From 1bf86021e330165ca8952d337a681c7d00b05286 Mon Sep 17 00:00:00 2001 From: Leticia Webb <110556185+leticiawebb@users.noreply.github.com> Date: Thu, 6 Feb 2025 16:26:34 -0700 Subject: [PATCH 1/2] Add CMEK instructions for GCP --- docs/en/cloud/security/cmek.md | 36 ++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/docs/en/cloud/security/cmek.md b/docs/en/cloud/security/cmek.md index 0d20811892d..9508bd4f641 100644 --- a/docs/en/cloud/security/cmek.md +++ b/docs/en/cloud/security/cmek.md @@ -12,7 +12,7 @@ import EnterprisePlanFeatureBadge from '@theme/badges/EnterprisePlanFeatureBadge Data at rest is encrypted by default using cloud provider-managed AES 256 keys. Customers may enable Transparent Data Encryption (TDE) to provide an additional layer of protection for service data. Additionally, customers may supply their own key to implement Customer Managed Encryption Keys (CMEK) for their service. -Enhanced encryption is currently available in AWS services. Other cloud providers are coming soon. +Enhanced encryption is currently available in AWS and GCP services. Azure is coming soon. ## Transparent Data Encryption (TDE) 
@@ -30,15 +30,17 @@ TDE must be enabled on service creation. Existing services cannot be encrypted a Deleting a KMS key used to encrypt a ClickHouse Cloud service will cause your ClickHouse service to be stopped and its data will be unretrievable, along with existing backups. ::: -Once a service is encrypted with TDE, customers may update the key to enable CMEK. +Once a service is encrypted with TDE, customers may update the key to enable CMEK. The service will automatically restart after updating the Transparent Data Encryption setting. During this process, the old KMS key decrypts the data encrypting key (DEK), and the new KMS key re-encrypts the DEK. This ensures that the service on restart will use the new KMS key for encryption operations moving forward. This process may take several minutes. + +### CMEK with AWS KMS 1. In ClickHouse Cloud, select the encrypted service 2. Click on the Settings on the left 3. At the bottom of the screen, expand the Network security information -4. Copy the Encryption role ID - you will need this in a future step -5. In AWS, [create a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) +4. Copy the Encryption role ID (AWS) or Encryption Service Account (GCP) - you will need this in a future step +5. [Create a KMS key for AWS](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) 6. Click the key -7. Edit the Key policy as follows +7. Update the AWS key policy as follows: ```json { 
@@ -57,12 +59,26 @@ Once a service is encrypted with TDE, customers may update the key to enable CME } ``` -9. Save the Key policy -10. Copy the Key ARN -11. Return to ClickHouse Cloud and paste the Key ARN -12. Save the change +10. Save the Key policy +11. Copy the Key ARN +12. Return to ClickHouse Cloud and paste the Key ARN in the Transparent Data Encryption section of the Service Settings +13. Save the change + +### CMEK with GCP KMS -The service will automatically restart. During this process, the old KMS key decrypts the data encrypting key (DEK), and the new KMS key re-encrypts the DEK. This ensures that the service on restart will use the new KMS key for encryption operations moving forward. This process may take several minutes. +1. In ClickHouse Cloud, select the encrypted service +2. Click on the Settings on the left +3. At the bottom of the screen, expand the Network security information +4. Copy the Encryption Service Account (GCP) - you will need this in a future step +5. [Create a KMS key for GCP](https://cloud.google.com/kms/docs/create-key) +6. Click the key +7. Grant the following permissions to the GCP Encryption Service Account copied in step 4 above. + - Cloud KMS CryptoKey Encrypter/Decrypter + - Cloud KMS Viewer +10. Save the Key permission +11. Copy the Key Resource Path +12. Return to ClickHouse Cloud and paste the Key Resource Path in the Transparent Data Encryption section of the Service Settings +13. Save the change ## Backup and Restore From 5eb587113279f89b4260a7d9fbf440d0681d94d1 Mon Sep 17 00:00:00 2001 From: Vinay Suryadevara <126499167+vinay92-ch@users.noreply.github.com> Date: Wed, 12 Feb 2025 08:05:31 -0800 Subject: [PATCH 2/2] Update aspell-dict.txt --- scripts/aspell-ignore/en/aspell-dict.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/aspell-ignore/en/aspell-dict.txt b/scripts/aspell-ignore/en/aspell-dict.txt index ef8f66dcd42..9d5502f2241 100644 --- a/scripts/aspell-ignore/en/aspell-dict.txt 
+++ b/scripts/aspell-ignore/en/aspell-dict.txt @@ -222,6 +222,7 @@ Cramer's Criteo Crotty Crowdsourced +CryptoKey Ctrl CurrentMetrics CustomSeparated @@ -241,6 +242,7 @@ DDLWorkerThreads DDLWorkerThreadsActive DDLs DECRYPT +Decrypter DELETEs DESC DIEs @@ -323,6 +325,7 @@ Embeddable EmbeddedRocksDB Embeddings Encodings +Encrypter Enum Enums Eoan
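Review bot: In the cmek.md hunk at `@@ -30,15 +30,17 @@`, step 4 of the new "CMEK with AWS KMS" list still reads "Copy the Encryption role ID (AWS) or Encryption Service Account (GCP)", but that list now sits under an AWS-only heading and the GCP section that follows repeats its own step 4 for the service account. Drop the GCP alternative here so a reader following the AWS steps is not told to look for a value that does not apply to their service, e.g. "4. Copy the Encryption role ID - you will need this in a future step". The sentence moved up into this hunk ("The service will automatically restart after updating the Transparent Data Encryption setting...") now correctly applies to both providers, which is a good reason for the split, but it should also be clear that the restart only begins once the key ARN or resource name is saved in step 13 of either section.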
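Review bot: In the cmek.md hunk at `@@ -57,12 +59,26 @@`, step 7 of "CMEK with GCP KMS" grants "Cloud KMS CryptoKey Encrypter/Decrypter" and "Cloud KMS Viewer" to the Encryption Service Account but does not say at which scope; since the preceding step is "Click the key", state explicitly that the IAM binding is added on that key (or its key ring) rather than at project level, so the ClickHouse service account cannot use any other key in the project. Two smaller points in the same hunk: step 11 asks for the "Key Resource Path", which GCP documentation calls the key's resource name (`projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY`); quoting that format, and saying whether a key or a key version name is expected, would save a round trip. And the numbering skips 8 and 9 in both lists (AWS: "7. Update the AWS key policy", the policy block, then "10. Save the Key policy"; GCP: "7. Grant the following permissions" with its sub-bullets, then "10. Save the Key permission"), so renumber the remaining steps from 8. The "(GCP)" qualifier in the GCP section's step 4 is redundant under that heading and can go.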