diff --git a/modules/ROOT/pages/security/encryption.adoc b/modules/ROOT/pages/security/encryption.adoc index c71c59e12..be45eae8b 100644 --- a/modules/ROOT/pages/security/encryption.adoc +++ b/modules/ROOT/pages/security/encryption.adoc @@ -29,6 +29,10 @@ Externally, Customer Managed Keys are also known as Customer Managed Encryption When using a Customer Managed Key, all data at rest is encrypted with the key. Customer Managed Keys are supported for v4.x and latest version instances. +It is not possible to add a Customer Managed Key to an existing Neo4j Aura instance. +The encryption key must be selected during instance creation. +To change an encryption key, clone the Aura instance and select a different encryption key. + When using Customer Managed Keys, you give Aura permission to encrypt and decrypt using the key, but Aura has no access to the key’s material. Aura has no control over the availability of your externally managed key in the KMS. 
@@ -164,6 +168,14 @@ For more information about the Azure CLI, see link:https://learn.microsoft.com/e . In *Select members*, paste the *Neo4j CMK Application name* that is displayed in the Aura Console. . The *Neo4j CMK Application* should appear, select this application then *Review + Assign*. +=== Azure key rotation + +If you immediately disable the old key version after the Azure key is rotated, the connection status in Aura changes from "Ready" to "Pending". +This happens because Azure Storage checks for key updates once every 24 hours, as outlined in link:https://learn.microsoft.com/en-gb/azure/storage/common/customer-managed-keys-configure-new-account?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal#configure-encryption-for-automatic-updating-of-key-versions[Microsoft Azure documentation]. +If a key is rotated and the old version is disabled before this time passes, services relying on the key in Neo4j Aura lose access. +To avoid this wait at least 24 hours after rotating a key before disabling the old version to allow the change to take effect in Azure. +Disabling the old version too early results in Aura losing access to the key. + == GCP keys === Create a key ring
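Review bot: the new paragraph in the first hunk ("It is not possible to add a Customer Managed Key to an existing Neo4j Aura instance...") documents the clone workaround but not its consequence for the original instance, which stays encrypted under the old key: the hunk's own context notes that Aura has no control over the availability of the externally managed key, so the text should tell the reader to keep the old key enabled in the KMS until the original instance is deleted, and that after cloning there are two copies of the data encrypted under two different keys. Consider wrapping the three added lines in a `[NOTE]` admonition so the restriction is not read past.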
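Review bot: the "=== Azure key rotation" section in the second hunk describes the failure (status moves from "Ready" to "Pending" when the old key version is disabled within the 24-hour Azure Storage refresh window) but gives no recovery step; state whether re-enabling the old key version and waiting for the next refresh restores the connection, or what the operator should do instead. Two smaller points: "To avoid this wait at least 24 hours" needs a comma after "this", and the final line "Disabling the old version too early results in Aura losing access to the key." repeats the sentence two lines above it and can be dropped. The Microsoft link also carries `toc`, `bc` and `tabs` query parameters that are navigation state rather than part of the document address; trimming them to the page path plus the `#configure-encryption-for-automatic-updating-of-key-versions` anchor keeps the link stable.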