Data encryption for Changefeeds

[chriscasano]

This is a request to have encryption for data that is generated by Changefeed before sending to its sink. An example of this, would be using AWS client side encryption: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html. The problem resides for sensitive data sets that need an extra layer of secure transfer and at-rest. It would be nice to have a standard encryption process that can work across most of the Changefeed sinks where the use can provide the master key for encryption, similar to how we do encrypted backups.

gz#4785

Epic CRDB-9177

Jira issue: CRDB-5163

[BramGruneir]

Assigning to @mwang1026 for triage.

[mwang1026]

We've triaged but want to wait until committing until we get confirmation on what encryption protocols to support (since presumably the data would be encrypted outside of CRDB).

[BramGruneir]

@thtruo for visibility

[chriscasano]

@mwang1026 probably worth considering this for backups too and not just changefeeds.

[mwang1026]

Yup. What are some examples of encryption protocols people are asking for? There are likely two parts to this--generic encryption UX and framework, and the incremental work to implement each encryption protocol.

[BramGruneir]

@mwang1026, any movement on this? This looks like it could use similar work being done with AWS' KMS for encrypted backups.

[mwang1026]

No movement. Are people not using changefeeds because of this?

[BramGruneir]

It came as a customer request: https://cockroachdb.zendesk.com/agent/tickets/4785

[github-actions[bot]]

We have marked this issue as stale because it has been inactive for 18 months. If this issue is still relevant, removing the stale label or adding a comment will keep it active. Otherwise, we'll close it in 10 days to keep the issue queue tidy. Thank you for your contribution to CockroachDB!

[data-matt]

Open CC @amruss