Customer keys overview
Encryption is a widely accepted mechanism for protecting data against breaches. By default, Astra DB encrypts your data at rest using keys that the cloud provider (AWS or Google Cloud) supplies and manages. Because the provider holds those keys, and so can ultimately reach the data, you can further limit data access by using customer keys: keys that you create and control in your own key management service.
Customer keys are also commonly referred to as "bring-your-own-keys," "custom encryption keys," or "customer-managed keys."
You can use the Astra Portal and DevOps API to manage customer keys in Astra DB.
Customer keys apply only to databases created after the customer key is configured. They cannot be applied to existing databases, which continue to use vendor-provided keys.
Astra DB lets you associate a key that you define in the cloud provider's key management service (KMS) with a customer key in Astra DB. Encryption transforms data into an encoded form that cannot be read without the key that decrypts it, which is why it protects data against unauthorized access regardless of industry. There are two main scenarios for encrypting data:
- Data at rest: Encrypting data while it is stored in the file storage in use.
- Data in transit: Encrypting data while it travels over private or public networks.
Customer keys control the encryption of data at rest; they have no bearing on data in transit.
Customer keys are supported for multi-region databases. Each region is encrypted with its own key, so for a multi-region database you must create a customer key for every provider-region combination, both in the KMS and in Astra DB.
Benefits
Customer keys give you full control of the encryption keys that protect your data in the cloud. A KMS helps protect against data breaches by recording every use of a key, so that tampering or unexpected access can be detected and alerted on. In a KMS, you can also configure policies that meet compliance requirements, such as audit logging, key rotation, and access control.
Setting up a customer key for your Astra DB database separates the encrypted data (the lock) from the key that encrypts and decrypts it: the data lives in Astra DB, while the key stays in your KMS. Keeping lock and key apart in this way is a best practice for protecting data with encryption.
After you create a customer-managed key in your cloud provider account's KMS, use the Astra Portal or the DevOps API to associate that key (an AWS CMK or a Google Cloud CMEK) with a customer key in Astra DB.
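The following Go program is an added illustration of the two ideas above, the lock kept apart from the key and one key per region; it is example code written for this page, not Astra DB's or any cloud provider's implementation. The MockKMS type stands in for a real KMS (in production, wrap and unwrap are API calls to AWS KMS or Cloud KMS and the key material never leaves the service), and the key IDs and sample rows are made up. Each record is encrypted under its own data encryption key (DEK); only the DEK wrapped by the customer key is stored next to the ciphertext, so stored data is unreadable the moment the customer disables the key in their KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MockKMS is a hypothetical stand-in for a cloud provider's KMS: customer keys never leave it.
type MockKMS map[string][]byte

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b)) // a failed CSPRNG is not recoverable
	return b
}

// WrapDEK and UnwrapDEK bind the key ID as AAD, so a DEK wrapped under one region's key never unwraps under another's.
func (k MockKMS) WrapDEK(keyID string, dek []byte) ([]byte, error) {
	if kek, ok := k[keyID]; ok {
		return seal(kek, dek, []byte(keyID)), nil
	}
	return nil, fmt.Errorf("kms: key %q is disabled or does not exist", keyID)
}

func (k MockKMS) UnwrapDEK(keyID string, wrapped []byte) ([]byte, error) {
	if kek, ok := k[keyID]; ok {
		return open(kek, wrapped, []byte(keyID))
	}
	return nil, fmt.Errorf("kms: key %q is disabled or does not exist", keyID)
}

// gcm builds AES-256-GCM; keys are generated internally, so a bad key size is a bug, not a runtime error.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce || AES-GCM(plaintext, aad) under a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Record is what storage persists: the "lock". None of it is readable without a live unwrap from the KMS.
type Record struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptAtRest encrypts the data under a fresh per-record DEK and stores only the KMS-wrapped DEK (envelope encryption).
func EncryptAtRest(k MockKMS, keyID string, plaintext []byte) (*Record, error) {
	dek := randBytes(32)
	wrapped, err := k.WrapDEK(keyID, dek)
	if err != nil {
		return nil, err
	}
	return &Record{keyID, wrapped, seal(dek, plaintext, []byte(keyID))}, nil
}

func DecryptAtRest(k MockKMS, r *Record) ([]byte, error) {
	dek, err := k.UnwrapDEK(r.KeyID, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(r.KeyID))
}

// RunScenario models a two-region database with one customer key per provider-region (illustrative IDs and rows).
// It disables the eu-west-1 key, then reports the us-east-1 row, the eu-west-1 failure, and the cross-region failure.
func RunScenario() (usEastRow string, euWestErr, crossRegionErr error) {
	const usEast, euWest = "aws/us-east-1/customer-key", "aws/eu-west-1/customer-key"
	k := MockKMS{usEast: randBytes(32), euWest: randBytes(32)} // one 256-bit customer key per region
	recUS := must(EncryptAtRest(k, usEast, []byte("us-east-1 row")))
	recEU := must(EncryptAtRest(k, euWest, []byte("eu-west-1 row")))
	delete(k, euWest) // the customer disables the eu-west-1 key in their own KMS
	usEastRow = string(must(DecryptAtRest(k, recUS)))
	_, euWestErr = DecryptAtRest(k, recEU)                                                   // key gone: data stays dark
	_, crossRegionErr = DecryptAtRest(k, &Record{usEast, recEU.WrappedDEK, recEU.Ciphertext}) // wrong region's key
	return usEastRow, euWestErr, crossRegionErr
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints the recovered us-east-1 row followed by two errors: the eu-west-1 record cannot be unwrapped once its key is disabled, even though the ciphertext and wrapped DEK are still on disk, and the eu-west-1 DEK fails authentication under the us-east-1 key because the key ID is bound into the wrap. The same holds with a real KMS: every unwrap is a call the provider logs, and disabling, rotating or restricting the key in your KMS takes effect without touching the stored data.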
If you have more stringent compliance requirements, also consider driver-level encryption, which encrypts column values in the client before they reach the database. For more information, see the Column Encryption documentation for the Python Cassandra driver or the C# Cassandra driver.
Pricing
This feature requires a paid Astra DB Serverless subscription and a database in an AWS or Google Cloud region. For information about managing your Astra DB Serverless subscription, see Subscriptions and billing.
AWS CMK fees
Customer Managed Keys (CMK) in AWS might incur a monthly fee per key and a usage fee beyond the AWS free tier. Key usage also counts against the AWS KMS quotas for your AWS account. For details, see AWS Key Management Service Pricing and Quotas in the AWS documentation.
Google Cloud CMEK fees
Customer Managed Encryption Keys (CMEK) in Google Cloud might incur a monthly fee per key and a usage fee beyond the Google Cloud free tier. Key usage also counts against the Google Cloud KMS quotas for your project. For details, see Customer Managed Encryption Key in the Google Cloud documentation.