How does Tablestore encrypt data? - Tablestore - Alibaba Cloud Documentation Center

Tablestore provides the data encryption feature to encrypt data when the data is saved to disks. This ensures the security of table data. When you create a data table, you can configure encryption for the data table.

Background information

By default, data encryption is disabled for a data table when the data table is created. To enable data encryption for a data table, you must configure encryption-related parameters when you create the data table. Tablestore supports two encryption modes: encryption based on a Key Management Service (KMS) key and encryption based on Bring Your Own Key (BYOK). The keys for both modes must be obtained from KMS. You can choose a mode based on your business requirements.

KMS is a one-stop key management and data encryption platform, and a one-stop secrets management platform. KMS provides simple, reliable, secure, and compliant data encryption protection and secrets management capabilities. KMS helps reduce your costs for procurement, O&M, and R&D on cryptographic infrastructure, data encryption services, and secrets management services. This way, you can focus on the development of your business application. For more information, see What is KMS?

Encryption mode	How to use	Description
KMS key-based encryption	Tablestore console Tablestore SDK	Tablestore uses the default KMS-managed Customer Master Key (CMK) to encrypt data and automatically decrypts data when the data is being read. When you use KMS key-based encryption for the first time, Tablestore creates a KMS-managed CMK in the KMS console. You do not need to purchase a KMS instance.
BYOK-based encryption	Tablestore SDK	After you use BYOK materials to generate a custom key in the KMS console, Tablestore can encrypt data based on your custom key. In this mode, you can manage the encryption key that you use.

Scenarios

You can enable the data encryption feature in scenarios that have high security or compliance requirements.

Usage notes

The data encryption feature can be configured only when you create a data table.
After you enable the data encryption feature, the feature cannot be disabled. Proceed with caution.
The data encryption feature is available in the China (Hangzhou), China (Shanghai), China (Shenzhen), China (Beijing), China (Zhangjiakou), China (Hong Kong), Singapore, India (Mumbai), US (Silicon Valley), US (Virginia), UK (London), Japan (Tokyo), Australia (Sydney), German (Frankfurt), and Malaysia (Kuala Lumpur) regions.

Enable the data encryption feature

Enable the data encryption feature in the Tablestore console

If you create a data table in the Tablestore console, you can enable only KMS key-based encryption for the data table. The encryption key is generated and managed by Tablestore.

Log on to the Tablestore console.
In the top navigation bar, select a region.
On the Overview page, click the name of the instance that you want to manage or click Manage Instance in the Actions column of the instance.
On the Instance Details tab, click Create Table.
In the Create Table dialog box, configure the parameters.
For more information about the parameters, see the Step 3: Create a data table section of the "Use the Wide Column model in the Tablestore console" topic.
1. Configure the parameters such as Table Name, Primary Key, and Allow Updates.
2. Turn on Encryption and select CMK of KMS as Encryption Type.
Click OK.
After the data table is created, click the table name. On the Basic Information tab of the Manage Table page, verify that the value of the Encryption parameter is Yes-CMK of KMS. This indicates that the data encryption feature is enabled for the data table.

Enable the data encryption feature by using Tablestore SDK

If you create a data table by using Tablestore SDK, you can enable KMS key-based encryption or BYOK-based encryption for the data table. You can use Tablestore SDK for Java to configure encryption for a data table.

KMS key-based encryption

To enable KMS key-based encryption for a data table, you need to activate KMS. However, you do not need to create a KMS instance. After you create a data table, you can call the DescribeTable operation to query the encryption configuration of the table.

The following sample code provides an example on how to enable KMS key-based encryption for a data table when you create the data table. The primary key of the data table is pk and of the STRING type. For the values of the attribute columns, only the latest version of data is retained, and the data never expires.

