlias
- kms:DeleteAlias
- kms:UpdateAlias
Note
To support master key rotation after upgrading YBA from a version prior to 2.17.3, add the kms:Encrypt permission to the key policy of any existing key used by an AWS KMS configuration, if it is not already present.
The AWS user associated with a KMS configuration requires the following minimum Identity and Access Management (IAM) KMS-related permissions:
- kms:CreateKey
- kms:ListAliases
- kms:ListKeys
- kms:CreateAlias
- kms:DeleteAlias
- kms:UpdateAlias
- kms:TagResource
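The following added example (not from the YugabyteDB Anywhere documentation or code base) builds the two AWS policy documents from the permission lists above and checks an existing policy for anything the lists require that it does not grant. This is the check to run against keys created before the upgrade note above applies. The account ID, principal ARN, and statement IDs are placeholders; the checker honors wildcards in Action but deliberately ignores Deny statements and Condition blocks.

```python
"""Build and check AWS KMS permissions for a YugabyteDB Anywhere KMS configuration."""
import fnmatch
import json
from typing import List, Optional

# Permissions exactly as listed on this page.
KEY_POLICY_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:DisableKey", "kms:ScheduleKeyDeletion",
    "kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias",
]
IAM_USER_ACTIONS = [
    "kms:CreateKey", "kms:ListAliases", "kms:ListKeys",
    "kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias", "kms:TagResource",
]

# Placeholder identifiers (assumptions of this example, not real accounts).
ACCOUNT_ID = "123456789012"
YBA_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/yba-kms"


def yba_key_policy(account_id: str, yba_principal_arn: str) -> dict:
    """Key policy that grants the YBA principal only the key-policy permissions above.

    The root statement keeps the account able to administer the key; without it the
    key becomes unmanageable if the YBA principal is ever deleted.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableRootAdministration", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowYugabyteDBAnywhere", "Effect": "Allow",
             "Principal": {"AWS": yba_principal_arn},
             "Action": KEY_POLICY_ACTIONS, "Resource": "*"},
        ],
    }


def yba_iam_policy() -> dict:
    """Identity policy for the IAM user whose credentials are stored in the KMS configuration."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": IAM_USER_ACTIONS, "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _names_principal(statement: dict, principal_arn: str) -> bool:
    principal = statement.get("Principal", "*")
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", []))
    return "*" in arns or principal_arn in arns


def missing_actions(policy: dict, required: List[str], principal_arn: Optional[str] = None) -> List[str]:
    """Return the required actions that no Allow statement grants.

    For a key policy, pass the YBA principal ARN so that only statements naming it count.
    Action matching is case-insensitive and honors wildcards such as kms:* or kms:*Alias.
    Deny statements and Conditions are not evaluated, so [] means "nothing obviously
    missing", not "access works".
    """
    granted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn is not None and not _names_principal(stmt, principal_arn):
            continue
        granted.extend(a.lower() for a in _as_list(stmt.get("Action", [])))
    return [action for action in required
            if not any(fnmatch.fnmatchcase(action.lower(), pattern) for pattern in granted)]


# Constructed sample: a key policy written before kms:Encrypt was required (see the note above).
PRE_2_17_3_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": YBA_ARN},
         "Action": [a for a in KEY_POLICY_ACTIONS if a != "kms:Encrypt"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(yba_key_policy(ACCOUNT_ID, YBA_ARN), indent=2))
    print("missing from old key policy:", missing_actions(PRE_2_17_3_KEY_POLICY, KEY_POLICY_ACTIONS, YBA_ARN))
    print("missing from IAM policy:", missing_actions(yba_iam_policy(), IAM_USER_ACTIONS))
```

To check a live key, feed the output of `aws kms get-key-policy --policy-name default` (parsed from its JSON string) to `missing_actions` with the principal ARN from the KMS configuration.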
Encryption at rest in YugabyteDB Anywhere supports the use of Google Cloud KMS.
The Google Cloud service account associated with a KMS configuration requires a custom role with the following KMS-related permissions:
- cloudkms.keyRings.create
- cloudkms.keyRings.get
- cloudkms.cryptoKeys.create
- cloudkms.cryptoKeys.get
- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeyVersions.useToDecrypt
- cloudkms.locations.generateRandomBytes
If you are planning to use an existing cryptographic key with the same name, it must meet the following criteria:
- The primary cryptographic key version should be in the Enabled state.
- The purpose should be set to symmetric ENCRYPT_DECRYPT.
- The key rotation period should be set to Never (manual rotation).
Note that YugabyteDB Anywhere does not manage the key ring and deleting the KMS configuration does not destroy the key ring, cryptographic key, or its versions on Google Cloud KMS.
Encryption at rest in YugabyteDB Anywhere supports the use of Microsoft Azure Key Vault.
Before defining a KMS configuration with YugabyteDB Anywhere, you need to create a key vault through the Azure portal. The following settings are required:
- Set the vault permission model as Vault access policy.
- Add the application to the key vault access policies with the minimum key management operations permissions of Get and Create (unless you are pre-creating the key), as well as cryptographic operations permissions of Unwrap Key and Wrap Key.
If you are planning to use an existing cryptographic key with the same name, it must meet the following criteria:
- The primary key version should be in the Enabled state.
- The activation date should either be disabled or set to a date before the KMS configuration creation.
- The expiration date should be disabled.
- Permitted operations should have at least WRAP_KEY and UNWRAP_KEY.
- The key rotation policy should not be defined in order to avoid automatic rotation.
Note that YugabyteDB Anywhere does not manage the key vault and deleting the KMS configuration does not delete the key vault, master key, or key versions on Azure Key Vault.
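The following added example (not from the YugabyteDB Anywhere documentation or code base) turns the existing-key criteria for Google Cloud KMS and Azure Key Vault above into a pre-flight check to run before creating the KMS configuration. The sample inputs are constructed; their field names are modelled on the CryptoKey resource returned by `gcloud kms keys describe` and on the output of `az keyvault key show` and `az keyvault key rotation-policy show`, and should be treated as assumptions of this example.

```python
"""Pre-flight checks for an existing key before creating a YBA KMS configuration."""
from datetime import datetime, timezone
from typing import List, Optional


def _parse_time(value: str) -> datetime:
    # Accept RFC 3339 timestamps with "Z" or an explicit UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def gcp_key_problems(crypto_key: dict) -> List[str]:
    """Check a Cloud KMS CryptoKey against the page's criteria: ENCRYPT_DECRYPT purpose,
    primary version ENABLED, and no automatic rotation (rotation period set to Never)."""
    problems = []
    if crypto_key.get("purpose") != "ENCRYPT_DECRYPT":
        problems.append("purpose_not_encrypt_decrypt")
    if (crypto_key.get("primary") or {}).get("state") != "ENABLED":
        problems.append("primary_version_not_enabled")
    # Either field present means Cloud KMS will rotate the key on its own.
    if crypto_key.get("rotationPeriod") or crypto_key.get("nextRotationTime"):
        problems.append("automatic_rotation_configured")
    return problems


def _has_rotate_action(rotation_policy: Optional[dict]) -> bool:
    # Only a Rotate action means automatic rotation; a Notify-only policy does not rotate.
    for entry in (rotation_policy or {}).get("lifetimeActions", []):
        if str((entry.get("action") or {}).get("type", "")).lower() == "rotate":
            return True
    return False


def azure_key_problems(key: dict, rotation_policy: Optional[dict] = None,
                       now: Optional[datetime] = None) -> List[str]:
    """Check an Azure Key Vault key against the page's criteria: enabled, activation date
    absent or in the past, no expiration, WRAP_KEY and UNWRAP_KEY permitted, no rotation policy."""
    now = now or datetime.now(timezone.utc)
    attrs = key.get("attributes") or {}
    problems = []
    if not attrs.get("enabled"):
        problems.append("key_version_not_enabled")
    not_before = attrs.get("notBefore")
    if not_before and _parse_time(not_before) > now:
        problems.append("activation_date_in_future")
    if attrs.get("expires"):
        problems.append("expiration_date_set")
    # Normalize "wrapKey" (CLI/JWK spelling) and "WRAP_KEY" (portal spelling) to one form.
    ops = {op.replace("_", "").lower() for op in (key.get("key") or {}).get("keyOps", [])}
    if not {"wrapkey", "unwrapkey"} <= ops:
        problems.append("missing_wrap_or_unwrap_key")
    if _has_rotate_action(rotation_policy):
        problems.append("rotation_policy_defined")
    return problems


# Constructed sample inputs (not real cloud output).
GCP_KEY_OK = {
    "name": "projects/example-project/locations/us-east1/keyRings/yba-ring/cryptoKeys/yba-master",
    "purpose": "ENCRYPT_DECRYPT",
    "primary": {"state": "ENABLED"},
}
GCP_KEY_BAD = {**GCP_KEY_OK, "primary": {"state": "DISABLED"},
               "rotationPeriod": "7776000s", "nextRotationTime": "2031-01-01T00:00:00Z"}
AZURE_KEY_OK = {
    "attributes": {"enabled": True, "notBefore": None, "expires": None},
    "key": {"kty": "RSA", "keyOps": ["wrapKey", "unwrapKey", "encrypt", "decrypt"]},
}
AZURE_KEY_BAD = {
    "attributes": {"enabled": True, "notBefore": "2031-01-01T00:00:00+00:00",
                   "expires": "2032-01-01T00:00:00+00:00"},
    "key": {"kty": "RSA", "keyOps": ["wrapKey"]},
}
AZURE_ROTATE_POLICY = {"lifetimeActions": [{"action": {"type": "Rotate"},
                                            "trigger": {"timeAfterCreate": "P90D"}}]}

if __name__ == "__main__":
    print("GCP ok :", gcp_key_problems(GCP_KEY_OK))
    print("GCP bad:", gcp_key_problems(GCP_KEY_BAD))
    print("Azure ok :", azure_key_problems(AZURE_KEY_OK))
    print("Azure bad:", azure_key_problems(AZURE_KEY_BAD, AZURE_ROTATE_POLICY))
```

An empty list means the key meets the listed criteria; any entry names the criterion to fix before pointing a KMS configuration at the key. Because neither provider's key material is managed by YBA, these checks are worth repeating after any change made to the key outside YBA.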