[RELEASE] ScyllaDB Enterprise 2023.1.1

The ScyllaDB team announces ScyllaDB Enterprise 2023.1.1, a production-ready bug-fix patch release for the ScyllaDB Enterprise 2023.1 LTS release.

This patch release enables support of KMS integration for Encryption at Rest, allows ScyllaDB to work with a FIPS-enabled Ubuntu, and fixes multiple minor bugs.

You are encouraged to upgrade to it in coordination with the ScyllaDB Support team.

Amazon KMS Integration for Encryption at Rest

Scylla Enterprise has supported Encryption at Rest (EaR) for a long time. Until now, the keys for EaR could be stored locally, in an encrypted table, or on an external KMIP server.

Release 2023.1.1 adds the ability to use Amazon KMS keys.

ScyllaDB can now use a Customer Managed Key (CMK), stored in KMS, to create, encrypt, and decrypt Data Keys (DEK), which are then used to encrypt and decrypt the data in storage, such as SSTables, commit logs, batches, and hints logs. See AWS KMS concepts, Data Keys for more information.

Before using KMS, you need to set KMS as a key provider and validate that ScyllaDB nodes have permission to access and use the CMK you created in KMS.

Once you do that, you can use the CMK in the CREATE and ALTER TABLE commands with KmsKeyProviderFactory, as follows:

CREATE TABLE myks.mytable (...<columns>...) WITH
scylla_encryption_options = {
  'cipher_algorithm' : 'AES/CBC/PKCS5Padding',
  'secret_key_strength' : 128,
  'key_provider': 'KmsKeyProviderFactory',
  'kms_host': 'my_key'
}

Where “my_key” points to a section in scylla.yaml:

kms_hosts:
  my_key:
    aws_use_ec2_credentials: true
    aws_use_ec2_region: true
    master_key: alias/MyScyllaKey

You can also use the KMS provider to encrypt system-level data.

See more examples and info here.
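
One way to run the permission check described above before pointing a table at the CMK, as an added example that is not part of the original announcement or ScyllaDB's own code: it walks the same envelope flow (KMS creates a data key, then unwraps it) through a client exposing boto3's `describe_key`, `generate_data_key` and `decrypt` calls. The names `check_cmk_access` and `StubKms` are hypothetical, the stub is a constructed stand-in so the block runs offline, and it is an assumption that a node needs these three operations on the key.

```python
# Added example (not ScyllaDB code); check_cmk_access and StubKms are hypothetical.
import os


def check_cmk_access(kms, key_id, key_bits=128):
    """Return a list of problems; an empty list means the CMK is usable."""
    problems = []
    try:
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if not meta.get("Enabled"):
            problems.append("CMK is not enabled (state: %s)" % meta.get("KeyState"))
    except Exception as exc:  # e.g. access denied or key not found
        problems.append("describe_key failed: %s" % exc)
    try:
        # Envelope flow from the text: KMS creates a data key and returns it
        # in plaintext and wrapped under the CMK; decrypt must unwrap it again.
        dek = kms.generate_data_key(KeyId=key_id, KeySpec="AES_%d" % key_bits)
        out = kms.decrypt(CiphertextBlob=dek["CiphertextBlob"], KeyId=key_id)
        if out["Plaintext"] != dek["Plaintext"]:
            problems.append("decrypt did not return the generated data key")
    except Exception as exc:
        problems.append("data key round trip failed: %s" % exc)
    return problems


class StubKms:
    """Constructed in-memory stand-in for a KMS client (offline runs only)."""
    def __init__(self, enabled=True, allow_decrypt=True):
        self.enabled, self.allow_decrypt, self.wrapped = enabled, allow_decrypt, {}

    def describe_key(self, KeyId):
        state = "Enabled" if self.enabled else "Disabled"
        return {"KeyMetadata": {"Enabled": self.enabled, "KeyState": state}}

    def generate_data_key(self, KeyId, KeySpec):
        key = os.urandom(int(KeySpec.split("_")[1]) // 8)
        blob = os.urandom(16)  # opaque handle, not real ciphertext
        self.wrapped[blob] = key
        return {"Plaintext": key, "CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob, KeyId):
        if not self.allow_decrypt:
            raise PermissionError("AccessDeniedException: kms:Decrypt")
        return {"Plaintext": self.wrapped[CiphertextBlob]}


if __name__ == "__main__":
    # On a node, pass boto3.client("kms") instead (assumes boto3 and role credentials).
    print(check_cmk_access(StubKms(), "alias/MyScyllaKey"))
```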

FIPS Tolerant

ScyllaDB Enterprise can now run on FIPS-enabled Ubuntu, using libraries that were compiled with FIPS enabled, like OpenSSL, GnuTLS, and more.

Bug fixes

The following issues are fixed in this release (with an open-source reference, if available):

  • CQL: Cannot Cast Counter To Double #14501
  • CQL: Missing counterasblob() function, converting from Counter to Blob #14742
  • Stability: The KMIP connector runs an endless loop when more than one failover host is configured, with the result that JMX won’t start after enabling KMIP. A KMIP server is one of the alternatives for storing keys for Encryption at Rest in ScyllaDB Enterprise.
  • Stability: LWT update with empty clustering key range causes a crash #13129
  • Stability: Mitigate semaphore mismatch when possible. This does not affect Open Source users. #14770
  • Stability: Temporary SSTables generated by incremental compaction (used by LCS and ICS) are being incorrectly compacted #14560
  • Stability: view_updating_consumer does not account for partition header size. In extreme cases, this bug can cause OOM and exit when an MV is created from a base table with many small partitions #14819
  • Stability: Aborting after decommission of a DB member located in a separate rack #14184
  • Nodetool: Incorrect output in cfhistograms/tablehistograms #10089