ScyllaDB Vector Search Early Access. Powering real-time AI, recommendations, and RAG at scale. Learn more

Menu

Products
- Quick Links
  
  Why ScyllaDB?
  
  Close-to-the-metal architecture handles millions of OPS with predictable single-digit millisecond latencies.
  Learn More
  
  Is ScyllaDB right for me?
  
  ScyllaDB is purpose-built for data-intensive apps that require high throughput & predictable low latency.
  Learn More
- Products
- Related Technologies
Developers
Users
Resources
- Featured Resource
  
  ScyllaDB University
  
  Level up your skills with our free NoSQL database courses.
  Take a Course
  
  ScyllaDB Blog
  
  Our blog keeps you up to date with recent news about the ScyllaDB NoSQL database and related technologies, success stories and developer how-tos.
  Read the Blog
- Resource Center
- Events
- Compare
Pricing
Contact Us
Contact Us
Get Started
Sign In
Search
Button Links

See all blog posts

Getting Started with Database-Level Encryption at Rest in ScyllaDB Cloud

By Ivan (Buff) Zlatoustov

July 9, 2024

Subscribe to Receive Blog Updates

Subscription Categories

All Posts
Events
Integrations
News
Performance
Releases
ScyllaDB
Seastar
Tutorials
User Stories
Developers Blog

Learn about ScyllaDB database-level encryption with Customer-Managed Keys & see how to set up and manage encryption with a customer key — or delegate encryption to ScyllaDB

ScyllaDB Cloud takes a proactive approach to ensuring the security of sensitive data: we provide database-level encryption in addition to the default storage-level encryption. With this added layer of protection, customer data is always protected against attacks. Customers can focus on their core operations, knowing that their critical business and customer assets are well-protected.

Our clients can either use a customer-managed key (CMK, our version of BYOK) or let ScyllaDB Cloud manage the CMK for them.

The feature is available in all cloud platforms supported by ScyllaDB Cloud.

This article explains how ScyllaDB Cloud protects customer data. It focuses on the technical aspects of ScyllaDB database-level encryption with Customer-Managed Keys (CMK).

Storage-level encryption

Encryption at rest is when data files are encrypted before being written to persistent storage. ScyllaDB Cloud always uses encrypted volumes to prevent data breaches caused by physical access to disks.

Database-level encryption

Database-level encryption is a technique for encrypting all data before it is stored in the database.   The ScyllaDB Cloud feature is based on the proven ScyllaDB Enterprise database-level encryption at rest, extended with the Customer Managed Keys (CMK) encryption control. This ensures that the data is securely stored – and the customer is the one holding the key. The keys are stored and protected separately from the database, substantially increasing security.

ScyllaDB Cloud provides full database-level encryption using the Customer Managed Keys (CMK) concept. It is based on envelope encryption to encrypt the data and decrypt only when the data is needed. This is essential to protect the customer data at rest.

Some industries, like healthcare or finance, have strict data security regulations. Encrypting all data helps businesses comply with these requirements, avoiding the need to prove that all tables holding sensitive personal data are covered by encryption.
It also helps businesses protect their corporate data, which can be even more valuable.

A key feature of CMK is that the customer has complete control of the encryption keys. Data encryption keys will be introduced later (it is confusing to cover them at the beginning).

The customer can:

Revoke data access at any time
Restore data access at any time
Manage the master keys needed for decryption
Log all access attempts to keys and data

Customers can delegate all key management operations to the ScyllaDB Cloud support team if they prefer this.

To achieve this, the customer can choose the ScyllaDB key when creating the cluster.

To ensure customer data is secure and adheres to all privacy regulations. By default, encryption uses the symmetrical algorithm AES-128, a solid corporate encryption standard covering all practical applications. Breaking AES-128 can take an immense amount of time, approximately trillions of years.

The strength can be increased to AES-256.

Note: Database-level encryption in ScyllaDB Cloud is available for all clusters deployed in Amazon Web Services (AWS) and Google Cloud Platform (GCP).

Encryption

To ensure all user data is protected, ScyllaDB will encrypt:

All user tables
Commit logs
Batch logs
Hinted handoff data

This ensures all customer data is properly encrypted.

The first step of the encryption process is to encrypt every record with a data encryption key (DEK). Once the data is encrypted with the DEK, it is sent to either AWS KMS or GCP KMS, where the master key (MK) resides. The DEK is then encrypted with the master key (MK), producing an encrypted DEK (EDEK or a wrapped key).

