add CMEK info about existing instances and Azure keys #606

Merged (5 commits, Feb 17, 2025)
12 changes: 12 additions & 0 deletions modules/ROOT/pages/security/encryption.adoc
Expand Up @@ -29,6 +29,10 @@ Externally, Customer Managed Keys are also known as Customer Managed Encryption
When using a Customer Managed Key, all data at rest is encrypted with the key.
Customer Managed Keys are supported for v4.x and latest version instances.

It is not possible to add a Customer Managed Key to an existing Neo4j Aura instance.
The encryption key must be selected during instance creation.
To change an encryption key, clone the Aura instance and select a different encryption key.

When using Customer Managed Keys, you give Aura permission to encrypt and decrypt using the key, but Aura has no access to the key’s material.
Aura has no control over the availability of your externally managed key in the KMS.

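Review bot: The cloning guidance (from "It is not possible to add a Customer Managed Key to an existing Neo4j Aura instance" through "clone the Aura instance and select a different encryption key") does not say what happens to the original instance. Since the section states that all data at rest is encrypted with the key chosen at creation and that Aura has no control over the key's availability in the KMS, a reader changing keys needs to know that the original instance is still encrypted with the original key, so that key must stay enabled in the KMS until the clone has been verified and the original instance is retired; suggest adding a sentence to that effect after "select a different encryption key." Also, "supported for v4.x and latest version instances" is ambiguous about which version "latest" refers to; naming the supported versions explicitly would be clearer.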
Expand Down Expand Up @@ -164,6 +168,14 @@ For more information about the Azure CLI, see link:https://learn.microsoft.com/e
. In *Select members*, paste the *Neo4j CMK Application name* that is displayed in the Aura Console.
. The *Neo4j CMK Application* should appear, select this application then *Review + Assign*.

=== Azure key rotation

If you rotate an Azure key and immediately disable the old one, the connection status in Aura changes from "Ready" to "Pending".
This happens because Azure Storage checks for key updates once every 24 hours, as outlined in link:https://learn.microsoft.com/en-gb/azure/storage/common/customer-managed-keys-configure-new-account?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal#configure-encryption-for-automatic-updating-of-key-versions[Microsoft Azure documentation].
If a key is rotated and the old version is disabled before this time passes, services relying on the key in Neo4j Aura lose access.
To avoid this wait at least 24 hours after rotating a key before disabling the old version to allow the change to take effect in Azure.
Disabling the old version too early results in Aura losing access to the key.

== GCP keys

=== Create a key ring
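Review bot: In the new "Azure key rotation" section, the last two sentences restate the third ("services relying on the key in Neo4j Aura lose access" and "Disabling the old version too early results in Aura losing access to the key" say the same thing), and "To avoid this wait at least 24 hours" needs a comma after "this". Suggest collapsing them into one sentence, e.g. "To avoid this, wait at least 24 hours after rotating a key before disabling the old version, so that Azure Storage has picked up the new key version." It would also help to state the recovery step for a reader who already sees "Pending": whether re-enabling the old key version restores the "Ready" status, or whether other action is required. Minor: the link's `?toc=...&bc=...` query parameters are only navigation hints for the Microsoft docs site and can be dropped, keeping just the page URL and the `#configure-encryption-for-automatic-updating-of-key-versions` anchor.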