Customer keys overview

Encryption is a widely accepted mechanism to secure data against breaches. By default, Astra DB encrypts data, and cloud providers, such as AWS, offer encryption solutions.

Because cloud providers have access to the keys and ultimately to the data, you can further limit data access with customer keys. Customer keys are also commonly referred to as "bring-your-own-keys," "custom encryption keys," or "customer-managed keys."

In Astra DB, you associate a key you defined in the cloud provider’s key management service (KMS) with a customer key in Astra DB. Data encryption is the process of transforming data into an encoded format that is incomprehensible until it is decrypted. It is essential for organizations in all industries because it protects data from unauthorized access. There are two main scenarios for data encryption:

Data at rest

Encrypting data while it is stored in the file storage in use.

Data in transit

Encrypting data while it travels through private or public networks.

Customer keys allow you to manage the encryption of data at rest.

Customer keys are supported for multi-region databases. Each region is encrypted using its own key. To use keys for a multi-region database, you must create a customer key in each provider-region combination in the KMS and Astra DB.

Benefits

Customer keys allow you to take full control of the encryption keys when storing data in the cloud. A KMS provides protection against data breaches by alerting you when tampering occurs. In a KMS, you can configure specific policies to adhere to compliance guidelines, such as auditing, key rotation, and access.

Setting up a customer key for your Astra DB database separates the lock (the encrypted data) from the key that encrypts and decrypts it. This separation of lock and key is a best practice for securing data with encryption.
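Expressed as a KMS key policy, this separation means the key owner keeps administrative rights while the service principal gets usage rights only. The following is an added example, not DataStax code: it builds such a policy and audits an arbitrary key policy for statements that give away administration; the account ID and service principal ARN are constructed placeholders.

```python
# Added example (not DataStax code): a least-privilege AWS KMS key policy for
# a customer key, plus an audit that flags statements handing administration
# to anyone but the key owner. Account ID and principal ARN are placeholders.

# Data-plane operations a service needs on the key. Administration (policy
# changes, deletion, rotation) is deliberately not in this list.
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                 "kms:DescribeKey"]


def build_key_policy(account_id: str, service_principal: str) -> dict:
    """Owner administers the key; the service principal may only use it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Owner keeps full control, so service access can be revoked.
                "Sid": "OwnerAdministersKey",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Service gets usage rights only, never kms:*.
                "Sid": "ServiceUsesKey",
                "Effect": "Allow",
                "Principal": {"AWS": service_principal},
                "Action": USAGE_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def audit_key_policy(policy: dict, account_id: str) -> list[str]:
    """Return findings for Allow statements that break the lock/key separation."""
    owner = f"arn:aws:iam::{account_id}:root"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = principal if isinstance(principal, str) else principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "*" in arns:
            findings.append(f"{stmt.get('Sid')}: wildcard principal")
        if any(a in ("kms:*", "*") for a in actions) and any(a != owner for a in arns):
            findings.append(f"{stmt.get('Sid')}: kms:* granted outside the owner account")
    return findings
```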

After setting up a customer-managed key in your cloud provider account’s KMS, use the Astra Portal or the DevOps API to associate the existing AWS CMK with a customer key in Astra DB.

Pricing

This feature is available for paid Astra DB Classic plans with a database in an AWS region. For information about managing your subscription, go to Pricing and billing.

Customer Managed Keys (CMK) in AWS might incur a monthly fee and a fee for use in excess of the AWS free tier. The fees are counted against the AWS KMS quotas for your AWS account. For details, see AWS Key Management Service Pricing and Quotas in the AWS documentation.


© 2024 DataStax
