Encrypting DWS Databases
Overview
In DWS, you can enable database encryption for a cluster to protect data at rest. After you enable encryption, the cluster's data and its snapshots are encrypted. Encryption is an optional and immutable setting that can be configured only during cluster creation. To encrypt an unencrypted cluster (or the reverse), export all data from the existing cluster and import it into a new cluster that has database encryption enabled.
If encryption is required, enable it during cluster creation. Although encryption is an optional setting of DWS, you are advised to enable this setting for clusters that contain sensitive data.
Who Has the Rights to Encrypt DWS Databases?
- Security administrators (users having Security Administrator rights) can grant the KMS access rights to DWS for using disk encryption.
- When a common user who does not have the Security Administrator rights needs to use the disk encryption feature, the condition varies depending on whether the user is the first one ever in the current region or project to use this feature.
  - If the user is the first, the user must contact a user having the Security Administrator rights to grant the KMS access rights to DWS. Then, the user can use the disk encryption feature.
  - If the user is not the first, the user can use the disk encryption function directly.
From the perspective of a tenant, as long as the KMS access rights have been granted to DWS in a region, all users in the same region can directly use the disk encryption feature.
If there are multiple projects in the current region, the KMS access rights need to be granted to each project in this region.
Process of Using KMS to Encrypt DWS Databases
When you choose KMS to manage DWS keys, a three-layer key management structure is adopted, including the cluster master key (CMK), cluster encryption key (CEK), and database encryption key (DEK).
The CMK is used to encrypt the CEK and is stored in KMS.
The CEK is used to encrypt the DEK. The CEK plaintext is stored in the data warehouse cluster's memory, and the ciphertext is stored in DWS.
The DEK is used to encrypt database data. The DEK plaintext is stored in the data warehouse cluster's memory, and the ciphertext is stored in DWS.
The procedure of using the keys is as follows:
- You choose a CMK.
- DWS randomly generates the CEK and DEK plaintext.
- KMS uses the CMK you choose to encrypt the CEK plaintext and imports the encrypted CEK ciphertext to DWS.
- DWS uses the CEK plaintext to encrypt the DEK plaintext and saves the encrypted DEK ciphertext.
- DWS transfers the DEK plaintext to the cluster and loads it to the cluster's memory.
When the cluster is restarted, it automatically requests the DEK plaintext from DWS through an API. DWS loads the CEK and DEK ciphertext to the cluster's memory, invokes KMS to decrypt the CEK using the CMK, loads the CEK to the memory, decrypts the DEK using the CEK plaintext, loads the DEK to the memory, and returns it to the cluster.
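The key hierarchy and the restart sequence described above, as an added worked example in Go. This is not code from the DWS documentation or from the service itself: the KMS type is a hypothetical stand-in that holds the CMK and exposes only wrap and unwrap, AES-256-GCM is assumed as the wrapping and data-encryption algorithm (the page names no algorithm), and Provision and Restart are hypothetical functions that follow the listed steps. The point it makes visible is that the only key material ever persisted is ciphertext, that the CMK never leaves the KMS boundary, and that because the wrapping is authenticated, a restart against a KMS holding a different CMK fails cleanly instead of producing a wrong DEK.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes returns n fresh CSPRNG bytes; a failing CSPRNG is fatal here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-256-GCM AEAD (assumed algorithm). Every key in this
// example is 32 bytes by construction, so a bad length is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // AES blocks are always GCM-compatible
	return gcm
}

// seal encrypts plaintext under key and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; the GCM tag turns a wrong key or a tampered blob
// into an error instead of garbage key material.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// KMS is a hypothetical stand-in for the real KMS: it holds the CMK and
// exposes only wrap/unwrap, so the CMK never leaves it.
type KMS struct{ cmk []byte }

func NewKMS() *KMS                                   { return &KMS{cmk: randBytes(32)} }
func (k *KMS) WrapCEK(cek []byte) []byte             { return seal(k.cmk, cek) }
func (k *KMS) UnwrapCEK(blob []byte) ([]byte, error) { return unseal(k.cmk, blob) }

// StoredKeys is all DWS persists: ciphertext only. CEK and DEK plaintext
// exist solely in the running cluster's memory.
type StoredKeys struct {
	CEKCiphertext []byte // CEK wrapped under the CMK by KMS
	DEKCiphertext []byte // DEK wrapped under the CEK by DWS
}

// Provision mirrors cluster creation: generate CEK and DEK, have KMS wrap
// the CEK under the CMK, wrap the DEK under the CEK, and hand the DEK
// plaintext to the cluster.
func Provision(kms *KMS) (StoredKeys, []byte) {
	cek, dek := randBytes(32), randBytes(32)
	return StoredKeys{kms.WrapCEK(cek), seal(cek, dek)}, dek
}

// Restart mirrors a cluster restart: KMS unwraps the CEK with the CMK, the
// CEK plaintext unwraps the DEK, and the DEK goes back to the cluster.
func Restart(kms *KMS, stored StoredKeys) ([]byte, error) {
	cek, err := kms.UnwrapCEK(stored.CEKCiphertext)
	if err != nil {
		return nil, err
	}
	return unseal(cek, stored.DEKCiphertext)
}

// RoundTrip encrypts a constructed row with the DEK, simulates a restart,
// and reports whether the recovered DEK decrypts it.
func RoundTrip() bool {
	kms := NewKMS()
	stored, dek := Provision(kms)
	row := []byte("constructed sample row: customer_id=42")
	ct := seal(dek, row)
	dek2, err := Restart(kms, stored)
	if err != nil {
		return false
	}
	pt, err := unseal(dek2, ct)
	return err == nil && bytes.Equal(pt, row)
}

// WrongCMKFails shows the persisted ciphertexts are useless without the
// original CMK: a KMS holding a different CMK cannot unwrap the CEK.
func WrongCMKFails() bool {
	stored, _ := Provision(NewKMS())
	_, err := Restart(NewKMS(), stored)
	return err != nil
}

func main() { fmt.Println(RoundTrip(), WrongCMKFails()) }
```

Run it with `go run .`; it prints `true true`. The design choice worth noting is the authenticated wrap: with an unauthenticated mode, Restart against the wrong CMK would hand the cluster a random 32-byte "DEK" and every subsequent read would fail in confusing ways, whereas GCM reports the failure at the unwrap step, which is the point where an operator can act (for example by checking that the KMS delegation and key still exist).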
Using KMS to Encrypt DWS Databases (on the Console)
- On the DWS management console, click Buy DWS Cluster.
- Enable Encrypt DataStore.
- In the Advanced Settings area, click Custom. The Encrypt DataStore switch is displayed.
Figure 1 Encrypting DataStore
To enable Encrypt DataStore, turn the switch on. When you enable database encryption for each project in each region for the first time, the system displays a Create Delegation dialog box. Click Yes to authorize DWS to access KMS. If you click No, the encryption function is not enabled. Select the created KMS key from the KMS Key Name drop-down list. If no professional edition key is available, you can log in to the KMS console to create one. For details, see Data Encryption Workshop User Guide. To disable Encrypt DataStore, turn the switch off.
- Create a delegation.
After Encrypt DataStore is enabled, if DWS is not authorized to access KMS, the Create Agency dialog box is displayed. In this case, click Yes to authorize it. After the authorization, DWS can obtain KMS keys to encrypt and decrypt disks.
Before you use the data encryption function, KMS access rights need to be granted to DWS. If you have the right for granting, grant the KMS access rights to DWS directly. If you do not have the right, contact a user with the Security Administrator rights to grant the KMS access rights to DWS, then repeat the preceding operations.
- Set encryption.
Enable Encrypt DataStore. If the authorization succeeded, the Encrypt Setting dialog box is displayed.
Figure 2 Encryption settings
Select a key from the KMS Key Name drop-down list.
- Configure other parameters. For details about the parameters, see Creating a Cluster.