The master key remains in the KMS, while the EDEK is returned and stored with the data. The DEK used to encrypt the data is destroyed to ensure data protection. A new DEK will be generated the next time new data needs to be encrypted.

Decryption

Because the original non-encrypted DEK is destroyed when the EDEK was produced, the data cannot be decrypted. The EDEK cannot be used to decrypt the data directly because the DEK key is encrypted. It has to be decrypted, and for that, the master key will be required again.

This can only be decrypted with the master key(MK) in the KMS.

Once the DEK is unwrapped, the data can be decrypted.

As you can see, the data cannot be decrypted without the master key – which is protected at all times in the KMS and cannot be “copied” outside KMS.

By revoking the master key, the customer can disable access to the data independently from the database or application authorization.

Multi-region deployment

Adding new data centers to the ScyllaDB cluster will create additional local keys in those regions. All master keys support multi-regions, and a copy of each key resides locally in each region – ensuring those multi-regional setups are protected from regional outages for the cloud provider and against disaster.

The keys are available in the same region as the data center and can be controlled independently.

In case you use a Customer Key – cloud providers will charge you for the KMS. AWS will charge $1/month, GCP will change you $0.06 for each cluster prorated per hour. Each additional DC creates a replica that is counted as an additional key.

There is an additional cost per key request. ScyllaDB Enterprise utilizes those requests efficiently, resulting in an estimated monthly cost of up to $1 for a 9-node cluster.

Managing encryption keys adds another layer of administrative work in addition to the extra cost. ScyllaDB Cloud offers database clusters that can be encrypted using keys managed by ScyllaDB support. They provide the same level of protection, but our support team helps you manage the master keys.

The ScyllaDB keys are applied by default and are subsidized by ScyllaDB.

Creating a Cluster with Database-Level Encryption

Creating a cluster with database-level encryption requires:

A ScyllaDB Cloud account – If you don’t have one, you can create a ScyllaDB Cloud account here.
10 minutes with ScyllaDB Key or 20 minutes creating your own key

To create a cluster with database-level encryption enabled, we will need a master key. We can either create a customer-managed key using ScyllaDB Cloud UI or skip this step completely and use a ScyllaDB Managed Key, which will skip the next six steps.

In both cases, all the data will be protected by strong encryption at the database level.

Setting up the customer-managed key can be found in the database-level encryption documentation.

Transparent database-level encryption in ScyllaDB Cloud significantly boosts the security of your ScyllaDB clusters and backups.

Next Steps

Start using this feature in ScyllaDB Cloud.
Get your questions answered in our community forum and Slack channel.
Or, use our contact form.

oreilly-book-ads

Security ScyllaDB Cloud

About Ivan (Buff) Zlatoustov

Ivan has years of experience in diverse database technologies. He transitioned from hands-on development of database solutions to creating database products. He brings technical expertise and product innovation together to the world of database-as-a-service.

View all posts by this author

Previous Post Next Post

Related Posts

The Cost of Multitenancy

ScyllaDB X Cloud: An Inside Look with Avi Kivity (Part 3)

ScyllaDB X Cloud: An Inside Look with Avi Kivity (Part 2)

Start scaling with the world's best high performance NoSQL database.

Product

Product Overview
Architecture
ScyllaDB Enterprise
ScyllaDB Cloud
Benchmarks
Solutions
Release Notes
Install
Tools
Pricing

Resources

Documentation
Online Training
NoSQL Guides
Resource Center
Events
Customer Support
Customer Portal
Community Projects
Blog

Company

About Us
Team
Customers
Partners
News
Media Kit
Careers
Contact Us

Social

GitHub
LinkedIn
Twitter
YouTube
Facebook
Forums
Slack

Legal

Terms of Service
Privacy Policy
Data Subject Request Form
Data Privacy Framework
CCPA Privacy Notice
Cookie Policy
Trust Center
Legal Center
Contact

2025 ©ScyllaDB | ScyllaDB, and ScyllaDB Cloud, are registered trademarks of ScyllaDB, Inc.

Apache® and Apache Cassandra® are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. Amazon DynamoDB® and Dynamo Accelerator® are trademarks of Amazon.com, Inc. No endorsements by The Apache Software Foundation or Amazon.com, Inc. are implied by the use of these marks.