Hello, In documentation in the chapter "Installing and initializing a cloud (Windows)" under "Install and configure the first cloud partner" section p6: "Encryption and Secure Feature Key Settings". I need more explanation on cloud encryption - does this mean that all databases will be encrypted by-default? Is this feature optional or required? If this feature is turned off - can I encrypt individual database? And what encryption algorithms is supported - AES, FIPS AES? Thank you!

asked 20 May '15, 15:00

s_tristan's gravatar image

s_tristan
71224
accept rate: 0%

edited 21 May '15, 13:55

Mark%20Culp's gravatar image

Mark Culp
23.2k9132273

Wild guesses:

  1. The paragraph continues with

The encryption key is restricted to 7-bit ASCII characters and is used to encrypt the cloud. By default, the cloud uses RSA encryption. To use FIPS encryption for the cloud, specify Use FIPS encryption. You cannot alter the FIPS encryption setting once your cloud is created.

RSA and FIPS-RSA are not used for database encryption but for transport-layer encryption, therefore I would think the according key may refer to the certificate used within the cloud.

  1. From the "What happens to my database when it is added to the cloud?" topic:

If the database is encrypted, the cloud also uses the database encryption key.

So I would conclude that each database should be encrypted as desired (i.e. with AES, AES256, AES_FIPS or AES256_FIPS) (or left unencrypted) before it is copied to the cloud.

(21 May '15, 10:25) Volker Barth

There are multiple keys that need to be provided during installation and cloud creation.

"encryption key for the cloud"

This key is used to encrypt the cloud meta data (ex. the names of the tenant databases in the cloud, the userids and other information for cloud users that you might create for administering the cloud, the names of the various hosts within the cloud etc.) This key is not used for encrypting tenant databases that get added to the cloud.

"secured feature access key"

Many features are locked down and controlled in the cloud. For example, suppose a user connects to his/her tenant database in the cloud and then tries to use xp_read_file() to access files on the cloud host. By default such file access features (as well as many others) are locked down for tenant databases in the cloud. A cloud administer can unlock such features for tenants if needed and the secured feature access key is used to do this feature unlocking.

"cloud certificate settings"

All communication between nodes in the cloud is secured. If you are providing your own certificate for this secured communication or if you have the cloud install create a certificate for you, then you have the option of providing the root password for that certificate.

In each of the above cases, the keys provided during installation/cloud instantiation are specifically for the entire cloud data and administration. None of the keys provided during installation/creation relate to tenant databases that will be added after the cloud is up and running. Tenant databases can have their own individual encryption keys and that database specific key is provided when the database is added to the cloud.

HTH Karim

permanent link

answered 21 May '15, 10:53

Karim%20Khamis's gravatar image

Karim Khamis
5.6k53870
accept rate: 40%

edited 21 May '15, 11:00

@Volker @Karim - big Thanks You! It is all clear now!

(21 May '15, 10:59) s_tristan
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×33
×2

question asked: 20 May '15, 15:00

question was seen: 1,236 times

last updated: 21 May '15, 13:55