private static void createTable(SyncClient client) {
    // Specify the name of the data table. 
    TableMeta tableMeta = new TableMeta("<TABLE_NAME>");
    // If you want to configure data encryption, configure encryption-related parameters in the CreateTable request. The following encryption modes are supported: KMS key-based encryption and BYOK-based encryption. In this example, KMS key-based encryption is enabled. 
    SSESpecification sseKms = new SSESpecification(true, SSEKeyType.SSE_KMS_SERVICE);
    // Add a primary key column to the data table. 
    tableMeta.addPrimaryKeyColumn(new PrimaryKeySchema("pk", PrimaryKeyType.STRING)); 
    // Specify the validity period of data. A value of -1 specifies that the data never expires. Unit: seconds. You must set the timeToLive parameter to -1 for a data table for which you want to create an index table. 
    int timeToLive = -1; 
    // Specify the maximum number of versions that can be retained for each column. A value of 1 specifies that only the latest version is retained for each column. You must set the maxVersions parameter to 1 for a data table for which you want to create an index table. 
    int maxVersions = 1; 
    TableOptions tableOptions = new TableOptions(timeToLive, maxVersions);
    CreateTableRequest request = new CreateTableRequest(tableMeta, tableOptions);
    // Specify the reserved read throughput and reserved write throughout. The values must be set to 0 for data tables in capacity instances and can be set to non-zero values for data tables in high-performance instances. 
    request.setReservedThroughput(new ReservedThroughput(new CapacityUnit(0, 0))); 
    request.setSseSpecification(sseKms);
    client.createTable(request);
}

BYOK-based encryption

Create a software-protected key in the KMS console. For more information, see the Software-protected key section of the "Getting started with Key Management" topic.
Create a Resource Access Management (RAM) role and grant permissions to the RAM role.
1. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
  Set the role name to AliyunOTSAccessingKMS.
2. Create a custom policy that contains the KMS encryption and decryption permissions. For more information, see the Create a custom policy on the JSON tab section of the "Create a custom policy" topic.
  Set the policy name to otskmspolicytest. Sample policy:
```
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```
3. Attach the otskmspolicytest policy to the AliyunOTSAccessingKMS role. For more information, see Grant permissions to a RAM role.
  After you complete the authorization, record the Alibaba Cloud Resource Name (ARN) of the RAM role. The ARN indicates the ID of the RAM role.
4. Modify the trust policy of the RAM role. For more information, see Edit the trust policy of a RAM role.
  Sample trust policy:
```
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ots.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
```

Create a data table and configure encryption-related parameters.

Create a data table and enable BYOK-based encryption. After you create a data table, you can call the DescribeTable operation to query the encryption configuration of the table.

The following sample code provides an example on how to enable BYOK-based encryption for a data table when you create the data table. The primary key of the data table is pk and of the STRING type. For the values of the attribute columns, only the latest version of data is retained, and the data never expires.

private static void createTable(SyncClient client) {
    // Specify the name of the data table. 
    TableMeta tableMeta = new TableMeta("<TABLE_NAME>");
    // If you want to configure data encryption, configure encryption-related parameters in the CreateTable request. The following encryption modes are supported: KMS key-based encryption and BYOK-based encryption. 
    // Set the keyId parameter to the ID of the software-protected key that you created in the KMS console in Step 1. 
    String keyId="key-hzz65****************";
    // Set the roleArn parameter to the ARN of the RAM role that you recorded in Step 2. 
    String roleArn="acs:ram::****************:role/aliyunotsaccessingkms";
    // In this example, BYOK-based encryption is enabled. 
    // Set the keyId parameter to the ID of the custom key in KMS. Set the roleArn parameter to the ARN of the RAM role that you want to use. You need to create a RAM role and record the ARN of the RAM role. 
    SSESpecification sseByok = new SSESpecification(true, SSEKeyType.SSE_BYOK, keyId, roleArn);
    // Add a primary key column to the data table. 
    tableMeta.addPrimaryKeyColumn(new PrimaryKeySchema("pk", PrimaryKeyType.STRING)); 
    // Specify the validity period of data. A value of -1 specifies that the data never expires. Unit: seconds. You must set the timeToLive parameter to -1 for a data table for which you want to create an index table. 
    int timeToLive = -1; 
    // Specify the maximum number of versions that can be retained for each column. A value of 1 specifies that only the latest version is retained for each column. You must set the maxVersions parameter to 1 for a data table for which you want to create an index table. 
    int maxVersions = 1; 
    TableOptions tableOptions = new TableOptions(timeToLive, maxVersions);
    CreateTableRequest request = new CreateTableRequest(tableMeta, tableOptions);
    request.setReservedThroughput(new ReservedThroughput(new CapacityUnit(0, 0))); // Specify the reserved read throughput and reserved write throughout. The values must be set to 0 for data tables in capacity instances and can be set to non-zero values for data tables in high-performance instances. 
    request.setSseSpecification(sseByok);
    client.createTable(request);
}

Billing

You are charged the data encryption fee by KMS. For more information, see Billing.