Background information
By default, data encryption is disabled for a data table when the data table is created. To enable data encryption for a data table, you must configure encryption-related parameters when you create the data table. Tablestore supports two encryption methods: encryption based on a Key Management Service (KMS) key and encryption based on Bring Your Own Key (BYOK). You must obtain the keys for both methods from KMS. You can choose a method based on your business requirements.
KMS is a one-stop key management and data encryption platform, and a one-stop secrets management platform. KMS provides simple, reliable, secure, and compliant data encryption protection and secrets management capabilities. KMS helps reduce your costs for procurement, O&M, and R&D on cryptographic infrastructure, data encryption services, and secrets management services. This way, you can focus on the development of your business application. For more information, see What is KMS?
Encryption method | How to use | Description |
KMS key-based encryption | Tablestore console Tablestore SDK
| Tablestore uses the default KMS-managed Customer Master Key (CMK) to encrypt data and automatically decrypts data when the data is being read. When you use KMS key-based encryption for the first time, Tablestore creates a KMS-managed CMK in the KMS console. You do not need to purchase a KMS instance. |
BYOK-based encryption | Tablestore console Tablestore SDK
| After you use BYOK materials to generate a custom key in the KMS console, Tablestore can encrypt data based on your custom key. You can manage the encryption keys that you use. |
Scenarios
You can enable the data encryption feature in scenarios that have high security or compliance requirements.
Usage notes
The data encryption feature can be configured only when you create a data table.
After you enable the data encryption feature, the feature cannot be disabled. Proceed with caution.
The data encryption feature is available in the China (Hangzhou), China (Shanghai), China (Shenzhen), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Hong Kong), Singapore, Indonesia (Jakarta), US (Silicon Valley), US (Virginia), UK (London), Japan (Tokyo), and German (Frankfurt) regions.
Enable the data encryption feature
Enable the data encryption feature in the Tablestore console
If you create a data table in the Tablestore console, you can enable KMS key-based encryption or BYOK-based encryption for the data table.
KMS key-based encryption
Log on to the Tablestore console.
In the top navigation bar, select a region.
On the Overview page, click the name of the instance that you want to manage or click Manage Instance in the Actions column of the instance.
On the Instance Details tab, click Create Table.
In the Create Table dialog box, configure the parameters.
Configure the parameters such as Table Name, Primary Key, and Allow Updates.
Turn on Encryption and select CMK of KMS for the Encryption Type parameter.
Click OK.
After the data table is created, click the table name. On the Basic Information tab of the Manage Table page, verify that the value of the Encryption parameter is Yes-CMK of KMS. This indicates that the data encryption feature is enabled for the data table.
BYOK-based encryption
Create a software-protected key in the KMS console. For more information, see the "Software-protected key" section of the Getting started with keys topic.
Create a Resource Access Management (RAM) role and grant permissions to the RAM role.
Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Set the role name to AliyunOTSAccessingKMS.
Create a custom policy that contains the KMS encryption and decryption permissions. For information about how to create a custom policy, see the "Create a custom policy on the JSON tab" section of the Create custom policies topic.
Set the policy name to otskmspolicytest. Sample policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"*"
]
}
]
}
Attach the otskmspolicytest policy to the AliyunOTSAccessingKMS role. For more information, see Grant permissions to a RAM role.
After you complete the authorization, record the Alibaba Cloud Resource Name (ARN) of the RAM role. The ARN indicates the ID of the RAM role.
Modify the trust policy of the RAM role. For more information, see Edit the trust policy of a RAM role.
Sample trust policy:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"ots.aliyuncs.com"
]
}
}
],
"Version": "1"
}
Create a data table and configure encryption-related parameters.
Log on to the Tablestore console.
In the top navigation bar, select a region.
On the Overview page, click the name of the instance that you want to manage or click Manage Instance in the Actions column of the instance.
On the Instance Details tab, click Create Table.
In the Create Table dialog box, configure the parameters.
Configure the parameters such as Table Name, Primary Key, and Allow Updates.
Turn on Encryption and select BYOK-based Key for the Encryption Type parameter.
Click OK.
After the data table is created, click the table name. On the Basic Information tab of the Manage Table page, verify that the value of the Encryption parameter is Yes-BYOK-based Key. This indicates that the data encryption feature is enabled for the data table.
Enable the data encryption feature by using Tablestore SDK
If you create a data table by using Tablestore SDK, you can enable KMS key-based encryption or BYOK-based encryption for the data table. You can use Tablestore SDK for Java to configure encryption for a data table.
KMS key-based encryption
To enable KMS key-based encryption for a data table, you must activate KMS. However, you do not need to create a KMS instance. After you create a data table, you can call the DescribeTable operation to query the encryption configuration of the table.
The following sample code shows how to enable KMS key-based encryption for a data table when you create the data table. The primary key of the data table is pk and of the STRING type. For the values of the attribute columns, only the latest version of data is retained, and the data never expires.
private static void createTable(SyncClient client) {
// Specify the name of the data table.
