Encryption

All data stored in Neo4j Aura is encrypted using intra-cluster encryption between the various nodes comprising your instance and encrypted at rest using the underlying cloud provider’s encryption mechanism.

By default, each cloud provider encrypts all backup buckets (including the objects stored inside) using either Google-managed encryption, AWS SSE-S3 encryption, or Azure Storage encryption.

Customer Managed Keys

AuraDB Enterprise AuraDS Enterprise

This feature has been released as a public GA for AuraDB Enterprise and AuraDS Enterprise for AWS managed keys. GCP’s Cloud Key Management and Azure’s Key Vault are in development.

A Customer Managed Key (CMK) gives you more control over key operations than the standard Neo4j encryption. These are created and managed using a supported cloud key management service (KMS). Externally, Customer Managed Keys are also known as Customer Managed Encryption Keys (CMEK).

When using a Customer Managed Key, all data at rest is encrypted with the key. You can only encrypt new Aura v5 instances using Customer Managed Keys. The feature is not supported for existing instances or v4.x instances.

When using Customer Managed Keys, you give Aura permission to encrypt and decrypt using the key, but Aura has no access to the key’s material. Aura has no control over the availability of your externally managed key in the KMS. If you lose keys that are managed outside of Aura, Aura can’t recover your data.

The loss of a Customer Managed Key, through deletion, disabling, or expiration, renders all data encrypted with that key unrecoverable. Neo4j cannot administer database instances when keys are disabled, deleted, or permissions revoked.

Deleting a key

If a Customer Managed Key is being used to encrypt one or more Aura instances in the console, it can’t be deleted. If you need to delete the key, first delete the Aura database instances encrypted with the key, then delete the key.

Key rotation

In your KMS platform, you can either configure automatic rotation for the Customer Managed Key, or you can perform a manual rotation.

Although automatic rotation is not enforced by Aura, it is best practice to rotate keys regularly. Manual key rotation is not recommended.

Regionality

There is a limit of one key for AuraDB and one key for AuraDS per region. Depending on the KMS, there may be a delay between disabling a key, and when it can no longer be used to encrypt and decrypt data.

Importing an existing database

You can upload a database to instances encrypted with Customer Managed Keys in Neo4j 5 directly from the console or by using neo4j-admin database upload. If the database is larger than 4 GB, you have to use neo4j-admin database upload. Note that the neo4j-admin push-to-cloud command in Neo4j v4.4 and earlier is not supported for instances encrypted with Customer Managed Keys. For more information see the Neo4j Admin database upload documentation.

Cloning an instance protected by CMK

To clone an instance protected by a Customer Managed Key, the key must be valid and available to Aura. The cloned instance, by default, uses the available Customer Managed Key for that region and product.

You can override this behavior by selecting the Neo4j Managed Key when cloning the database. If there is no valid CMK for the destination region and product, the Neo4j Managed Key is used to encrypt the cloned instance.

AWS keys

Creating an AWS key

  1. Create a key in the AWS KMS ensuring the region matches your Aura database instance. Copy the generated ARN. You need it in the next step.

  2. Go to security settings in the Aura Console, create a Customer Managed Key and copy the JSON code that is generated in the Aura Console when you add a key.

  3. In the AWS KMS, edit the key policy to include the JSON code.

Editing the AWS key policy

After you have initially created a key in the AWS KMS, you can edit the key policy. In the AWS key policy, "Statement" is an array that consists of one or more objects. Each object in the array describes a security identifier (SID). The objects in the AWS code array are comma-separated, e.g. {[{'a'}, {'b'}, {'c'}]}

Add a comma after the curly brace in the final SID, and then paste the JSON code that was generated in the Aura Console, e.g. {[{'a'}, {'b'}, {'c'}, add code here ]}

AWS regionality

When creating a Customer Managed Key in the AWS KMS, you can create a single-region key in a single AWS region, or create a multi-region key that you can replicate into multiple AWS regions. Aura only supports AWS Customer Managed Keys that reside in the same region as the instance.

In Aura, you can use AWS single-region keys, multi-region keys or replica keys as long as the key resides in the same region as the Aura instace.

AWS automatic key rotation

Aura supports automatic key rotation via the AWS KMS. To enable automatic key rotation in the AWS KMS, tick the Key rotation checkbox after initially creating a key, to automatically rotate the key once a year.