GridGain Developers Hub

Transparent Data Encryption for Managed Clusters

Alex Levitski
Technical Writer

In GridGain Nebula, your data is always encrypted:

  • In transit with the use of SSL/TLS

  • At rest at the volume level (the EBS volumes on AWS are encrypted)

However, for real-life, industry standard-compliant cluster operations, we recommend that you encrypt your data at the database level.

GridGain Nebula supports transparent database-level encryption that follows the envelope strategy. The key-encrypting key (a.k.a. the "main" key) is a Customer Managed Key (CMK). You fully control the CMK; GridGain Nebula cannot access this key’s cryptographic data. The CMK GridGain Nebula uses on AWS is provided by the AWS Key Management Service (KMS).

The following diagram depicts the transparent encryption solution.

encryption diagram

This tutorial walks you through the following procedures:

Create a Transparently Encrypted Cluster

By default, the transparent data encryption is disabled. When you click Edit in the Data Encryption section of the Create Managed Cluster dialog, the Edit Data Encryption dialog appears as shown below (see Creating a Managed Cluster):

encryption 1

To define transparent data encryption for your managed cluster, proceed as follows.

Create a Customer Managed Key (CMK)

Customer Managed Key (CMK) is a key you (as a user) create in your AWS account.

To create a CMK under your AWS account:

  1. In the AWS CLI, run the following command:

    aws kms create-key \
    --tags TagKey=Purpose,TagValue=GridGain \
    --description "GridGain CMK" \
    --key-spec SYMMETRIC_DEFAULT \
    --key-usage ENCRYPT_DECRYPT \
    --multi-region \
    --region us-west-2

  2. Save the key ARN that appears in the command output.

Create a Role and an Assume Policy

In this section, you create:

  • A role for GridGain Nebula in your AWS account

  • A policy that enables the GridGain AWS account to assume the role you have created

Proceed as follows:

  1. In the GridGain Nebula UI, in the Edit Data Encryption dialog, select Enabled.

    encryption 2

  2. Create a policy that will enable the GridGain account to assume the created role:

    1. Copy the JSON content that appears in the top field.

    2. On your machine, create the assume.json file and paste the copied content into that file.

    3. Upload the assume.json file to your AWS account using the Upload File option from the Actions pulldown menu in the AWS CLI window.

    4. Create the gridgain-kms-role AWS IAM role for accessing CMK (describe, encrypt, and decrypt) by running the following command in the AWS CLI:

      aws iam create-role \
 --role-name gridgain-kms-role \
 --assume-role-policy-document file://assume.json

    5. Save the role ARN that appears in the command output.

  3. In the Edit Data Encryption dialog, paste the role ARN into the IAM Role ARN field. Click Continue.

  4. Paste the key ARN into the Customer Managed Key ARN field that opens.

    encryption 3

  5. Click Continue.

    encryption 4

Update the Role with an Access Policy

In this section, you add to the GridGain role (which you have created under your AWS account) a policy that enables the GridGain AWS account to access the CMK for the managed cluster.

Proceed as follows:

  1. Copy the JSON content that appears in field 1 under the Update Policy section.

  2. On your machine, create the access.json file and paste the copied content into that file.

  3. Upload the access.json file to your AWS account using the Upload File option from the Actions pulldown menu in the AWS CLI window.

  4. Update the previously created gridgain-kms-role AWS IAM role by running the following command in the AWS CLI:

    aws iam put-role-policy \
 --role-name gridgain-kms-role \
 --policy-name gridgain-access-kms-role-policy \
 --policy-document file://access.json

  5. In the Edit Data Encryption dialog, click Save.

Change Encryption Definitions

Normally, AWS rotates CMK by itself. When that happens, GridGain Nebula automatically starts using the new CMK. However, in certain situations, you may want to change your CMK manually; for example, if the old one becomes compromised.

After manually rotating the CMK or creating a new CMK in in your AWS account, you need to update the encryption definitions (the CMK and, optionally, the Access policy) in your cluster. You can initiate this update in the Cluster Management screen or the My Cluster screen.

To change the encryption definitions:

  1. From the cluster’s context menu, select Data Encryption.

  2. In the Data Encryption dialog that opens, click Change CMK Key.

    change encryption 1

  3. In the Edit Data Encryption dialog that opens, replace the current Customer Manage Key ARN with the new KMS ARN value, then click Continue.

    change encryption 2

  4. Optionally, follow instructions in Step 2 to update the access policy, then click Save.

    change encryption 3

Learn More

Now that you have created a managed cluster with KMS encryption, you can connect to this cluster via a thin client.

© 2024 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.

Last updated on Apr 10, 2024