Customer Managed Encryption Keys

Overview

“Encryption” encompasses the processes and controls used to ensure that data remains inaccessible to unauthorized users and to protect the data transferred between users, client applications, and the computers/services involved. In accordance with best practices, SingleStore applies encryption to data both in transit and data at rest. Refer to Encryption for more information.

Customer Managed Keys

Encryption keys are created and maintained with a cloud key management service (KMS) using key material owned by the cloud service provider. SingleStore does not have access to these encryption keys, nor can it manage them. SingleStore uses these keys solely for encryption and decryption operations.

A Managed Service customer can use their own key stored in their cloud key vault to encrypt data at rest. This provides the customer with control over their own data, including the ability to grant and revoke permission to it using this key, and implement a key rotation schedule based on corporate policy. In the dedicated edition, encryption of data at rest using customer managed encryption can use separate keys for encryption of the data and the backup bucket.

Benefits of using Customer Managed Keys

The benefits of using of customer managed keys for data encryption at rest include:

  • A customer can maintain the proper set of permissions for SingleStore to access the KMS keys.

  • Once an existing key is rotated, the new key will be used for data protection. A customer can also set the automatic key rotation in their key vault (such as with AWS KMS), which will rotate the key every year. This allows a customer to own the data lifecycle and protect their data based on business priorities.

  • A customer can control/restrict access to their data for SingleStore and the cloud service provider. In the case of a data breach, a customer can easily revoke access to their data. This approach allows Zero Trust to be achieved with SingleStore. Once key access is revoked, SingleStore will no longer have access to a customer’s data. To resume normal cluster operations, the customer must explicitly grant SingleStore access to their data.

This section provides instructions on how to use customer managed keys with AWS, with instructions for Azure and GCP to be provided at a later date.