Customer keys overview
Encryption is a widely accepted mechanism for protecting data against breaches. By default, Astra DB encrypts your data, and cloud providers, such as AWS, offer their own encryption solutions.
With provider-managed encryption, however, the cloud provider holds the keys and can therefore ultimately reach the data. Customer keys let you further limit who can access your data by keeping the key under your control. Customer keys are also commonly referred to as "bring-your-own-keys," "custom encryption keys," or "customer-managed keys."
In Astra DB, you associate a key that you define in the cloud provider's key management service (KMS) with a customer key in Astra DB.
Data encryption is a process that transforms data into an encoded format; once encoded, the data is unreadable until it is decrypted. Encryption is essential for organizations in every industry because it protects data from unauthorized access. There are two main scenarios:
- Data at rest: encrypting data while it is stored on the storage in use.
- Data in transit: encrypting data while it travels over private or public networks.
Customer keys let you manage the encryption of data at rest.
Customer keys are supported for multi-region databases. Each region is encrypted with its own key. To use customer keys with a multi-region database, you must create a customer key for each provider-region combination, both in the KMS and in Astra DB.
Benefits
Customer keys let you retain control of the encryption keys when storing data in the cloud. A KMS records every use of a key, so you can audit access and alert on unexpected use, and it lets you configure policies that meet compliance requirements, such as auditing, key rotation, and access control.
Setting up a customer key for your Astra DB database keeps the key that encrypts and decrypts the data separate from the encrypted data itself, and under your control. This separation of lock and key is a best practice for securing data with encryption.
After creating a customer-managed key in your cloud provider account's KMS, use the Astra Portal or the DevOps API to associate the existing AWS CMK with a customer key in Astra DB.
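The access-control side of the KMS policies mentioned above is where a customer-key setup most often goes wrong: the consuming service is granted `kms:*`, or the owner statement is left out and the key becomes unmanageable. The following is an added example, not code from the Astra DB documentation or from DataStax. It builds a least-privilege AWS KMS key policy that lets a consumer principal perform only cryptographic operations while the owner account keeps administration, and it lints an existing policy for the usual mistakes. The account ID and the `ASTRA_PRINCIPAL_ARN` role are constructed placeholders; take the real principal for your provider-region from the Astra Portal or DevOps API.

```python
"""Build and lint an AWS KMS key policy for a customer key (added example)."""
import json
from fnmatch import fnmatch

# Constructed placeholders (assumptions, not values from the page): substitute
# your own account ID and the principal Astra DB documents for your provider-region.
OWNER_ACCOUNT_ID = "111122223333"
ASTRA_PRINCIPAL_ARN = "arn:aws:iam::444455556666:role/astra-cmk-placeholder"

# Cryptographic operations only: enough to encrypt and decrypt data at rest,
# nothing that changes, disables or deletes the key.
CONSUMER_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]
# Actions that must stay with the key owner.
ADMIN_ACTIONS = [
    "kms:PutKeyPolicy",
    "kms:ScheduleKeyDeletion",
    "kms:DisableKey",
    "kms:DisableKeyRotation",
]


def owner_root_arn(account_id):
    return f"arn:aws:iam::{account_id}:root"


def build_key_policy(owner_account_id, consumer_arn):
    """Return a least-privilege key policy document as a dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Required: a KMS key with no owner/admin statement cannot be managed.
                "Sid": "EnableKeyAdministrationByOwner",
                "Effect": "Allow",
                "Principal": {"AWS": owner_root_arn(owner_account_id)},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowAstraDbCryptographicUse",
                "Effect": "Allow",
                "Principal": {"AWS": consumer_arn},
                "Action": CONSUMER_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []


def find_policy_problems(policy, owner_account_id):
    """Lint a key policy; returns human-readable problems (empty list means OK)."""
    problems = []
    owner = owner_root_arn(owner_account_id)
    owner_can_administer = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        for principal in _aws_principals(stmt):
            if principal == "*":
                problems.append(f"{sid}: grants access to any AWS principal")
                continue
            if principal == owner:
                if any(fnmatch("kms:PutKeyPolicy", a) for a in actions):
                    owner_can_administer = True
                continue
            # Any other principal (the consumer) must not receive admin actions;
            # action patterns such as "kms:*" are expanded with fnmatch.
            leaked = sorted({adm for adm in ADMIN_ACTIONS for a in actions if fnmatch(adm, a)})
            if leaked:
                problems.append(f"{sid}: {principal} can {', '.join(leaked)}")
    if not owner_can_administer:
        problems.append("no statement lets the owner account administer the key")
    return problems


def policy_json(policy):
    """Serialise for: aws kms create-key --policy file://key-policy.json"""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    good = build_key_policy(OWNER_ACCOUNT_ID, ASTRA_PRINCIPAL_ARN)
    print(policy_json(good))
    print("problems:", find_policy_problems(good, OWNER_ACCOUNT_ID))
    # Weak variant: the consumer is granted every KMS action.
    weak = build_key_policy(OWNER_ACCOUNT_ID, ASTRA_PRINCIPAL_ARN)
    weak["Statement"][1]["Action"] = "kms:*"
    print("problems:", find_policy_problems(weak, OWNER_ACCOUNT_ID))
```

Write the output of `policy_json` to a file and pass it with `aws kms create-key --policy file://key-policy.json`, then turn on automatic rotation with `aws kms enable-key-rotation --key-id <key-id>`; both are standard AWS CLI commands. Run `find_policy_problems` against the policy returned by `aws kms get-key-policy` before associating the key with Astra DB, so that a consumer principal never ends up able to delete or disable the key that protects your data at rest.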
Pricing
This feature is available for paid Astra DB Classic plans with a database in an AWS region. For information about managing your subscription, go to Pricing and billing.
Customer managed keys (CMKs) in AWS might incur a monthly fee per key and a usage fee for requests beyond the AWS free tier. Key usage also counts against the AWS KMS quotas for your AWS account. For details, see AWS Key Management Service Pricing and Quotas in the AWS documentation.