Encryption keys
The Encryption Keys page in Cube Cloud allows you to manage data-at-rest encryption in Cube Store.
Data-at-rest encryption in Cube Store is available in Cube Cloud on the Enterprise Premier product tier. It also requires the M Cube Store Worker tier.
Navigate to Settings → Encryption Keys in your Cube Cloud deployment to provide, rotate, or drop your own customer-managed keys (CMK) for Cube Store.
Customer-managed keys for Cube Store
On the Encryption Keys page, you can see all previously provided keys.
Add a key
To add an encryption key, click Create to open a modal window. Provide the key name and the key value: a 256-bit AES encryption key, encoded in standard Base64 in its canonical representation.
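One way to produce a key value in the format described above and to check a candidate before pasting it into the modal. This is an added example, not Cube's own code; the function names `generate_key` and `check_key` are hypothetical, and treating surrounding whitespace as a problem is a conservative assumption.

```python
import base64
import binascii
import secrets

KEY_BYTES = 32  # 256-bit AES key


def generate_key() -> str:
    """Return a fresh random 256-bit key as canonical standard Base64 (44 chars)."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def check_key(value: str) -> list[str]:
    """Return the problems found in a candidate key value; an empty list means OK."""
    problems = []
    # Assumption: a trailing newline from a shell pipeline is treated as an error.
    if value != value.strip():
        problems.append("leading or trailing whitespace")
        value = value.strip()
    # URL-safe Base64 swaps '+' and '/' for '-' and '_'; the page asks for standard.
    if "-" in value or "_" in value:
        problems.append("URL-safe alphabet used; standard Base64 uses + and /")
        return problems
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        problems.append(f"not valid standard Base64: {exc}")
        return problems
    if len(raw) != KEY_BYTES:
        problems.append(f"decodes to {len(raw)} bytes, expected {KEY_BYTES}")
    # Canonical form: padded, and unused trailing bits of the last symbol are zero,
    # so re-encoding the decoded bytes must give back exactly the same string.
    if base64.b64encode(raw).decode("ascii") != value:
        problems.append("not canonical: re-encoding gives a different string")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs (all-zero keys, for illustration only).
    samples = ["A" * 43 + "=", "A" * 42 + "B=", "A" * 43, "A" * 22 + "=="]
    for sample in samples:
        print(sample, "->", check_key(sample) or "ok")
```

Generate the key on a trusted machine and keep a copy in your own secret store, since partitions encrypted with it cannot be read without it.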
Once the first encryption key is added, Cube Store will assume that data-at-rest encryption is enabled. After that, querying unencrypted pre-aggregation partitions will yield the following error: "Invalid Parquet file in encrypted mode. File (or at least the Parquet footer) is not encrypted".
It may take a few minutes for any changes to encryption keys to take effect.
After the refresh worker builds or rebuilds pre-aggregation partitions according to their refresh strategy, or after they are built manually, their data will be encrypted.
For encryption, the most recently added encryption key is used. For decryption, all previously provided keys can be used, if there are still any pre-aggregation partitions encrypted with those keys.
Rotate a key
To rotate an encryption key, you have to add a new key and then rebuild pre-aggregation partitions using this key, either by means of the refresh worker or manually.
You can check which encryption key is used by any pre-aggregation partition by querying system.tables in Cube Store via SQL Runner.
Only newly built or rebuilt pre-aggregation partitions will be encrypted using the newly added encryption key. Previously built partitions will still be encrypted using previously provided keys. If you drop a key before these partitions are rebuilt, querying them will yield an error.
If you're using incremental pre-aggregations, the refresh worker will likely only rebuild some of their partitions. You have to rebuild them manually to ensure that the new encryption key is used.
Drop a key
To drop an encryption key, click Delete next to it.