This topic describes how to encrypt data in Hologres. This topic also provides the mechanism, limits, and procedure of data encryption in Hologres.
Background information
Hologres allows you to use Key Management Service (KMS) to encrypt data for storage. This way, Hologres can provide static data protection to meet the requirements for enterprise governance and security compliance. After data encryption is enabled, query and write performance is affected due to the encryption and decryption operations. The performance loss is about 20% to 40%. The specific performance loss depends on the query characteristics.
Limits
Only Hologres V1.1 and later support data encryption for storage. If the version of your Hologres instance is earlier than V1.1, manually upgrade your Hologres instance in the Hologres console or join a Hologres DingTalk group to apply for an instance upgrade. For more information about how to manually upgrade a Hologres instance, see Instance upgrades. For more information about how to join a Hologres DingTalk group, see Obtain online support for Hologres.
If the version of your Hologres instance is earlier than V1.3.31, you must add backend configurations before you can use data encryption for storage. If the version of your Hologres instance is V1.3.31 or later, you do not need to add backend configurations. If you want to use data encryption for storage, we recommend that you upgrade your Hologres instance to V1.3.31 or later. For more information, see Instance upgrades.
Your operations such as disabling and deleting your customer master keys (CMKs) in KMS may affect data encryption or decryption in Hologres. Hologres caches historical configurations. Your operations in KMS take effect in a delayed manner within 24 hours.
You can encrypt data for storage only if data encryption for storage is enabled. Data in the tables that are created before this feature is enabled cannot be encrypted for storage.
After the data encryption feature is enabled, you can still create a Hologres foreign table in MaxCompute for data reads and writes.
After the data encryption feature is enabled, you can use the following SQL statement to disable data encryption for a database. The data of the tables that are created before this feature is disabled is still encrypted. Only data in the tables that are created after this feature is disabled cannot be encrypted for storage.
ALTER DATABASE <database_name> set hg_experimental_encryption_options='';If the KMS keys of a table are disabled or invalid after the data encryption feature is enabled, data cannot be read from or written into the table.
In Hologres V2.0 and later, you can configure a data encryption rule for each table. You can configure different KMS keys for different tables.
Data encryption mechanism
Hologres uses KMS-managed keys to encrypt and decrypt data based on the following data encryption mechanism:
Hologres uses keys in KMS to encrypt or decrypt data. The data encryption feature is enabled for a database, not a Hologres instance or specific tables. Before you use the data encryption feature, make sure that KMS is activated in the region in which your Hologres instance resides.
KMS generates and manages keys and ensures security of the keys.
Hologres supports the following encryption algorithms: AES-256, AES-CTR, RC4, and SM4.
In Hologres, you can only use the Bring Your Own Key (BYOK) feature to encrypt or decrypt data. The following types of materials can be used to create a CMK for encrypting data: key materials that are generated by KMS when you create a CMK, and the imported key materials.
You can create a CMK in KMS and use this CMK to encrypt data in a database in Hologres. For more information about how to create a CMK in KMS, see Create a CMK.
When you read or write data, Hologres calls KMS API operations to obtain key information. By default, the key information is retained for 24 hours. As a result, you are charged for using KMS when you use the data encryption feature. For more information about KMS billing, see Billing of KMS.
Procedure
Create a custom policy
Log on to the Resource Access Management (RAM) console. In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab. On the JSON tab, enter the following script in the code editor and set Name to AliyunHologresEncryptionDefaultRolePolicy.
{ "Version": "1", "Statement": [ { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey" ], "Resource": "acs:kms:*:*:*/*", "Effect": "Allow" } ] }Click OK. The custom policy is created.
Create a RAM role and grant permissions to the RAM role.
Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role. In the Select Role Type step of the Create Role panel, select Alibaba Cloud Service for Select Trusted Entity.
Click Next. In the Configure Role step, set Role Type to Normal Service Role, enter AliyunHologresEncryptionDefaultRole in the RAM Role Name field, select Hologres from the Select Trusted Service drop-down list, and then click OK.
In the Finish step, click Add Permissions to RAM Role.
In the Add Permissions panel, set Authorized Scope to Alibaba Cloud Account. In the Select Policy section, click the Custom Policy tab and enter AliyunHologresEncryptionDefaultRolePolicy that you created in Step 1.
Click OK. The RAM role is created and permissions are granted to the RAM role.
After the RAM role is created, click the name of the role. On the Trust Policy Management tab, check whether the trust policy settings are the same as those in the following figure. If they are inconsistent, check whether the steps for creating the role are correct.
Create a CMK.
Log on to the KMS console.
In the top navigation bar, select the region in which you want to create a CMK.
In the left-side navigation pane, click Keys.
Click Create Key. In the Create Key dialog box, set the parameters that are described in the following table.
Parameter
Description
KMS Instance
The KMS instance for which you want to create a key.
Key Spec
The type of the CMK. Valid values:
Types of symmetric CMKs:
Aliyun_AES_256
Aliyun_SM4
Types of asymmetric CMKs:
RSA_2048
RSA_3072
EC_P256
EC_P256K
EC_SM2
NoteThe Aliyun_SM4 and EC_SM2 types are supported only for regions in the Chinese mainland in which managed hardware security modules (HSMs) are used.
The RSA_3072 type is supported only by a dedicated KMS instance.
Purpose
The purpose of the CMK. Valid values:
Encrypt/Decrypt: encrypts or decrypts data.
Sign/Verify: generates or verifies a digital signature.
