Announcing ScyllaDB 6.0 — True Elastic Scale | Learn More

See all blog posts

Getting Started with Database-Level Encryption at Rest in ScyllaDB Cloud

Learn about ScyllaDB database-level encryption with Customer-Managed Keys & see how to set up and manage encryption with a customer key — or delegate encryption to ScyllaDB

ScyllaDB Cloud takes a proactive approach to ensuring the security of sensitive data: we provide database-level encryption in addition to the default EC2 storage-level encryption. With this added layer of protection, customer data is always protected against attacks. Customers can focus on their core operations, knowing that their critical business and customer assets are well-protected.

Customers can either use a customer-managed key or let ScyllaDB Cloud manage a key for them.

This article explains how ScyllaDB Cloud protects customer data. It focuses on the technical aspects of ScyllaDB database-level encryption with Customer-Managed Keys (CMK). Specifically, it includes a walkthrough of how to set up and manage encryption on ScyllaDB Cloud clusters with a customer key or how to delegate encryption to ScyllaDB.

Storage-level encryption

Encryption at rest is when data files are encrypted before being written to persistent storage. ScyllaDB Cloud always uses encrypted volumes to prevent data breaches caused by physical access to disks.

Database-level encryption

Database-level encryption is a technique for encrypting all data before it is stored in the database. 
 The ScyllaDB Cloud feature is based on the proven ScyllaDB Enterprise database-level encryption at rest, extended with the Customer Managed Keys (CMK) encryption control. This ensures that the data is securely stored – and the customer is the one holding the key. The keys are stored and protected separately from the database, substantially increasing security.

ScyllaDB Cloud provides full database-level encryption using the Customer Managed Keys (CMK) concept. It is based on envelope encryption to encrypt the data and decrypt only when the data is needed. This is essential to protect the customer data at rest.

Some industries, like healthcare or finance, have strict data security regulations. Encrypting all data helps businesses comply with these requirements, avoiding the need to prove that all tables holding sensitive personal data are covered by encryption.
It also helps businesses protect their corporate data, which can be even more valuable.

A key feature of CMK is that the customer has complete control of the encryption keys. Data encryption keys will be introduced later (it is confusing to cover them at  the beginning).

The customer can:

  • Revoke data access at any time
  • Restore data access at any time
  • Manage the master keys needed for decryption
  • Log all access attempts to keys and data

Customers can delegate all key management operations to the ScyllaDB Cloud support team if they prefer this.

To do this, the customer can choose the ScyllaDB key when creating the cluster.

To ensure customer data is secure and adheres to all privacy regulations. By default, encryption uses the symmetrical algorithm AES-128, a solid corporate encryption standard covering all practical applications. Breaking AES-128 can take an immense amount of time, approximately trillions of years.

The strength can be increased to to AES-256.

Note: Database-level encryption in ScyllaDB Cloud is available for all clusters deployed in Amazon Web Services. Support for other cloud services, like Google Cloud KMS, will come later this year.


To ensure all user data is protected, ScyllaDB will encrypt:

  • All user tables
  • Commit logs
  • Batch logs
  • Hinted handoff data

This ensures all customer data is properly encrypted.

The first step of the encryption process is to encrypt every record with a data encryption key (DEK). Once the data is encrypted with the DEK, it is sent to AWS KMS, where the master key (MK) resides. The DEK is then encrypted with the master key (MK), producing an encrypted DEK (EDEK or a wrapped key).

The master key remains in the KMS, while the EDEK is returned and stored with the data. The DEK used to encrypt the data is destroyed to ensure data protection. A new DEK will be generated the next time new data needs to be encrypted.


Because the original non-encrypted DEK is destroyed when the EDEK was produced, the data cannot be decrypted. The EDEK cannot be used to decrypt the data directly because the DEK key is encrypted. It has to be decrypted, and for that, the master key will be required again.

This can only be decrypted with the master key(MK) in the KMS.

Once the DEK is unwrapped, the data can be decrypted.

