adding CMEK info (#327)

Co-authored-by: Nicola Vitucci <[email protected]> Co-authored-by: Jessica Wright <[email protected]>
neo4j · Apr 18, 2024 · ca83783 · ca83783
1 parent 682ee7c
commit ca83783
Showing 1 changed file with 87 additions and 0 deletions.
diff --git a/modules/ROOT/pages/platform/security.adoc b/modules/ROOT/pages/platform/security.adoc
@@ -255,3 +255,90 @@ TLS v1.2:
 * `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5289)`
 * `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (RFC7905)`
 * `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5288)`
+
+== Customer Managed Keys
+
+label:AuraDB-Enterprise[]
+label:AuraDS-Enterprise[]
+
+[CAUTION]
+====
+This feature has been released as a public GA for AuraDB Enterprise and AuraDS Enterprise for AWS managed keys. 
+GCP’s Cloud Key Management and Azure’s Key Vault are coming soon.
+====
+
+For more control over key operations than the standard Neo4j encryption, use a Customer Managed Key (CMK).
+Create and manage keys using a supported cloud key management service (KMS). Externally, Customer Managed Keys are also known as Customer Managed Encryption Keys (CMEK).
+
+When using a Customer Managed Key, all data at rest is encrypted with the key. 
+You can encrypt new Aura v5 instances using Customer Managed Keys. 
+The feature is not supported for existing instances or v4.x instances.
+
+When using Customer Managed Keys, you give Aura permission to encrypt and decrypt using the key, but Aura has no access to the key’s material. 
+Aura has no control over the availability of your externally managed key in the KMS. 
+If you lose keys that are managed outside of Aura, Aura can’t recover your data.
+
+[WARNING]
+====
+The loss of a Customer Managed Key, through deletion, disabling, or expiration, renders all data encrypted with that key unrecoverable.
+Neo4j cannot administer database instances when keys are disabled, deleted, or permissions revoked. 
+====
+
+There is a limit of one key for AuraDB and one key for AuraDS per region.
+Depending on the KMS, there may be a delay between disabling a key, and when it can no longer be used to encrypt and decrypt data.
+
+=== AWS key
+
+* Create a key in the AWS KMS ensuring the region matches your Aura database instance. 
+Copy the generated ARN. 
+You need it in the next step. 
+* Go to *security settings* in the Aura Console, create a *Customer Managed Key* and copy the JSON code that is generated in the Aura Console when you add a key.
+* In the AWS KMS, edit the key policy to include the JSON code. 
+
+==== Editing the key policy
+
+After you have initially created a key in the AWS KMS, you can edit the key policy.
+In the AWS key policy, "Statement" is an array that consists of one or more objects. 
+Each object in the array describes a security identifier (SID).
+The objects in the AWS code array are comma-separated, e.g. `{[{'a'}, {'b'}, {'c'}]}`
+
+Add a comma after the curly brace in the final SID, and then paste the JSON code that was generated in the Aura Console, e.g. `{[{'a'}, {'b'}, {'c'}, _add code here_ ]}`
+
+=== Regionality
+
+When creating a Customer Managed Key in the AWS KMS, you can create a single-region key in a single AWS region, or create a multi-region key that you can replicate into multiple AWS regions.
+Aura only supports AWS Customer Managed Keys that reside in the same region as the instance. 
+
+[CAUTION]
+====
+In Aura, you can use AWS single-region keys, multi-region keys or replica keys as long as the key resides in the same region as the Aura instace.
+====
+
+=== Key rotation
+
+In your KMS platform, you can either configure automatic rotation for the Customer Managed Key, or you can perform a manual rotation.
+
+Although automatic rotation is not enforced by Aura, it is best practice to rotate keys regularly. 
+Manual key rotation is **not** recommended.
+
+==== AWS automatic key rotation
+
+Aura supports automatic key rotation via the AWS KMS. 
+To enable automatic key rotation in the AWS KMS, tick the *Key rotation* checkbox after initially creating a key, to automatically rotate the key once a year.
+
+=== Deleting a key
+
+In the Aura Console, if a Customer Managed Key is being used to encrypt one or more Aura instances, it cannot be deleted.
+To delete a Customer Managed Key in the Aura Console, first delete the Aura database instances encrypted with the key, then delete the Customer Managed Key.
+
+=== Cloning an instance protected by CMK
+To clone an instance protected by a Customer Managed Key, the key must be valid and available to Aura. 
+The cloned instance, by default, uses the available Customer Managed Key for that region and product.
+
+You can override this behavior by selecting the Neo4j Managed Key when cloning the database. 
+If there is no valid CMK for the destination region and product, the Neo4j Managed Key is used to encrypt the cloned instance.
+
+=== Importing an existing database
+
+To upload a database greater than 4GB to instances encrypted with Customer Managed Keys in Neo4j 5, use `neo4j-admin database upload`. 
+The `neo4j-admin push-to-cloud` command in Neo4j v4.4 and earlier is not supported for instances encrypted with Customer Managed Keys.