Hello, in the documentation, in the chapter "Installing and initializing a cloud (Windows)" under the "Install and configure the first cloud partner" section, p6: "Encryption and Secure Feature Key Settings". I need more explanation on cloud encryption - does this mean that all databases will be encrypted by default? Is this feature optional or required? If this feature is turned off, can I encrypt an individual database? And what encryption algorithms are supported - AES, FIPS AES? Thank you!
There are multiple keys that need to be provided during installation and cloud creation.
"encryption key for the cloud"
This key is used to encrypt the cloud metadata (e.g. the names of the tenant databases in the cloud, the user IDs and other information for cloud users that you might create for administering the cloud, the names of the various hosts within the cloud, etc.). This key is not used for encrypting tenant databases that get added to the cloud.
"secured feature access key"
Many features are locked down and controlled in the cloud. For example, suppose a user connects to his/her tenant database in the cloud and then tries to use xp_read_file() to access files on the cloud host. By default, such file access features (as well as many others) are locked down for tenant databases in the cloud. A cloud administrator can unlock such features for tenants if needed, and the secured feature access key is used to do this feature unlocking.
"cloud certificate settings"
All communication between nodes in the cloud is secured. If you are providing your own certificate for this secured communication or if you have the cloud install create a certificate for you, then you have the option of providing the root password for that certificate.
In each of the above cases, the keys provided during installation/cloud instantiation are specifically for the entire cloud data and administration. None of the keys provided during installation/creation relate to tenant databases that will be added after the cloud is up and running. Tenant databases can have their own individual encryption keys, and that database-specific key is provided when the database is added to the cloud.