Hello,
The ScyllaDB Cloud team is pleased to announce that database-level encryption is now generally available, and enabled by default for all new ScyllaDB Cloud clusters on Google Cloud, including BYOA deployments.
This release introduces encryption at the database engine layer, ensuring that data is protected well beyond the underlying cloud storage encryption.
Transparent to applications and drivers
No performance tuning or operational changes are required; database-level encryption is transparent to users.
What database-level encryption protects
All data is encrypted before being written to disk, including:
- SSTables
- Commit logs
- Hints
- CDC logs (if enabled)
- System tables that may contain user data
This ensures the data remains unreadable even if:
- Raw disks are accessed
- Snapshots are copied
- Volumes are detached or exposed
Key management model
ScyllaDB Cloud uses envelope encryption with either Customer-managed keys (CMEK) via Google Cloud KMS
The keys can be managed by the customer or by ScyllaDB on the customer’s behalf.
This provides strict separation of duties between key management and data management.
Compliance alignment
This feature helps customers meet encryption-at-rest requirements, ensuring all PII data is unreadable without the key.
Many compliance standards require database-level encryption, including but not limited to:
- PCI DSS
- HIPAA
- ISO 27001
- SOC 2
Database-level encryption is now the standard security baseline in ScyllaDB Cloud, delivering stronger data protection, simplified compliance, and seamless operation for both hosted and BYOA environments.
You can read more about the encryption process here:
ScyllaDB Cloud Documentation
Getting Started with Database-Level Encryption
