This article provides answers to common questions about Customer-Managed Encryption Keys (CMEK).
Only Console Admins can create SQL users. If you are a Developer, you need to ask your Console Admin for the credentials of a SQL user to access the cluster. To find out who your Console Admin is, log in and navigate to Cluster Overview > Access.
If we don’t enable CMEK for our CockroachDB Dedicated clusters, are those encrypted in some manner by default?
Yes, CockroachDB Dedicated clusters are encrypted by default by way of encrypting the cloud disks used to store the data, using cloud provider managed keys.
Is the data encryption key rotated at some set duration or periodically? If yes, is there a way to customize the duration?
Yes, the data encryption key is rotated automatically once every month. It’s not possible to customize that duration. The new key is used to encrypt new writes, while the old data is still encrypted with the old data keys unless it’s rewritten.
Can we rotate the CMEK for a cluster after a certain time or at some periodic interval?
You can rotate a CMEK key for a CockroachDB Dedicated cluster either by creating a new version of the existing CMEK key or by creating a new CMEK key. At a high level:
To begin using a new version of an existing CMEK key:
- In your KMS platform, you can either configure automatic rotation for the CMEK key, or you can perform a manual rotation.
- CockroachDB Cloud does not automatically re-encrypt the store key using the new CMEK key version. For each region you want to update, you must also perform a rotation using the CockroachDB Cloud API without modifying the CMEK key URI. CockroachDB Cloud re-encrypts the store key using the new CMEK key version.
To begin using an entirely new CMEK key:
- Within your KMS platform, you create a new CMEK key.
- Next, you perform a rotation using the CockroachDB Cloud API and provide the new CMEK key URI.
To learn more about rotating a CMEK key using the CockroachDB Cloud API, visit Rotate a CMEK key.
If we enable CMEK for a cluster that has been in use for some time, is the existing data encrypted at that time?
CockroachDB Dedicated does not force encryption of previously-written data but instead relies on normal storage engine churn for desired encryption. That means the new key is used to encrypt newly-written data, while previously-written data remains unencrypted unless it’s rewritten.
Are CockroachDB Dedicated managed backups also encrypted using the CMEK?
Yes, the managed backups stored in CockroachDB Cloud infrastructure are also encrypted using the CMEK, by utilizing CockroachDB’s backup encryption capability. Internally, a backup data key is wrapped by the CMEK, and then the backup data key is used for encrypting the backup.
See: Take and Restore Encrypted Backups
As part of managed backup encryption, is the same backup data key used to encrypt all backups for a cluster?
A different backup data key is used for each full cluster backup, while the same backup data key is used for incremental backups on top of a full cluster backup. In all cases, the backup data key is encrypted with CMEK for a CMEK-enabled cluster.
How are the store key (Key Encryption Key) and the data key (Data Encryption Key) stored on the cluster?
The store key is only stored as encrypted by the CMEK, while it’s available as decrypted only in memory for the CockroachDB process to use. The data key is stored as encrypted by the store key, along with the data files on cluster disks.
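The following is an added example, not CockroachDB’s own code, that models the key hierarchy described in this answer together with the two rotation behaviours above (the automatic monthly data key rotation and a CMEK rotation). The `wrap`/`unwrap` functions and the `Cluster` class are a hypothetical toy model: the wrapping uses a hash-derived keystream with an HMAC tag as a stand-in for the AES-based wrapping a real KMS and storage engine use, and is not for real use.

```python
import hashlib
import hmac
import os

# Toy authenticated wrap (hash-derived keystream + HMAC tag). It stands in for the
# AES-based wrapping a real KMS and storage engine use and is not for real use.
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def wrap(kek: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(kek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ s for c, s in zip(ct, _stream(kek, nonce, len(ct))))

class Cluster:
    """Hypothetical model of the CMEK -> store key -> data key hierarchy."""
    def __init__(self, cmek: bytes):
        self.cmek = cmek                      # lives in the customer's KMS
        self.wrapped_store_key = wrap(cmek, os.urandom(32))  # store key persisted only wrapped
        self.wrapped_data_keys = {}           # key id -> data key wrapped by the store key
        self.records = []                     # on-disk data: (data key id, ciphertext)
        self.current_dk = self.rotate_data_key()

    def _store_key(self) -> bytes:            # decrypted only in memory, never written out
        return unwrap(self.cmek, self.wrapped_store_key)

    def rotate_data_key(self) -> str:         # the automatic monthly data key rotation
        kid = f"dk{len(self.wrapped_data_keys) + 1}"
        self.wrapped_data_keys[kid] = wrap(self._store_key(), os.urandom(32))
        self.current_dk = kid
        return kid

    def write(self, plaintext: bytes) -> int:  # new writes use the current data key
        dk = unwrap(self._store_key(), self.wrapped_data_keys[self.current_dk])
        self.records.append((self.current_dk, wrap(dk, plaintext)))
        return len(self.records) - 1

    def read(self, idx: int) -> bytes:        # old rows still decrypt under their old data key
        kid, blob = self.records[idx]
        return unwrap(unwrap(self._store_key(), self.wrapped_data_keys[kid]), blob)

    def rotate_cmek(self, new_cmek: bytes) -> None:  # re-wraps the store key only
        store_key = self._store_key()            # data keys and data files stay untouched
        self.cmek = new_cmek
        self.wrapped_store_key = wrap(new_cmek, store_key)
```

Writing a row, rotating the data key, writing another row and then rotating the CMEK leaves every wrapped data key and data record byte-for-byte unchanged, while the old CMEK can no longer unwrap the store key.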
Can we use CockroachDB Cloud Console to enable or revoke CMEK for a cluster?
Not yet. A user interface for CMEK will be available at a later time. At this point, the capability is API-only.
Can we enable CMEK when we add a new region to a cluster?
Not yet. The ability to enable CMEK when adding a new region will be available at a later time.
Is it possible to self-serve restore a CMEK-enabled cluster in case of a cluster failure or disaster scenario?
Not yet. To restore a failed CMEK-enabled cluster, please create a support ticket for Cockroach Labs providing your cluster ID and organization ID.