Encryption keys

Overview

To create an encrypted cluster, symmetric keys must be created in the KMS of the cloud provider and region in which you want to create your database cluster.

Cloud-specific instructions are available to allow Crunchy Bridge to create and set up access control to the keys. Access controls follow the principle of least privilege and ensure that Crunchy Bridge can never access key material.

Once a cloud encryption key is obtained, a Crunchy Bridge Encryption Key can be created using the key identifier of your KMS provider. Then you can use it to create a new encrypted cluster.

Steps

The steps below offer a general outline for setting up customer-managed encryption keys. While the examples show how the setup works with AWS, the steps are the same on the Crunchy side for all the cloud providers we support.

Create your key

The first step is to create your encryption key on the side of your cloud provider. If your cloud provider is AWS, you'll log into the AWS web console, navigate to Key Management Service and click Create Key.

Choose Symmetric Key for the key type and click Next.

Grant Crunchy Data usage permission

In order for Crunchy Bridge to use the key, you will have to grant usage permission for the key to Crunchy Data's AWS account. When defining key usage permissions, scroll to the bottom to Add another AWS account. Enter the Crunchy Data AWS Account ID in the box and press Next.

Ensure your key policy is updated to allow appropriate permissions to Crunchy Data resources.

{
  "Sid": "Allow Crunchy Data to use KMS keys",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::454431949291:user/crunchy-owl-prod"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow Crunchy Data to create grants",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::454431949291:user/crunchy-owl-prod"
  },
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": "true"
    }
  }
}
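As an added check that is not part of the Crunchy Bridge documentation or product, the script below verifies that a key policy grants the Crunchy principal exactly the usage permissions listed above, restricts CreateGrant to AWS resources, and never hands that external principal key-administration rights (policy changes, disabling or scheduling deletion). The sample policy it builds is constructed here, and the owner account 111111111111 is a placeholder.

```python
import json

# Principal and usage actions are those in the key policy shown on this page.
CRUNCHY_PRINCIPAL = "arn:aws:iam::454431949291:user/crunchy-owl-prod"
USAGE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"}
# Key-administration actions the external principal must never hold.
ADMIN_ACTIONS = {"kms:*", "kms:ScheduleKeyDeletion", "kms:PutKeyPolicy", "kms:DisableKey"}

def _as_set(value):
    """IAM accepts a string or a list for Action/Principal; normalise to a set."""
    return {value} if isinstance(value, str) else set(value or [])

def check_key_policy(policy_json: str) -> list:
    """Return findings for a KMS key policy document; an empty list means OK."""
    findings, usage_ok, grant_ok = [], False, False
    for stmt in json.loads(policy_json).get("Statement", []):
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if principal == "*" or principal.get("AWS") == "*":
            findings.append(f"{sid}: wildcard principal")
            continue
        if CRUNCHY_PRINCIPAL not in _as_set(principal.get("AWS")):
            continue  # statements for your own account are out of scope here
        actions = _as_set(stmt.get("Action"))
        if actions & ADMIN_ACTIONS:
            findings.append(f"{sid}: external principal gets {sorted(actions & ADMIN_ACTIONS)}")
        usage_ok = usage_ok or actions == USAGE_ACTIONS
        if "kms:CreateGrant" in actions:
            if stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource") == "true":
                grant_ok = True
            else:
                findings.append(f"{sid}: CreateGrant lacks kms:GrantIsForAWSResource condition")
    if not usage_ok: findings.append("no statement grants exactly the documented usage actions")
    if not grant_ok: findings.append("no CreateGrant statement restricted to AWS resources")
    return findings

def build_policy(usage_actions, grant_condition=True):
    """Constructed sample: owner admin statement plus the two Crunchy statements."""
    grant = {"Sid": "Allow Crunchy Data to create grants", "Effect": "Allow", "Resource": "*",
             "Principal": {"AWS": CRUNCHY_PRINCIPAL}, "Action": "kms:CreateGrant"}
    if grant_condition:
        grant["Condition"] = {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},  # placeholder owner account
        {"Sid": "Allow Crunchy Data to use KMS keys", "Effect": "Allow", "Resource": "*",
         "Principal": {"AWS": CRUNCHY_PRINCIPAL}, "Action": sorted(usage_actions)}, grant]})
```

Against a real key, feed the output of `aws kms get-key-policy --policy-name default` into `check_key_policy` instead of the constructed sample.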

Set up Bridge Team Encryption Key

Navigate to your Crunchy Bridge Team in the Bridge dashboard. Click the cog icon to view the Team settings, select Encryption Keys in the sidebar, and click Add Key to get started. This is where you'll provide the ARN resource identifier, provider, and region details for your key. You can also add notes in the description field.

That's it! Clusters created for that Team will now use the encryption key you manage to encrypt cluster data and backups.

Limitations

The encryption key attached to a cluster cannot be changed once created, but key rotation on the cloud provider side is still possible (see below).

All replicas and forks of an encrypted cluster will use the same encryption keys as the primary, and must use the same cloud provider in the same region as the key.

Encryption keys may also prevent a cluster from benefiting from new hardware or configurations that could improve performance, based on cloud provider limitations.

Key rotation and lifecycle

We recommend using the cloud provider's automated key rotation process. Because Crunchy Bridge Encryption Keys can only use the cloud keys to encrypt and decrypt, we have no control over their lifecycle.

Deleting a key

If the key is deleted on the cloud provider side, Crunchy Bridge will lose the capacity to access data.

Warning: Data loss is possible if key deletion is not intended. Crunchy Bridge has no way to recover the data if the key with which it is encrypted is deleted.