Sql Anywhere On-demand edition cloud encryption

Former Member

Hello, in the documentation, in the chapter "Installing and initializing a cloud (Windows)", under the "Install and configure the first cloud partner" section, p6: "Encryption and Secure Feature Key Settings". I need more explanation on cloud encryption - does this mean that all databases will be encrypted by default? Is this feature optional or required? If this feature is turned off, can I encrypt an individual database? And what encryption algorithms are supported - AES, FIPS AES? Thank you!

VolkerBarth
Contributor

Wild guesses:

  1. The paragraph continues with

The encryption key is restricted to 7-bit ASCII characters and is used to encrypt the cloud. By default, the cloud uses RSA encryption. To use FIPS encryption for the cloud, specify Use FIPS encryption. You cannot alter the FIPS encryption setting once your cloud is created.

RSA and FIPS-RSA are not used for database encryption but for transport-layer encryption, therefore I would think the corresponding key may refer to the certificate used within the cloud.

  2. From the "What happens to my database when it is added to the cloud?" topic:

If the database is encrypted, the cloud also uses the database encryption key.

So I would conclude that each database should be encrypted as desired (i.e. with AES, AES256, AES_FIPS or AES256_FIPS) (or left unencrypted) before it is copied to the cloud.
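As an added illustration, not part of Volker's reply or of the product documentation, this is how a tenant database would be created already encrypted with one of the algorithms named above, and how to confirm that setting before the file is copied to the cloud. The statements are standard SQL Anywhere SQL rather than anything cloud-specific; the file name and the key string are constructed placeholders.

```sql
-- Added example: create the tenant database encrypted *before* it is added to the cloud.
-- 'tenant1.db' and the key string are constructed placeholders, not values from the page.
-- The key must be supplied again whenever the database is started or added to the cloud,
-- so keep it in a secrets store rather than in a deployment script.
CREATE DATABASE 'tenant1.db'
    ENCRYPTED KEY 'REPLACE-WITH-STRONG-7BIT-ASCII-KEY'
    ALGORITHM 'AES256_FIPS';

-- A strongly encrypted database cannot be started without its key.
START DATABASE 'tenant1.db' KEY 'REPLACE-WITH-STRONG-7BIT-ASCII-KEY';

-- Verification, run while connected to the new database: DB_PROPERTY('Encryption')
-- reports the algorithm actually in effect. 'None' means the file is unencrypted and
-- 'Simple' means obfuscation only; neither is a substitute for one of the AES variants.
SELECT DB_PROPERTY('Encryption') AS encryption_algorithm;
```

The FIPS variants depend on the separately licensed FIPS-certified encryption component being installed; if it is absent, use 'AES' or 'AES256' instead, and in either case check the property after creation rather than assuming the CREATE DATABASE clause took effect.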

Accepted Solutions (0)

Answers (1)


Former Member

There are multiple keys that need to be provided during installation and cloud creation.

"encryption key for the cloud"

This key is used to encrypt the cloud metadata (e.g. the names of the tenant databases in the cloud, the user IDs and other information for cloud users that you might create for administering the cloud, the names of the various hosts within the cloud, etc.). This key is not used for encrypting tenant databases that get added to the cloud.

"secured feature access key"

Many features are locked down and controlled in the cloud. For example, suppose a user connects to his/her tenant database in the cloud and then tries to use xp_read_file() to access files on the cloud host. By default such file access features (as well as many others) are locked down for tenant databases in the cloud. A cloud administrator can unlock such features for tenants if needed, and the secured feature access key is used to do this feature unlocking.

"cloud certificate settings"

All communication between nodes in the cloud is secured. If you are providing your own certificate for this secured communication or if you have the cloud install create a certificate for you, then you have the option of providing the root password for that certificate.

In each of the above cases, the keys provided during installation/cloud instantiation are specifically for the entire cloud data and administration. None of the keys provided during installation/creation relate to tenant databases that will be added after the cloud is up and running. Tenant databases can have their own individual encryption keys and that database specific key is provided when the database is added to the cloud.

HTH, Karim

Former Member

@Volker @Karim - a big thank you! It is all clear now!