cmek edits #414

Merged
merged 10 commits into from
Aug 12, 2024


fiquick
Contributor

@fiquick fiquick commented Aug 12, 2024

Add info about regions, deleting a key in Aura, keeping a key in a cloud provider's KMS to maintain security; removed "unrecoverable" and replaced it with softer language.


@danielruminski danielruminski left a comment


LGTM but I have left a few small suggestions

It is best practice to use the same CMK key as the instance it’s being cloned from.
You can override this to use another CMK key - but you can not use the Neo4j Managed Key.

=== Detach a CMK from Aura
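
Review bot: "CMK key" in both sentences of this hunk expands to "Customer Managed Key key"; write "CMK" or "Customer Managed Key" instead, and use "cannot" for "can not". The second sentence states the restriction on the Neo4j Managed Key without a reason, so a short clause explaining why a clone cannot use it would help readers planning a clone.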


I find "remove" clearer than "detach" but that's just my opinion and I don't feel strongly. So feel free to leave as is.

When using Customer Managed Keys, you give Aura permission to encrypt and decrypt using the key, but Aura has no access to the key’s material.
Aura has no control over the availability of your externally managed key in the KMS.
If you lose keys that are managed outside of Aura, Aura can’t recover your data.
If you lose keys that are managed outside of Aura in the cloud provider's KMS, you will not be able to access the data.
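
Review bot: The last two sentences of this hunk both open with "If you lose keys that are managed outside of Aura" and say almost the same thing. If both are meant to stay, merge them; if the second replaces the first, the point that Aura can't recover the data is dropped. Since the paragraph already says Aura has no access to the key's material, keep that consequence explicit, for example "you will not be able to access the data, and Aura can't recover it for you".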


I would remove the "that are managed outside of Aura" here. It's a bit confusing, since all keys are managed in the Cloud Provider KMS. So it would be
If you lose keys in the cloud provider's KMS, you ...

A Customer Managed Key (CMK) gives you more control over key operations than the standard Neo4j encryption.
These are created and managed using a supported cloud key management service (KMS).
Externally, Customer Managed Keys are also known as Customer Managed Encryption Keys (CMEK).

When using a Customer Managed Key, all data at rest is encrypted with the key.
Customer Managed Keys are supported for v4.x and v5.x instances.

Customer Managed Keys are designed to stay within the cloud provider’s KMS to maintain their security.
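
Review bot: The last sentence, "Customer Managed Keys are designed to stay within the cloud provider's KMS to maintain their security", does not tell the reader what to do or expect. If the intent is that key material is never exported to Aura, say so directly and tie it to the statement in this PR that Aura can encrypt and decrypt with the key but has no access to the key's material. Also, "These are created" on the second line follows the singular "A Customer Managed Key"; "CMKs are created" reads better.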


Tbh I am not sure what this sentence is supposed to explain. "are designed" sounds like we in Aura designed it this way? I think I would remove this unless there is some specific information you want to convey.

@neo-technology-commit-status-publisher
Collaborator

Thanks for the documentation updates.

The preview documentation has now been torn down - reopening this PR will republish it.

@fiquick fiquick merged commit 373cba6 into main Aug 12, 2024
4 checks passed
@fiquick fiquick deleted the cmektextedit branch August 12, 2024 13:09