As you can see, the data cannot be decrypted without the master key – which is protected at all times in the KMS and cannot be “copied” outside of KMS.

By revoking the master key, the customer can disable access to the data independently from the database or application authorization.

Multi-region deployment

Adding new data centers to the ScyllaDB cluster will create additional local keys in those regions. All master keys support multi-regions, and a copy of each key resides locally in each region – ensuring those multi-regional setups are protected from regional outages for the cloud provider and against disaster.

The keys are available in the same region as the data center and can be controlled independently.

In case you use a Customer Key – AWS KMS will charge $1/month for each cluster prorated per hour. Each additional DC creates a replica that is counted as an additional key.

There is an additional cost per key request. ScyllaDB Enterprise utilizes those requests efficiently, resulting in an estimated monthly cost of up to $1 for a 9-node cluster.

Managing encryption keys adds another layer of administrative work in addition to the extra cost. ScyllaDB Cloud offers database clusters that can be encrypted using keys managed by ScyllaDB support. They provide the same level of protection, but our support team helps you manage the master keys.

The ScyllaDB keys are applied by default and are free to our customers.

Creating a Cluster with Database-Level Encryption

Creating a cluster with database-level encryption requires:

To create a cluster with database-level encryption enabled, we will need a master key. We can either create a customer-managed key using ScyllaDB Cloud UI or skip this step completely and use a ScyllaDB Managed Key, which will skip the next six steps.

In both cases, all the data will be protected by strong encryption at the database level.

Create a Customer Managed Key

After logging into the ScyllaDB Cloud portal, select the “Security” option from the user menu.

Then, we can use the “Add Key” option.

The Add Key menu will be presented. It allows selection of cloud providers and regions. Currently, only the region can be selected. Select the region where you plan to deploy your cluster.
For multi-DC setups, choose the cluster where your first cluster will be. For my cluster, it will be US East. Click the “Set Key.”

The key is successfully configured, but it also has to be created in AWS on my behalf so I can have full control over it. This is done using CloudFormation Stack, which allows you to execute a cloud stack with your AWS permissions that will provision the key directly in AWS KMS.

Click Launch Stack in the summary pop-up to open the CloudFormation Stack in a new tab and provision your key in AWS. The AWS page will request a login and “StackPrincipal.”

The role of the “StackPrincipal” has to be provided in ARN format. Assuming your user has enough permissions, the following cloudshell command will return the ARN as the last line of the response.

[CloudShell-user@ip-10-136-55-116 ~]$ aws sts get-caller-identity 
"UserId": "AR**********************************", "Account": "023***********", 
"Arn": "arn:aws:sts::023**************************" 

Once you successfully execute the stack, the key should be created, and ScyllaDB will get permission to use it with a cluster of your choice.

In ScyllaDB, you will see the key name and a green “available,” meaning the key is ready and can be assigned.

You can still manage the key. However, if you disable it, it can no longer encrypt or decrypt the data. The next step is to create a cluster with the new key.

Choose the Dedicated VM or the Free Trial option from the New Cluster menu.

Then, select Customer Key, and you can select the key we created. The key will show only if the cluster and key regions match.

Use ScyllaDB Managed Key

If you prefer to use ScyllaDB Managed Key, skip all the above steps and choose ScyllaDB Key instead. This is an easier option that encrypts the data on the database level with the same encryption but the key will be managed by ScyllaDB Cloud agents.

Create an Encrypted Cluster

Once the master key is chosen, click Next and wait a few minutes until the cluster is created with the selected encryption option.

You can see the indicator for encryption at rest will be enabled. That’s it! Your cluster is now using database-level encryption with the selected master key.

Transparent database-level encryption in ScyllaDB Cloud significantly boosts the security of your ScyllaDB clusters and backups.


Next Steps

About Ivan (Buff) Zlatoustov

Ivan has years of experience in diverse database technologies. He transitioned from hands-on development of database solutions to creating database products. He brings technical expertise and product innovation together to the world of database-as-a-service.