Encryption at rest

This page describes how to enable and disable encryption at rest in a YugabyteDB cluster with a user-generated key.

Enabling encryption

Step 1. Create encryption key

First, we will generate the universe key data. This data can have length 32, 40, or 48. Larger keys are slightly more secure with slightly worse performance. Run the following on your local filesystem.

  $ openssl rand -out universe_key [ 32 | 40 | 48 ]

Step 2. Copy key to master nodes

In this example, we assume a 3 node RF=3 cluster with addresses ip1, ip2, ip3. Copy the universe key onto each master filesystem, in the same location on every node.

  $ for ip in ip1 ip2 ip3
  do
    # Expand the loop variable so each master receives the key
    scp -i <ssh_key> -P 54422 universe_key ${ip}:/mnt/d0/yb-data/master
  done

Note: The key can live in any subdir of the master dir, as long as it lives in the same place on each node. In addition, the data dir may vary depending on how the cluster is created.

Step 3. Enable cluster-wide encryption

Use yb-admin to tell the cluster about the new universe key.

  $ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 rotate_universe_key \
      /mnt/d0/yb-data/master/universe_key

Note: Because data is encrypted in the background as part of flushes to disk and compactions, only new data will be encrypted. Therefore, the call should return quickly.

Step 4. Verify encryption enabled

To check the encryption status of the cluster, run the following yb-admin command.

  $ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 is_encryption_enabled
  Encryption status: ENABLED with key id <key_id>

Rotating a new key

Step 1. Creating a new key

First, we create the new key to rotate to.

  $ openssl rand -out universe_key_2 [ 32 | 40 | 48 ]

Note: The new key name must be distinct from the previous key name.

Step 2. Copy new key to master nodes

As with enabling, copy the new universe key onto each master filesystem, in the same location on every node.

  $ for ip in ip1 ip2 ip3
  do
    # Copy the new key (universe_key_2), not the one already in use
    scp -i <ssh_key> -P 54422 universe_key_2 ${ip}:/mnt/d0/yb-data/master/
  done

Step 3. Rotate key

Use yb-admin to tell the cluster about the new universe key.

  $ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 rotate_universe_key \
      /mnt/d0/yb-data/master/universe_key_2

Step 4. Verify new key

Check that the new key is encrypting the cluster.

  $ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 is_encryption_enabled
  Encryption status: ENABLED with key id <key_id_2>

<key_id_2> should be different from the previous <key_id>.
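
A pre-flight check for the key files created in Step 1 of "Enabling encryption" and "Rotating a new key", to run before the scp step. This is an added example, not part of the YugabyteDB tooling: the function names, the owner-only permission rule and the check for reused key bytes are assumptions made here; the allowed lengths and the distinct-name rule come from this page.

```shell
#!/bin/sh
# Added example (not YugabyteDB code): validate a universe key file locally
# before it is copied to the master nodes.

# new_universe_key PATH SIZE: generate the key so that only the owner can
# read it (umask 077 is a hardening assumption, not a documented requirement).
new_universe_key() {
    ( umask 077 && openssl rand -out "$1" "$2" )
}

# check_universe_key KEY [PREVIOUS_KEY]
# Returns 0 when KEY passes every check; prints the reason and returns 1 otherwise.
check_universe_key() {
    key=$1
    prev=${2:-}
    [ -f "$key" ] || { echo "missing: $key" >&2; return 1; }

    # The page allows key data of length 32, 40 or 48 only.
    size=$(( $(wc -c < "$key") ))
    case $size in
        32|40|48) ;;
        *) echo "bad length: $size" >&2; return 1 ;;
    esac

    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "group/other access: $key" >&2; return 1; }

    if [ -n "$prev" ]; then
        # Rotation: the new key name must be distinct from the previous one.
        [ "$(basename "$key")" != "$(basename "$prev")" ] ||
            { echo "key name reused" >&2; return 1; }
        # Added check: identical bytes would mean nothing was actually rotated.
        if [ -f "$prev" ] && cmp -s "$key" "$prev"; then
            echo "key material reused" >&2
            return 1
        fi
    fi
    return 0
}
```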

Disable encryption

Step 1. Disable cluster-wide encryption

Use yb-admin to disable encryption.

  $ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 disable_encryption

Step 2. Verify encryption disabled

Check that encryption is disabled.

  $ yb-admin -master_addresses ip1:7100,ip2:7100,ip3:7100 is_encryption_enabled
  Encryption status: DISABLED