The ScyllaDB team announces ScyllaDB Enterprise 2023.1.1, a bug-fix, production-ready ScyllaDB Enterprise patch release for the ScyllaDB Enterprise 2023.1 LTS release.
This patch release enables support of KMS integration for Encryption at Rest, allows ScyllaDB to work with a FIPS-enabled Ubuntu, and fixes multiple minor bugs.
You are encouraged to upgrade to it in coordination with the ScyllaDB Support team.
Related Links
- Get ScyllaDB Enterprise 2023.1 (customers only, or 30-day evaluation)
- Upgrade from ScyllaDB Enterprise 2022.1.x to 2023.1.y
- Upgrade from ScyllaDB Enterprise 2022.2.x to 2023.1.y
- Upgrade from ScyllaDB Open Source 5.2 to ScyllaDB Enterprise 2023.1.x
- Upgrade from ScyllaDB Enterprise 2023.1.x to 2023.1.y
- Submit a ticket
Amazon KMS Integration for Encryption at Rest
Scylla Enterprise has supported Encryption at Rest (EaR) for a long time. So far, the keys for EaR could be stored locally, in an encrypted table, or on an external KMIP server.
Release 2023.1.1 adds the ability to use Amazon KMS keys.
ScyllaDB can now use a Customer Managed Key (CMK), stored in KMS, to create, encrypt, and decrypt Data Keys (DEKs), which are then used to encrypt and decrypt the data in storage, such as SSTables, commit logs, batches, and hints logs. See AWS KMS concepts, Data Keys, for more information.
Before using KMS, you need to set KMS as a key provider and validate that ScyllaDB nodes have permission to access and use the CMK you created in KMS.
Once you do that, you can use the CMK in the CREATE and ALTER TABLE commands with KmsKeyProviderFactory, as follows:
CREATE TABLE myks.mytable (...<columns>...) WITH
    scylla_encryption_options = {
        'cipher_algorithm' : 'AES/CBC/PKCS5Padding',
        'secret_key_strength' : 128,
        'key_provider': 'KmsKeyProviderFactory',
        'kms_host': 'my_key'
    };
Where “my_key” points to a section in scylla.yaml:
kms_hosts:
    my_key:
        aws_use_ec2_credentials: true
        aws_use_ec2_region: true
        master_key: alias/MyScyllaKey
You can also use the KMS provider to encrypt System level data.
See more examples and info here.
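A pre-flight check for this configuration, added here as an example and not taken from the release notes or from ScyllaDB's own code: it validates a table's scylla_encryption_options against the kms_hosts section of scylla.yaml before the CREATE TABLE is run, flagging a missing kms_hosts entry, a missing master_key, static credentials kept in scylla.yaml instead of the instance role, and a key strength the cipher does not support. The kms_hosts keys aws_region, aws_access_key_id and aws_secret_access_key are assumed option names that do not appear on this page.

```python
# Added pre-flight check (not ScyllaDB code): validate a table's
# scylla_encryption_options against the kms_hosts section of scylla.yaml.
# aws_region / aws_access_key_id / aws_secret_access_key are assumed option
# names, not taken from the release notes.
from typing import Any

# Assumed: AES/CBC with PKCS5 padding at the key sizes AES actually supports.
ALLOWED_CIPHERS = {"AES/CBC/PKCS5Padding": {128, 192, 256}}


def check_kms_encryption(opts: dict[str, Any], kms_hosts: dict[str, dict]) -> list[str]:
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    cipher = opts.get("cipher_algorithm")
    strength = opts.get("secret_key_strength")
    if cipher not in ALLOWED_CIPHERS:
        findings.append(f"unsupported cipher_algorithm {cipher!r}")
    elif strength not in ALLOWED_CIPHERS[cipher]:
        findings.append(f"secret_key_strength {strength!r} not valid for {cipher}")
    if opts.get("key_provider") != "KmsKeyProviderFactory":
        findings.append("key_provider is not KmsKeyProviderFactory")
        return findings  # the remaining checks only apply to the KMS provider
    name = opts.get("kms_host")
    host = kms_hosts.get(name)
    if host is None:
        findings.append(f"kms_host {name!r} has no kms_hosts entry in scylla.yaml")
        return findings
    if not host.get("master_key"):
        findings.append(f"kms_hosts.{name}: master_key is missing")
    # Static credentials in scylla.yaml are weaker than the EC2 instance role:
    # flag them, and require both halves if they are used at all.
    if not host.get("aws_use_ec2_credentials"):
        if not (host.get("aws_access_key_id") and host.get("aws_secret_access_key")):
            findings.append(f"kms_hosts.{name}: no EC2 role and no static credentials")
        else:
            findings.append(f"kms_hosts.{name}: static AWS credentials stored in scylla.yaml")
    if not host.get("aws_use_ec2_region") and not host.get("aws_region"):
        findings.append(f"kms_hosts.{name}: no region (aws_use_ec2_region or aws_region)")
    return findings


# Constructed sample data mirroring the example above.
TABLE_OPTS = {"cipher_algorithm": "AES/CBC/PKCS5Padding", "secret_key_strength": 128,
              "key_provider": "KmsKeyProviderFactory", "kms_host": "my_key"}
KMS_HOSTS = {"my_key": {"aws_use_ec2_credentials": True, "aws_use_ec2_region": True,
                        "master_key": "alias/MyScyllaKey"}}

if __name__ == "__main__":
    for finding in check_kms_encryption(TABLE_OPTS, KMS_HOSTS) or ["OK"]:
        print(finding)
```

In practice the kms_hosts mapping would be read from scylla.yaml with a YAML parser; it is embedded as a dict here so the check runs offline.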
FIPS Tolerant
ScyllaDB Enterprise can now run on FIPS-enabled Ubuntu, using libraries that were compiled with FIPS enabled, such as OpenSSL, GnuTLS, and more.
Bug fixes
The following issues are fixed in this release (with an open-source reference, if available):
- CQL: Cannot Cast Counter To Double #14501
- CQL: Missing counterasblob() function, converting from Counter to Blob #14742
- Stability: KMIP connector ran an endless loop when more than one failover host was configured, ending with JMX failing to start after KMIP was enabled. KMIP server is one of the alternatives for storing keys for Encryption at Rest in ScyllaDB Enterprise.
- Stability: LWT update with empty clustering key range causes a crash #13129
- Stability: Mitigate semaphore mismatch when possible. This does not affect Open Source users. #14770
- Stability: Temporary SSTables generated by incremental compaction (used by LCS and ICS) are being incorrectly compacted #14560
- Stability: view_updating_consumer does not account for partition header size. In extreme cases, this bug can cause OOM and exit when an MV is created from a base table with many small partitions #14819
- Stability: Aborting after decommission of a DB member located in a separate rack #14184
- Nodetool: Incorrect output in cfhistograms/tablehistograms #10089