Alias Name
The alias of the CMK, which helps identify the CMK. Aliases are optional for CMKs.
For more information, see Overview.
Protection Level
The protection level of the CMK. Valid values:
Software: The CMK is protected by using a software module.
Hsm: The CMK is managed in an HSM, and the HSM safeguards the CMK.
Description
The description of the CMK.
Rotation Period
The interval of automatic rotation. Valid values:
30 Days
90 Days
180 Days
365 Days
Disable: Automatic rotation is disabled.
Customize: You can specify a custom interval that ranges from 7 days to 730 days.
NoteYou can set this parameter only if you set the Key Spec parameter to Aliyun_AES_256 or Aliyun_SM4.
Enable data encryption for a database.
Log on to the database for which you want to enable data encryption. For more information about how to log on to a database, see Log on to a database.
On the Ad-hoc Query tab, select the instance to which the database belongs from the Instance drop-down list and select the database from the Database drop-down list. Enter the following statement in the SQL editor and click Run.
This SQL statement is used to enable data encryption for the database.
ALTER DATABASE <db_name> SET hg_experimental_encryption_options='<encryption_type>,<cmk_id>,<ram_role>,<uid>';The following table describes the parameters in the preceding syntax.
Parameter
Description
db_name
The name of the database for which you want to enable data encryption.
encryption_type
The encryption algorithm that you want to use to encrypt data. Valid values: AES256, AESCTR, RC4, and SM4.
cmk_id
The ID of the CMK. You can obtain the ID of the CMK on the CMK details page in the KMS console.
ram_role
The RAM role that is assigned to Hologres.
uid
The ID of the Alibaba Cloud account. For more information, see Account IDs.
The following sample statements show you how to enable data encryption for a database, create a table in the database and write data to the table, and then query the data of the table in Hologres.
Enable data encryption for a database.
ALTER DATABASE hoxxxx set hg_experimental_encryption_options= 'AES256,623c26ee-xxxx-xxxx-xxxx-91d323cc4855,AliyunHologresEncryptionDefaultRole,187xxxxxxxxxxxxx';Create a table in the database and write data to the table.
DROP TABLE IF EXISTS a; CREATE TABLE a(id int); INSERT INTO a values(1); SELECT hg_admin_command('flush'); -- This statement is used for testing only. This statement allows query results to be immediately displayed.Query the data of the table in Hologres.
SELECT * FROM a;The following figure shows the query result.
If you disable KMS and restart the Hologres instance, an error is reported when you query the data in Table a. If you do not restart the Hologres instance after KMS is disabled, you can query the data in Table a within 24 hours. After 24 hours, an error is reported when you query the data in Table a.
Configure data encryption for a table
In Hologres V2.0 and later, you can configure data encryption rules for a table after you enable data encryption for the database where the table resides. This way, you can use different KMS keys to encrypt data in different tables.
Configure data encryption rules for a table
Usage notes
If no data encryption rule is configured for a table, the system uses the data encryption rule specified by
hg_experimental_encryption_optionsto encrypt data in the table.You can configure data encryption rules for a table only when you create the table.
Syntax
CALL SET_TABLE_PROPERTY('<table_name>', 'encryption_options', '<encryption_type>,<cmk_id>,<ram_role>,<uid>');The following table describes the parameters in the preceding syntax.
Parameter
Description
table_name
The name of the table for which you want to configure data encryption rules.
encryption_type
The encryption algorithm that you want to use to encrypt data. Valid values: AES256, AESCTR, RC4, and SM4.
cmk_id
The ID of the CMK. You can obtain the ID of the CMK on the CMK details page in the KMS console.
ram_role
The RAM role that is assigned to Hologres.
uid
The ID of the Alibaba Cloud account. For more information, see Account IDs.
Example
Create a table named lineitem and configure the AES256 encryption algorithm and the CMK 623c26ee-xxxx-xxxx-xxxx-91d323cc4855 for the table.
BEGIN; CREATE TABLE LINEITEM ( L_ORDERKEY BIGINT NOT NULL, L_PARTKEY INT NOT NULL, L_SUPPKEY INT NOT NULL, L_LINENUMBER INT NOT NULL, L_QUANTITY DECIMAL(15,2) NOT NULL, L_EXTENDEDPRICE DECIMAL(15,2) NOT NULL, L_DISCOUNT DECIMAL(15,2) NOT NULL, L_TAX DECIMAL(15,2) NOT NULL, L_RETURNFLAG TEXT NOT NULL, L_LINESTATUS TEXT NOT NULL, L_SHIPDATE TIMESTAMPTZ NOT NULL, L_COMMITDATE TIMESTAMPTZ NOT NULL, L_RECEIPTDATE TIMESTAMPTZ NOT NULL, L_SHIPINSTRUCT TEXT NOT NULL, L_SHIPMODE TEXT NOT NULL, L_COMMENT TEXT NOT NULL, PRIMARY KEY (L_ORDERKEY,L_LINENUMBER) ); CALL SET_TABLE_PROPERTY('LINEITEM', 'encryption_options', 'AES256,623c26ee-xxxx-xxxx-xxxx-91d323cc4855,AliyunHologresEncryptionDefaultRole,153xxxxxxxxxxxxx'); COMMIT;
Query data encryption rules
In Hologres V2.0 and later, you can execute the following SQL statement to query the data encryption rules of a table:
SELECT
*
FROM
hologres.hg_table_properties
WHERE
property_key = 'encryption_options';The following figure shows a sample result.