System Hardware Encryption

This section describes how to set up and enable hardware-based encryption on the disk drives installed in the appliance. Encryption works on disk drives for both the manager nodes and the compute blades.

Encryption Concepts

The purpose of data encryption is to prevent data visibility in the event of unauthorized access or theft. The Yellowbrick encryption feature protects data at rest on SSDs. Data is not encrypted when it is being processed in memory or moved over the network (such as during queries, loads, and other database administration operations).

Automatic encryption of data on disk is a function of a particular type of SSD known as a self-encrypting drive (SED). All data stored on all such disks in the system is encrypted automatically, using the AES256 encryption algorithm (Opal 2.0-compliant). Users do not (and cannot) choose which tables or columns to encrypt, or how to encrypt the data. If you are using encryption, you have to enable it on all of the drives on all of the blades. (When you add or replace a blade, you can enable encryption on the new blade specifically by using a combination of ybcli encryption and blade commands.)

Encryption setup involves creating a keystore on the primary manager node. The keystore, which resides on a manager node OS disk, contains and manages encryption keys for the drives (these keys are generated by a ybcli command when you enable encryption). A drive encryption key is a mechanism for accessing the encrypted data on the drive (enabling I/O to the drives). An attempt to steal data from an SED will fail because an encryption key is required to unlock the disk. SEDs cannot read their own data without the provision of the correct key.

When you set up the keystore, the system provides:
  • An authentication key for secure access to the keystore. Think of this key simply as a system-generated password. The ybcli user must provide this key in order to run any encryption commands.
  • One or more unlock keys for securely unlocking the keystore. An unlocked keystore is a prerequisite to running database operations on encrypted drives.
  • Generated encryption keys for each drive on the appliance.

You can "re-key" the unlock keys and the authentication key at any time by using the keystore rotate command. You can "re-key" the drives by using the encryption rotate command.

Encryption Setup and Enablement

To start using encryption on your appliance, you need to set up the keystore, generate keys, and unlock the keystore and drives. You can use ybcli commands to complete these steps. For details, see Setting Up Encryption.

Warning: Do not enable encryption on a Yellowbrick appliance if you do not have sufficient understanding of the process. You must be able to understand the ybcli command output for setting up and enabling encryption, and you must keep the generated encryption keys in a safe and secure location. If you lose your encryption keys, you will not be able to recover the data on the drives. You will have to work with Yellowbrick Customer Support to do an "emergency unlock" of the drives, which results in complete data loss.

Encryption Maintenance

Once the appliance is set up to use encryption, in general it does not require any management. Encryption is always on. However, there are a few scenarios in which you may have to intervene to unlock the keystore and the drives or complete other maintenance tasks. See also Managing Encrypted Drives.

The keystore is automatically locked whenever a failover occurs or the system is power-cycled, either intentionally or because of a power or hardware failure. The same requirement applies anytime that hardware is removed from the system.

A manager node failover does not trigger any change to the encryption setup, except that the keystore is moved to the other manager node. Encryption will continue to operate as normal during and after the failover operation.

You can enhance the security of the system by periodically "rotating" keys:
  • The encryption rotate command generates new keys on all of the drives.
  • The keystore rotate command generates new unlock keys and a new authentication key.

Rotating keys on the drives requires the database to be shut down. The keystore itself can have its keys rotated while the database is online.

It is rarely necessary to disable encryption, but you can do it with the encryption disable command, which requires a database shutdown. When you disable encryption, no data is removed from the drives.