Encryption

All data stored in Neo4j Aura is encrypted using intra-cluster encryption between the various nodes comprising your instance and encrypted at rest using the underlying cloud provider’s encryption mechanism.

Aura always requires encrypted connections and ensures that clients validate server certificates when establishing a connection. This means that network traffic flowing to and from Neo4j Aura is always encrypted.

By default, each cloud provider encrypts all backup buckets (including the objects stored inside) using either Google-managed encryption, AWS SSE-S3 encryption, or Azure Storage encryption.

To protect data at rest, Aura uses encrypted data storage capabilities offered by the cloud providers. Whether customers choose to host in AWS, Azure, or GCP, each object store provides server-side encrypted buckets for data at rest encryption. By default, AWS, Azure, and GCP encrypt all backup buckets (including the objects stored inside) with AWS SSE-S3 encryption, Azure Storage Encryption (SSE), or Google-managed encryption. This ensures all your data stored in any one of these cloud providers uses 256-bit Advanced Encryption Standard (AES).

In addition to Aura’s default encryption for data at rest, Customer Managed Keys enable security-conscious enterprises to manage encryption keys through their Cloud Service Provider’s Key Management Services (KMS) on Aura, granting control over data protection and access management, including the ability to revoke access from Neo4j. This allows adherence to strict security policies alongside Aura’s default enterprise-grade security measures.

Customer Managed Keys

AuraDB Virtual Dedicated Cloud AuraDS Enterprise

A Customer Managed Key (CMK) gives you more control over key operations than the standard Neo4j encryption. These are created and managed using a supported cloud key management service (KMS). Externally, Customer Managed Keys are also known as Customer Managed Encryption Keys (CMEK).

When using a Customer Managed Key, all data at rest is encrypted with the key. Customer Managed Keys are supported for v4.x and v5.x instances.

When using Customer Managed Keys, you give Aura permission to encrypt and decrypt using the key, but Aura has no access to the key’s material. Aura has no control over the availability of your externally managed key in the KMS.

The loss of a Customer Managed Key makes all data encrypted with that key inaccessible. Neo4j is unable to manage database instances if the key is disabled, deleted, expired, or if permissions are revoked.

Key rotation

In your KMS platform, you can either configure automatic rotation for the Customer Managed Key, or you can perform a manual rotation.

Although automatic rotation is not enforced by Aura, it is best practice to rotate keys regularly. Manual key rotation is not recommended.

Import an existing database

You can upload a database to instances encrypted with Customer Managed Keys in Neo4j 5 directly from the console or by using neo4j-admin database upload. If the database is larger than 4 GB, you have to use neo4j-admin database upload. Note that the neo4j-admin push-to-cloud command in Neo4j v4.4 and earlier is not supported for instances encrypted with Customer Managed Keys. For more information see the Neo4j Admin database upload documentation.

Clone an instance protected by CMK

To clone an instance protected by a Customer Managed Key, the key must be valid and available to Aura. If the same CMK does not exist in the destination region and product, the cloned instance must be encrypted with an available CMK for that region and product.

It is best practice to use the same Customer Managed Key as the instance it’s being cloned from. You can override this to use another Customer Managed Key - but you can not use the Neo4j Managed Key.

When cloning an instance that is encrypted with a Customer Managed Key, specific restrictions apply when using the API. Below are the details and possible errors that you may encounter depending on the cloning method and key configurations.

Table 1. Summary of cloning restrictions
Cloning method Destination key Result

Console & API

Same CMK as source instance

Cloning allowed.

Console

Different CMK than source instance

Cloning allowed. Warning message shown.

Console

Neo4j Managed Key

Cloning blocked. Error message shown.

API

Different CMK than source instance, or Neo4j Managed Key

Cloning blocked. Error message shown.

Remove a CMK from Aura

When using a Customer Managed Key within Aura to encrypt one or more Aura database instances, it cannot be removed from Aura. If you no longer need to use this Customer Managed Key to encrypt Aura databases, first delete the Aura database instances that are encrypted with the key, then you can remove the key from Aura. Keep in mind that this process only breaks the link between the key and Aura —- it does not delete the actual key from the Cloud KMS.

AWS keys

Create an AWS key

  1. Create a key in the AWS KMS making sure the region matches your Aura database instance. Copy the generated ARN. You need it in the next step.

  2. Go to security settings in the Aura Console, add a Customer Managed Key and copy the JSON code that is generated in the Aura Console when you add a key.

