docs/content/stable/yugabyte-platform/security/enable-encryption-at-rest.md
Data at rest in a YugabyteDB universe should be protected from unauthorized users by encrypting it. You do this by enabling encryption at rest. When enabled, the data in your universe is secured using envelope encryption, whereby multiple encryption keys are used to encrypt data, and those keys are in turn encrypted by other keys in a key hierarchy.
YugabyteDB Anywhere uses the following types of keys for envelope encryption:
| Key | Description |
|---|---|
| Data encryption keys (DEK) | Symmetric keys used to directly encrypt the data. Each file flushed from memory has a unique DEK. This key is generated in the database layer of YugabyteDB. |
| Universe key | Symmetric key used to encrypt and decrypt DEKs. A single universe key is used for all the DEKs in a universe. This key is generated by YugabyteDB Anywhere. |
| Master key | The key at the highest level in the key hierarchy. The master key is used to encrypt universe keys. This key is a customer managed key (CMK) stored and managed in a Key Management Service (KMS). |
Master key details are stored in YugabyteDB Anywhere in KMS configurations, and YugabyteDB Anywhere supports CMKs in AWS KMS, GCP KMS, Azure Key Vault, and HashiCorp Vault. You enable encryption at rest for a universe by assigning the universe a KMS configuration. For instructions on creating a KMS configuration, see Create a KMS configuration.
For more information on the features, assumptions, design, data key management, universe keys, key rotations, master failures, and adding a node, see Encryption at rest in YugabyteDB.
You can enable encryption at rest when creating a universe, and enable and disable encryption at rest on existing universes.
You enable encryption at rest during universe creation as follows:
You enable encryption at rest on an existing universe as follows:
Navigate to your universe, click Actions, and choose More > Edit Security > Encryption at Rest.
In the Manage Encryption at Rest dialog, toggle Enable Encryption at Rest for this Universe.
When the encryption is enabled, the Key Management Service Config option appears.
Select your KMS configuration from the Key Management Service Config list. The list displays only preconfigured KMS configurations. If you need to create one, see Create a KMS configuration.
Click Apply.
You can verify that encryption at rest has been successfully configured as follows:
Navigate to the universe and select Nodes.
On one of the nodes, click Master under the PROCESSES column to open the overview.
To the right of Replication Factor, click See full config to open the Current Cluster Config page.
Verify that the configuration includes the following encryption_info section with the correct values:

```
encryption_info {
  encryption_enabled: true
  universe_key_registry_encoded: ".*"
  key_in_memory: true
  latest_version_id: ".*"
}
```
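The verification step above is easy to automate when you have many nodes to check. The following is an added example (not part of the YugabyteDB Anywhere docs or product) that parses the text of a Current Cluster Config page and applies the checks described above; it also reports the disabled case described later on this page. The config sample is constructed, and its registry and version values are made up.

```python
import re

# Constructed sample cluster config text, modelled on the encryption_info block
# shown above; the registry and version values are made up, not real output.
SAMPLE_ENABLED = """\
replication_info {
  live_replicas { num_replicas: 3 }
}
encryption_info {
  encryption_enabled: true
  universe_key_registry_encoded: "QUJDRA=="
  key_in_memory: true
  latest_version_id: "0a1b2c3d"
}
"""
SAMPLE_DISABLED = "encryption_info {\n  encryption_enabled: false\n}\n"

def parse_encryption_info(config_text):
    """Return the fields inside encryption_info { ... }, or None if the section is absent."""
    m = re.search(r"encryption_info\s*\{(.*?)\}", config_text, re.DOTALL)
    if not m:
        return None
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        # booleans are bare, strings are double-quoted in the config dump
        fields[key.strip()] = value == "true" if value in ("true", "false") else value.strip('"')
    return fields

def check_encryption_at_rest(config_text):
    """Apply the page's checks: enabled, universe key loaded in memory, registry and
    latest version id present. Returns (ok, problems)."""
    info = parse_encryption_info(config_text)
    if info is None:
        return False, ["no encryption_info section in cluster config"]
    problems = []
    if info.get("encryption_enabled") is not True:
        problems.append("encryption_enabled is not true")
    if info.get("key_in_memory") is not True:
        problems.append("key_in_memory is not true (universe key not loaded on the master)")
    for field in ("universe_key_registry_encoded", "latest_version_id"):
        if not info.get(field):
            problems.append(f"{field} missing or empty")
    return not problems, problems
```

Run it against the config text of each master in the universe; any node that reports problems has not picked up the KMS configuration.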
If your KMS configuration uses AWS KMS, then after the universe has been created with encryption at rest enabled, YugabyteDB Anywhere persists the universe key itself (because AWS KMS does not persist the data keys it generates from a CMK) and, whenever it needs to provide the universe key to the master nodes, requests the plaintext of the master key from AWS KMS using the KMS configuration. For more information, see Create a KMS configuration using AWS KMS.
You can disable encryption at rest for a universe as follows:
To verify that encryption at rest is disabled, check the current cluster configuration for each node to see that it contains encryption_enabled: false.
When you back up and restore universe data with encryption at rest enabled, YugabyteDB Anywhere requires a KMS configuration to manage backing up and restoring encrypted universe data. Because of the possibility that you will need to restore data to a different universe that might have a different master key, YugabyteDB Anywhere ensures that all encrypted backups include a metadata file. The file includes a list of key IDs in the source's master key registry.
When restoring an encrypted backup to a universe, YugabyteDB Anywhere detects the correct KMS configuration used to encrypt the backup. The KMS configuration must be available in the YugabyteDB Anywhere account.
When restoring your universe data, YugabyteDB Anywhere uses the selected KMS configuration to consume the master key ID and then retrieves the master key value for each key ID in the metadata file. Each of these keys is then sent to the destination universe to augment or build the universe key registry there.
You can rotate the master and universe keys.
Note that you can choose to rotate the master key/KMS configuration or rotate the universe key, but you can't do both actions at the same time.
As part of envelope encryption, the universe keys are protected by master keys. The master key resides in the KMS of your choosing and is used to encrypt and decrypt the universe keys as needed.
YugabyteDB Anywhere uses a KMS configuration to house the information about the master key to use in envelope encryption, as well as the credentials to use to access this master key.
You can change KMS configurations, and consequently the master keys used to encrypt the universe key, at any time. To accomplish this, do the following:
{{< warning title="Deleting KMS configurations" >}}
Without a KMS configuration, you would no longer be able to decrypt universe keys that were encrypted using the master key in the KMS configuration. Even after a key is rotated out of service, it may still be needed to decrypt data in backups and snapshots that were created while it was active. For this reason, you can only delete a KMS configuration if it has never been used by any universes.
{{< /warning >}}
Enabling encryption and rotating a universe key works in two steps:
The cluster configuration change does the following:
Once encryption is enabled with a new universe key, only new data is encrypted with this new key. Old data remains unencrypted, or encrypted with an older universe key, until compaction churn triggers a re-encryption with the new key.
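To make the key hierarchy described at the top of this page and the rotation behaviour described just above concrete, here is an added example (not YugabyteDB code; the real implementation uses AES in the database layer) of envelope encryption with a versioned universe key registry: each flushed file gets its own DEK wrapped by the current universe key, every universe key is wrapped by a master key that never leaves the KMS stand-in, old files keep decrypting through the older registry entry after a rotation, and `compact()` shows what compaction churn eventually achieves. The `Kms` and `Universe` classes and the HMAC-SHA256 counter-mode cipher are assumptions of this example only.

```python
import hashlib, hmac, os

def keystream_xor(key, nonce, data):
    """Illustrative stand-in for AES-CTR: HMAC-SHA256 as a PRF in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)
def encrypt(key, plaintext):
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, plaintext)
def decrypt(key, blob):
    return keystream_xor(key, blob[:12], blob[12:])

class Kms:  # stand-in for the external KMS: the master key (CMK) never leaves it
    def __init__(self):
        self._master = os.urandom(32)
    def wrap(self, universe_key):
        return encrypt(self._master, universe_key)
    def unwrap(self, wrapped):
        return decrypt(self._master, wrapped)

class Universe:
    def __init__(self, kms):
        self.kms = kms
        self.registry = {}  # version id -> universe key wrapped by the master key
        self.latest_version_id = None
        self.files = []     # (universe key version, DEK wrapped by universe key, ciphertext)
    def rotate_universe_key(self):
        version = f"v{len(self.registry) + 1}"
        self.registry[version] = self.kms.wrap(os.urandom(32))
        self.latest_version_id = version
        return version
    def flush_file(self, data):
        dek = os.urandom(32)  # one DEK per flushed file
        uk = self.kms.unwrap(self.registry[self.latest_version_id])
        self.files.append((self.latest_version_id, encrypt(uk, dek), encrypt(dek, data)))
    def read_file(self, idx):
        version, wrapped_dek, ct = self.files[idx]
        uk = self.kms.unwrap(self.registry[version])  # old versions stay in the registry
        return decrypt(decrypt(uk, wrapped_dek), ct)
    def compact(self):  # rewrite every file under the latest key, as compaction churn does
        plaintexts = [self.read_file(i) for i in range(len(self.files))]
        self.files = []
        for data in plaintexts:
            self.flush_file(data)
    def versions_in_use(self):
        return sorted({v for v, _, _ in self.files})
```

Note that dropping a registry entry (or losing access to the KMS that wraps it) makes every file still tagged with that version unreadable, which is why the warning above forbids deleting a KMS configuration that a universe has used.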
To rotate the universe keys, perform the following: