Encryption

All data stored in Neo4j Aura is encrypted using intra-cluster encryption between the various nodes comprising your instance and encrypted at rest using the underlying cloud provider’s encryption mechanism.

By default, each cloud provider encrypts all backup buckets (including the objects stored inside) using either Google-managed encryption, AWS SSE-S3 encryption, or Azure Storage encryption.

Customer Managed Keys

Applies to: AuraDB Enterprise, AuraDS Enterprise

This feature has been released as a public GA for AuraDB Enterprise and AuraDS Enterprise for AWS managed keys. GCP’s Cloud Key Management and Azure’s Key Vault are in development.

A Customer Managed Key (CMK) gives you more control over key operations than the standard Neo4j encryption. These are created and managed using a supported cloud key management service (KMS). Externally, Customer Managed Keys are also known as Customer Managed Encryption Keys (CMEK).

When using a Customer Managed Key, all data at rest is encrypted with the key. Customer Managed Keys are supported for v4.x and v5.x instances.

When using Customer Managed Keys, you give Aura permission to encrypt and decrypt using the key, but Aura has no access to the key’s material. Aura has no control over the availability of your externally managed key in the KMS. If you lose keys that are managed outside of Aura, Aura can’t recover your data.

The loss of a Customer Managed Key, through deletion, disabling, or expiration, renders all data encrypted with that key unrecoverable. Neo4j cannot administer database instances when keys are disabled, deleted, or permissions revoked.

Delete a key

If a Customer Managed Key is being used to encrypt one or more Aura instances in the console, it can’t be deleted. If you need to delete the key, first delete the Aura database instances encrypted with the key, then delete the key.

Key rotation

In your KMS platform, you can either configure automatic rotation for the Customer Managed Key, or you can perform a manual rotation.

Although automatic rotation is not enforced by Aura, it is best practice to rotate keys regularly. Manual key rotation is not recommended.

Regions

There is a limit of one key for AuraDB and one key for AuraDS per region. Depending on the KMS, there may be a delay between disabling a key, and when it can no longer be used to encrypt and decrypt data.

Import an existing database

You can upload a database to instances encrypted with Customer Managed Keys in Neo4j 5 directly from the console or by using neo4j-admin database upload. If the database is larger than 4 GB, you have to use neo4j-admin database upload. Note that the neo4j-admin push-to-cloud command in Neo4j v4.4 and earlier is not supported for instances encrypted with Customer Managed Keys. For more information see the Neo4j Admin database upload documentation.

Clone an instance protected by CMK

To clone an instance protected by a Customer Managed Key, the key must be valid and available to Aura. The cloned instance, by default, uses the available Customer Managed Key for that region and product.

You can override this behavior by selecting the Neo4j Managed Key when cloning the database. If there is no valid CMK for the destination region and product, the Neo4j Managed Key is used to encrypt the cloned instance.

AWS keys

Create an AWS key

  1. Create a key in the AWS KMS ensuring the region matches your Aura database instance. Copy the generated ARN. You need it in the next step.

  2. Go to security settings in the Aura Console, create a Customer Managed Key and copy the JSON code that is generated in the Aura Console when you add a key.

  3. In the AWS KMS, edit the key policy to include the JSON code.

Edit the AWS key policy

After you have initially created a key in the AWS KMS, you can edit the key policy. In the AWS key policy, "Statement" is an array of one or more objects. Each object in the array is one policy statement, with its own statement identifier (SID). The objects in the array are comma-separated, e.g. "Statement": [ {a}, {b}, {c} ]

Add a comma after the closing curly brace of the final statement, and then paste the JSON code that was generated in the Aura Console inside the array, e.g. "Statement": [ {a}, {b}, {c}, add code here ]
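The hand edit above is easy to get wrong (a missing comma, or pasting outside the array). The following added example, which is not Neo4j's or AWS's code, parses the existing key policy and the Aura-generated statement as JSON, appends the statement to the "Statement" array, and checks that the result is still well formed. The existing policy and the Aura statement below are constructed placeholders: the real statement is the JSON copied from the Aura Console, and the account IDs are not real.

```python
"""Merge the statement generated by the Aura Console into an existing AWS KMS
key policy. Added example, not Neo4j's or AWS's code."""
import json

# Constructed sample of an existing key policy, in the shape returned by
# `aws kms get-key-policy --key-id <ARN> --policy-name default`.
# The account ID is a placeholder.
EXISTING_POLICY = """{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}"""

# PLACEHOLDER for the JSON generated by the Aura Console. Replace the whole
# object with the statement copied from the console when you add the key.
AURA_STATEMENT = """{
  "Sid": "PLACEHOLDER-AuraStatement",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::<AURA-ACCOUNT-PLACEHOLDER>:root"},
  "Action": ["kms:Encrypt", "kms:Decrypt"],
  "Resource": "*"
}"""


def merge_statement(policy_text: str, statement_text: str) -> str:
    """Return the key policy with the statement appended to its Statement array.

    Parsing both sides as JSON avoids the manual-edit pitfalls and rejects a
    statement whose Sid is already present, since Sids must be unique within
    a policy document.
    """
    policy = json.loads(policy_text)
    statement = json.loads(statement_text)
    statements = policy.get("Statement")
    if statements is None:
        raise ValueError("key policy has no Statement element")
    if isinstance(statements, dict):
        # A policy with a single statement may carry it as an object.
        statements = [statements]
    existing_sids = {s["Sid"] for s in statements if "Sid" in s}
    if statement.get("Sid") in existing_sids:
        raise ValueError(f"duplicate Sid {statement['Sid']!r}")
    for field in ("Effect", "Principal", "Action", "Resource"):
        if field not in statement:
            raise ValueError(f"statement is missing {field!r}")
    statements.append(statement)
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


def statement_sids(policy_text: str) -> list:
    """List the Sids of a policy's statements, in order."""
    return [s.get("Sid") for s in json.loads(policy_text)["Statement"]]


if __name__ == "__main__":
    merged = merge_statement(EXISTING_POLICY, AURA_STATEMENT)
    print(merged)
    # Write the output to policy.json and apply it with:
    #   aws kms put-key-policy --key-id <key ARN> --policy-name default \
    #       --policy file://policy.json
```

Running the merge twice fails on the duplicate Sid, which is the usual symptom of pasting the console statement into a policy that already contains it.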

AWS regions

When creating a Customer Managed Key in the AWS KMS, you can create a single-region key in a single AWS region, or create a multi-region key that you can replicate into multiple AWS regions. Aura only supports AWS Customer Managed Keys that reside in the same region as the instance.

In Aura, you can use AWS single-region keys, multi-region keys or replica keys as long as the key resides in the same region as the Aura instance.
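The two constraints above (the key must live in the instance's region, and the console allows one key per product per region) can be checked from the key ARN before the key is registered. The following added example is not Neo4j's or AWS's code; the ARNs, account ID and the registry of already-registered keys are constructed. It relies on one AWS fact: the key ID of a multi-region key (and of each of its replicas) starts with "mrk-", so a replica key's ARN carries the replica's own region, which is exactly the region the check compares.

```python
"""Check an AWS KMS key ARN against the Aura CMK region rules.
Added example, not Neo4j's or AWS's code. All sample values are constructed."""
import re

# arn:aws:kms:<region>:<account>:key/<key-id>
ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):key/(?P<key_id>[A-Za-z0-9-]+)$"
)

# Constructed registry of keys already added in the Aura Console, keyed by
# (product, region). The console allows one key per product per region.
REGISTERED_KEYS = {
    ("AuraDB", "eu-west-1"): "arn:aws:kms:eu-west-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab",
}


def parse_key_arn(arn: str) -> dict:
    """Split a KMS key ARN into region, account and key ID.

    Multi-region keys and their replicas have key IDs beginning with "mrk-";
    a replica's ARN names the region the replica lives in.
    """
    match = ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    info = match.groupdict()
    info["multi_region"] = info["key_id"].startswith("mrk-")
    return info


def check_key_for_instance(arn: str, instance_region: str, product: str,
                           registered: dict = REGISTERED_KEYS) -> list:
    """Return a list of problems that would stop this key being used for an
    instance of the given product in the given region. Empty means usable."""
    info = parse_key_arn(arn)
    problems = []
    if info["region"] != instance_region:
        problems.append(
            f"key is in {info['region']} but the instance is in {instance_region}"
            + ("; use the replica in the instance region" if info["multi_region"] else "")
        )
    existing = registered.get((product, info["region"]))
    if existing is not None and existing != arn:
        problems.append(f"{product} already has a key in {info['region']}: {existing}")
    return problems


if __name__ == "__main__":
    replica = "arn:aws:kms:us-east-1:111111111111:key/mrk-0123456789abcdef0123456789abcdef"
    for product, region in (("AuraDB", "us-east-1"), ("AuraDB", "eu-west-1"), ("AuraDS", "eu-west-1")):
        print(product, region, check_key_for_instance(replica, region, product) or "OK")
```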

AWS automatic key rotation

Aura supports automatic key rotation via the AWS KMS. To enable automatic key rotation in the AWS KMS, tick the Key rotation checkbox after initially creating a key, to automatically rotate the key once a year.

Azure keys

Create an Azure key vault

Create a Key Vault in the Azure portal, ensuring the region matches your Aura database instance region. Move through the tabs to enable the following:

  • Purge protection

  • Azure role-based access control

  • Azure Disk Encryption for volume encryption

  • Allow access from all networks

Create a key

  1. When preparing to create a key, if needed, grant a role assignment:

    1. Inside the key vault, go to Access Control (IAM) and add role assignment.

    2. In the Role tab, select Key Vault Administrator.

    3. In the Member tab, select User, group, or service principal.

    4. Select members and select yourself or the relevant person, then Review + Assign.

  2. Create a key in the Azure Key Vault.

  3. After the key is created, click into the key version and copy the Key Identifier. You need it in the next step.

  4. Go to security settings in the Aura Console and add a Customer Managed Key.

  5. Follow the instructions in the Aura Console for the next sections.

Create a service principal

In the Azure Entra ID tenant where your key is located, create a service principal linked to the Neo4j CMK Application with the Neo4j CMK Application ID displayed in the Aura Console.

One way to do this is by clicking the terminal icon at the top of the Azure portal, to open the Azure Cloud Shell.

Using Azure CLI, the command is:

az ad sp create --id Neo4jCMKApplicationID

For more information about the Azure CLI, see az ad sp documentation.

Grant key permissions

  1. To add role assignment to the Azure key, inside the key, go to Access control (IAM) and add role assignment.

  2. In the Role tab, select Key Vault Crypto Officer.

  3. In the Member tab, select User, group, or service principal.

  4. Select members and paste the Neo4j CMK Application name that is displayed in the Aura Console.

  5. The Neo4j CMK Application should appear, select this application then Review + Assign.