Guides → Data Encryption
This content applies to On-Premises installations only.
Introduction
Incorta provides multiple methods to maintain data security, one of which is data encryption at the physical column level. You can use the Table Editor to set the Encrypt property for valid columns. This property is available only for non-key columns in physical schema tables and materialized views. Additionally, a column in an alias inherits this property from the source column.
Before 2024.7.x, Incorta used 128-bit Advanced Encryption Standard (AES) encryption keys to encrypt and decrypt column data. Starting 2024.7.x, Incorta has provided multiple enhancements to data encryption in the system.
Data encryption starting 2024.7.x
Incorta has enhanced data encryption and security by introducing two new features: 256-bit encryption keys and the integration with Azure Key Vault.
256-bit data encryption keys
A new 256-bit data encryption key is now generated per cluster during cluster creation or upgrade. Incorta uses the new key to encrypt and decrypt column data. After upgrading to 2024.7.x or later, Incorta will continue to use the 128-bit encryption key to decrypt or encrypt existing encrypted data. To use the new 256-bit encryption, fully load the related physical schema objects.
Alternatively, you can provide Incorta with your own 256-bit encryption key to use for encrypting and decrypting column data.
When migrating data encrypted with the new 256-bit encryption from one environment to another, you must also import the encryption key from the source cluster to the destination. Additionally, both environments must have the same configurations for the Key Management Service.
For On-Premises installations, the Cluster Management Console (CMC) administrator can export and import encryption keys as required.
Export encryption keys
- Sign in to the CMC.
- Select Clusters, and then select the source cluster.
- On the Details tab, under Data Encryption, for Data Encryption Key, select Export. The encryption key is downloaded to the Downloads folder.
Import encryption keys
- Sign in to the CMC.
- Select Clusters, and then select the destination cluster.
- On the Details tab, under Data Encryption, for Data Encryption Key, select Import.
- In the Import key dialog, drag the encryption key that you have downloaded or select Click or drag a file to this area to upload and locate the encryption key. Select OK.
Bring your own key
Instead of using the auto-generated key, you can provide Incorta with your own 256-bit data encryption key to use for encrypting and decrypting column data.
- Sign in to the CMC.
- Select Clusters, and then select the cluster you want.
- On the Details tab, under Data Encryption, for Data Encryption Key, select BYOK.
- In the Import key dialog, drag your encryption key or select Click or drag a file to this area to upload and locate the encryption key. Select OK. The file should be of a
.key
format.
Integration with Azure Key Vault
To provide a higher level of data security, Incorta now supports the integration with the Azure Key Vault service to provide and maintain a master key to encrypt the cluster’s data encryption key. Incorta will automatically decrypt and re-encrypt the cluster’s data encryption key whenever it detects a rotation of the master key.
Here are the steps to enable and configure the integration with Azure Key Vault:
- Sign in to the CMC.
- Select Clusters, and then select the cluster you want.
- On the Details tab, under Data Encryption, for Key Management Service, select Integrate.
- In the Integrate with Microsoft Azure Key Vault dialog, enter the following:
- Key Vault Url: The URI of the key vault you want Incorta to integrate with
- Key Name: The name of the master key (the object) you have created to be used by Incorta
- Client ID: The ID of the registered application (client) that Incorta will connect to
- Client Secret: The secret created within the application
- Tenant ID: That is, Directory ID, the Azure Active Directory tenant ID used for authenticating requests to the key vault
- Select Submit.
For details, see Prepare for the integration.
- If the Key Management Service (KMS) you integrate with is unavailable, Incorta may encounter failures when reading or writing encrypted columns.
- If you need to disable this integration after enabling it, the KMS service and the master key must be available.
- If you apply a key rotation policy in Azure Key Vault, you must configure it to reserve the old master key for a specific time for Incorta to have enough time to rewrap the data encryption key.
- Before you reset your master key or cancel your Azure subscription, you must disable the integration from the CMC first. Otherwise, you cannot access your encrypted data.
- You must disable the KVM integration on the source and destination clusters before exporting or importing a data encryption key.
Additional information
Prepare for the integration
Here are the high-level steps to prepare for the integration with Azure Key Vault:
- Create a Key Vault resource in your subscription. For details, refer to Create a key vault using the Azure portal. The details of the key vault resource contain the Vault URI and the Directory (tenant) ID.
- Create a key object (the master key that Incorta will use) within the Key Vault resource. Refer to Add a key to Key Vault . The key name is required when setting the integration in the CMC.
- Add a new app registration. Refer to Register an application with the Microsoft identity platform. The app details include the Application (client) ID.
- Grant the registered application access to the key object you have created by assigning the Key Vault Crypto User role to the registered application. Refer to Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.
- Create a client secret. Refer to Add a client secret. Make sure to copy and save the secret value that will appear once you create the secret as it will not be displayed again.