TableMeta tableMeta = new TableMeta("<TABLE_NAME>");
// If you want to configure data encryption, configure encryption-related parameters in the CreateTable request. The following encryption methods are supported: KMS key-based encryption and BYOK-based encryption. In this example, KMS key-based encryption is enabled.
SSESpecification sseKms = new SSESpecification(true, SSEKeyType.SSE_KMS_SERVICE);
// Add a primary key column to the data table.
tableMeta.addPrimaryKeyColumn(new PrimaryKeySchema("pk", PrimaryKeyType.STRING));
// Specify the validity period of data. A value of -1 specifies that the data never expires. Unit: seconds. You must set the timeToLive parameter to -1 for a data table for which you want to create an index table.
int timeToLive = -1;
// Specify the maximum number of data versions that can be retained for each column. A value of 1 specifies that only the latest version of data is retained for each column. You must set the maxVersions parameter to 1 for a data table for which you want to create an index table.
int maxVersions = 1;
TableOptions tableOptions = new TableOptions(timeToLive, maxVersions);
CreateTableRequest request = new CreateTableRequest(tableMeta, tableOptions);
// Specify the reserved read throughput and reserved write throughout. The values must be set to 0 for data tables in capacity instances and can be set to non-zero values for data tables in high-performance instances.
request.setReservedThroughput(new ReservedThroughput(new CapacityUnit(0, 0)));
request.setSseSpecification(sseKms);
client.createTable(request);
}
BYOK-based encryption
Create a software-protected key in the KMS console. For more information, see the "Software-protected key" section of the Getting started with keys topic.
Create a RAM role and grant permissions to the RAM role.
Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Set the role name to AliyunOTSAccessingKMS.
Create a custom policy that contains the KMS encryption and decryption permissions. For information about how to create a custom policy, see the "Create a custom policy on the JSON tab" section of the Create custom policies topic.
Set the policy name to otskmspolicytest. Sample policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"*"
]
}
]
}
Attach the otskmspolicytest policy to the AliyunOTSAccessingKMS role. For more information, see Grant permissions to a RAM role.
After you complete the authorization, record the ARN of the RAM role. The ARN indicates the ID of the RAM role.
Modify the trust policy of the RAM role. For more information, see Edit the trust policy of a RAM role.
Sample trust policy:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"ots.aliyuncs.com"
]
}
}
],
"Version": "1"
}
Create a data table and configure encryption-related parameters.
Create a data table and enable BYOK-based encryption. After you create a data table, you can call the DescribeTable operation to query the encryption configuration of the table.
The following sample code shows how to enable BYOK-based encryption for a data table when you create the data table. The primary key of the data table is pk and of the STRING type. For the values of the attribute columns, only the latest version of data is retained, and the data never expires.
private static void createTable(SyncClient client) {
// Specify the name of the data table.
TableMeta tableMeta = new TableMeta("<TABLE_NAME>");
// If you want to configure data encryption, configure encryption-related parameters in the CreateTable request. The following encryption methods are supported: KMS key-based encryption and BYOK-based encryption.
// Set the keyId parameter to the ID of the software-protected key that you created in the KMS console in Step 1.
String keyId="key-hzz65****************";
// Set the roleArn parameter to the ARN of the RAM role that you recorded in Step 2.
String roleArn="acs:ram::****************:role/aliyunotsaccessingkms";
// In this example, BYOK-based encryption is enabled.
// Set the keyId parameter to the ID of the custom key in KMS. Set the roleArn parameter to the ARN of the RAM role that you want to use. You must create a RAM role and record the ARN of the RAM role.
SSESpecification sseByok = new SSESpecification(true, SSEKeyType.SSE_BYOK, keyId, roleArn);
// Add a primary key column to the data table.
tableMeta.addPrimaryKeyColumn(new PrimaryKeySchema("pk", PrimaryKeyType.STRING));
// Specify the validity period of data. A value of -1 specifies that the data never expires. Unit: seconds. You must set the timeToLive parameter to -1 for a data table for which you want to create an index table.
int timeToLive = -1;
// Specify the maximum number of data versions that can be retained for each column. A value of 1 specifies that only the latest version of data is retained for each column. You must set the maxVersions parameter to 1 for a data table for which you want to create an index table.
int maxVersions = 1;
TableOptions tableOptions = new TableOptions(timeToLive, maxVersions);
CreateTableRequest request = new CreateTableRequest(tableMeta, tableOptions);
request.setReservedThroughput(new ReservedThroughput(new CapacityUnit(0, 0))); // Specify the reserved read throughput and reserved write throughout. The values must be set to 0 for data tables in capacity instances and can be set to non-zero values for data tables in high-performance instances.
request.setSseSpecification(sseByok);
client.createTable(request);
}
Billing
You are charged the data encryption fee by KMS. For more information, see Billing.