SingleStore Managed Service

Encryption

Overview

This section covers data encryption in transit and at rest, including data masking.

Encryption in Transit

For data in transit, SingleStore supports TLS 1.2 for all connections to the database. Transport Layer Security (TLS) uses a combination of symmetric and asymmetric encryption focusing on the uses of key pairs: a public key and a private key.

To ensure a secure connection to SingleStore, SQL clients must be properly configured both to require a secure connection and to verify the server certificate that is presented. If a customer has REQUIRE SSL configured for a user, that user will not be able to connect without SSL. Allowing connections without SSL, or without certificate verification, can compromise security and lead to man-in-the-middle attacks: a would-be attacker can impersonate the server when SSL is disabled, or establish a "secure" connection by impersonating the server with an illegitimate server certificate that the client does not verify.

Refer to Connect to SingleStore using TLS/SSL for additional information.
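As an added example (not SingleStore's own code or documentation), the following Python shows what "require a secure connection and verify the server certificate" means on the client side. It builds an ssl.SSLContext that enforces TLS 1.2 or newer, requires a server certificate, and checks the hostname; it also builds the permissive context that leads to the man-in-the-middle exposure described above, and a small audit function that reports why a given context is unsafe. The connect() helper assumes the PyMySQL library (SingleStore speaks the MySQL wire protocol); the host, user and CA bundle path are placeholders.

```python
"""Client-side TLS configuration for a MySQL-wire-compatible database.

Added example, not SingleStore's own code. Assumes PyMySQL for connect();
everything else uses only the Python standard library.
"""
import ssl


def verifying_tls_context(ca_bundle_path=None):
    """Context that matches the documentation's requirements:
    TLS 1.2+, server certificate required, hostname checked.

    ca_bundle_path: optional PEM file with the CA that signed the server
    certificate; None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(
        purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle_path
    )
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject servers without a trusted cert
    ctx.check_hostname = True            # cert must match the host we dialled
    return ctx


def permissive_tls_context():
    """The anti-pattern: the channel is encrypted, but any certificate is
    accepted, so an impersonating server is not detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings explaining why ctx is unsafe; empty if OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 allowed (minimum_version too low)")
    return findings


def connect(host, user, password, database, ca_bundle_path=None, port=3306):
    """Open a connection that refuses to proceed without verified TLS.

    Assumes PyMySQL, whose connect() accepts an ssl.SSLContext via `ssl=`.
    Imported here so the rest of the module works without the driver.
    """
    import pymysql  # assumed client library, not part of the documentation

    return pymysql.connect(
        host=host,
        port=port,
        user=user,
        password=password,
        database=database,
        ssl=verifying_tls_context(ca_bundle_path),
    )


if __name__ == "__main__":
    for name, ctx in (("verifying", verifying_tls_context()),
                      ("permissive", permissive_tls_context())):
        print(name, "->", audit_tls_context(ctx) or "ok")
```

The permissive context is what a client ends up with when it is told to "use SSL" but not to verify the certificate: traffic is encrypted, yet an attacker presenting an illegitimate certificate is accepted. Pairing a verifying client with REQUIRE SSL on the server-side user, as the section describes, closes both the plaintext and the unverified-certificate cases.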

Encryption at Rest

For data at rest, SingleStore utilizes the best-practice solution provided by the cloud-hosting partner, which is AES-256 for AWS, Azure, and Google Cloud. AES-256 is a symmetric encryption algorithm with a 256-bit key length and is currently the strongest encryption algorithm available. In a standard configuration, the cloud-managed KMS key is used to encrypt persistent storage (i.e., EBS and S3) at rest.

Key access and usage are captured using AWS CloudTrail. (As previously noted, SingleStore cannot access the shared key material directly.) For the Data Plane, SingleStore logs all access to the clusters and runs the clusters with audit logging enabled and captured. For audit logging purposes, the ADMIN-ONLY-INCLUDING-PARSE-FAILS level is used to provide completeness. Audit logs can be accessed via the portal and, in the future, SingleStore will provide a customer-accessible API for collecting audit logs directly.

Data Masking

SingleStore Managed Service has confirmed and certified integration with Thales CipherTrust Transparent Encryption.

There is a continued effort to work with additional vendors providing a wider range of encryption options for SingleStore Managed Service.