  3. In the AWS KMS, edit the key policy to include the JSON code.

Edit the AWS key policy

After you have initially created a key in the AWS KMS, you can edit the key policy. In the AWS key policy, "Statement" is an array that consists of one or more objects. Each object in the array describes a security identifier (SID). The objects in the AWS code array are comma-separated, for example {[{'a'}, {'b'}, {'c'}]}.

Add a comma after the curly brace in the final SID, and then paste the JSON code that was generated in the Aura Console (for example {[{'a'}, {'b'}, {'c'}, add code here ]}).

AWS regions

Aura supports AWS Customer Managed Keys that reside in the same region as the instance. When creating a Customer Managed Key in the AWS KMS, you can create a single-region key, or create a multi-region key.

Single-region keys reside in only one AWS region, which must be the same region as your Aura instance.

Multi-region keys have a primary region, however these can be replicated to other regions that match the region of your Aura instance. The replicas share the same key ID and different Amazon Resource Names (ARNs) with the primary key.

AWS automatic key rotation

Aura supports automatic key rotation via the AWS KMS. To enable automatic key rotation in the AWS KMS, tick the Key rotation checkbox after initially creating a key, to automatically rotate the key once a year.

Azure keys

Create an Azure key vault

Create a Key Vault in the Azure portal ensuring the region matches your Aura database instance region. Move through the tabs to enable to following:

  • Purge protection

  • Azure role-based access control

  • Azure Disk Encryption for volume encryption

  • When setting up the key vault, in Networking you can choose:

    • Allow public access from all networks

    • Allow public access from specific virtual networks and IP addresses (need to check Allow trusted Microsoft services to bypass this firewall)

    • Disable public access (need to check Allow trusted Microsoft services to bypass this firewall)

    • If you need to edit the public access setting after setting up the key vault, you will find public access options in Networking > Firewalls and Virtual Networks and below it is the Exception section the checkbox to Allow trusted Microsoft services to bypass this firewall.

Create a key

  1. When preparing to create a key, if needed grant a role assignment:

    1. Inside the key vault, go to Access Control (IAM) and add role assignment.

    2. In the Role tab, select Key Vault Administrator.

    3. In the Member tab, select User, group, or service principal.

    4. From Select members, add yourself or the relevant person, then Review + Assign.

  2. Create a key in the Azure Key Vault.

  3. After the key is created, click into key version and copy the Key Identifier, you need it in the next step.

  4. Go to security settings in the Aura Console and add a Customer Managed Key.

  5. Follow the instructions in the Aura Console for the next sections.

Create a service principal

In the Azure Entra ID tenant where your key is located, create a service principal linked to the Neo4j CMK Application with the Neo4j CMK Application ID displayed in the Aura Console.

One way to do this is by clicking the terminal icon at the top of the Azure portal, to open the Azure Cloud Shell.

Using Azure CLI, the command is:

az ad sp create --id Neo4jCMKApplicationID

For more information about the Azure CLI, see az ad sp documentation.

Grant key permissions

  1. To add role assignment to the Azure key, inside the key, go to Access control (IAM) and add role assignment.

  2. In the Role tab, select Key Vault Crypto Officer.

  3. In the Member tab, select User, group, or service principal.

  4. In Select members, paste the Neo4j CMK Application name that is displayed in the Aura Console.

  5. The Neo4j CMK Application should appear, select this application then Review + Assign.

GCP keys

Create a key ring

  1. Go to Key Management in the Google Cloud console.

  2. Create a key ring.

  3. The key ring Location type should be set to Region.

  4. Make sure the region matches your Aura database instance region.

  5. Select Create and you are automatically taken to the key creation page.

Create a key

  1. Create a key in the Google Console. You can use default settings for the options, but setting a key rotation period is recommended.

  2. Select Create and you are brought to the key ring, with your key listed.

  3. Click More (three dots) and Copy resource name, you need it in the next step. For more information, see Google Cloud docs

  4. Go to security settings in the Aura Console and add a Customer Managed Key. Paste the resource name into the Encryption Key Resource Name field.

  5. After you select Add Key in the Aura Console, three service accounts are displayed in the Aura Console. You will need these in the next steps.

Grant key permissions

  1. Go to the Google Cloud console, click into the key and go to Permissions then Grant Access.

  2. In Add principals paste the three service accounts from the Aura Console.

  3. In Assign roles assign both Cloud KMS CryptoKey Encrypter/Decrypter and Cloud KMS Viewer roles to all three service accounts.