Commit c574fac

feat(rdb): encryption at rest api + bench MTA-5369 (#4132)
1 parent 7bcfc41 commit c574fac

3 files changed

+180
-0
lines changed

Lines changed: 133 additions & 0 deletions
@@ -0,0 +1,133 @@
1+
---
2+
meta:
3+
title: Setting up Encryption at Rest for your Managed Databases with the Scaleway API
4+
description: This page explains how to set up Encryption at Rest for your Managed Databases with the Scaleway API.
5+
content:
6+
h1: Setting up Encryption at Rest for your Managed Databases with the Scaleway API
7+
paragraph: This page explains how to set up Encryption at Rest for your Managed Databases with the Scaleway API.
8+
tags: managed-database postgresql mysql encryption at rest
9+
dates:
10+
validation: 2024-12-19
11+
posted: 2024-12-19
12+
categories:
13+
- managed-databases
14+
- postgresql-and-mysql
15+
---
16+
17+
Encryption at rest allows you to permanently encrypt your database data. The data is encrypted at volume level using [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup). The management of the encryption key is done by Scaleway.
18+
19+
The feature can be activated upon Database Instance creation via the console and the API, or after creation exclusively through the API with the [upgrade endpoint](https://www.scaleway.com/en/developers/api/managed-database-postgre-mysql/#path-database-instances-upgrade-a-database-instance).
20+
21+
<Message type="important">
22+
- Once activated on a Database Instance, encryption at rest cannot be disabled.
23+
- All databases, data (including logs), and snapshots will be encrypted. Logical backup encryption is not currently available.
24+
- Enabling encryption means your database data will be copied into a new, encrypted block volume. This takes approximately 1 hour per 100 GB of storage. When switching volumes, expect a few seconds of downtime towards the end of the copying process. Refer to the [Encryption at rest performance benchmark on Database Instances](/managed-databases/postgresql-and-mysql/reference-content/encryption-at-rest-performance-benchmark) page.
25+
</Message>
26+
27+
## Creating a Database Instance with encryption at rest
28+
29+
1. Edit the POST request payload you will use to create your Database Instance. Make sure you include the `encryption` parameter and set the `enabled` attribute to `true`.
30+
<Message type="note">
31+
In all examples below the UUIDs, passwords and IP addresses displayed are not real. For more details about the parameters shown, refer to the [Managed Databases for PostgreSQL and MySQL API documentation](https://www.scaleway.com/en/developers/api/managed-database-postgre-mysql/)
32+
</Message>
33+
34+
```json
35+
'{
36+
"project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826",
37+
"name": "myDB",
38+
"engine": "PostgreSQL-15",
39+
"tags": ["foo", "bar"],
40+
"is_ha_cluster": true,
41+
"node_type": "db-pro2-xxs",
42+
"disable_backup": false,
43+
"user_name": "my_initial_user",
44+
"password": "thiZ_is_v0ry_s3cret",
45+
"volume_type": "sbs_5k",
46+
"volume_size": "30000000000",
47+
"encryption": {
48+
"enabled": true
49+
}
50+
}'
51+
```
52+
53+
2. Create a Database Instance by running the following command. Make sure you include the payload you edited in the previous step.
54+
```bash
55+
curl -X POST \
56+
-H "X-Auth-Token: $SCW_SECRET_KEY" \
57+
"Content-Type: application/json" \
58+
https://api.scaleway.com/rdb/v1/regions/$SCW_REGION/instances \
59+
-d '{
60+
"project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826",
61+
"name": "myDB",
62+
"engine": "PostgreSQL-15",
63+
"tags": ["foo", "bar"],
64+
"is_ha_cluster": true,
65+
"node_type": "db-pro2-xxs",
66+
"disable_backup": false,
67+
"user_name": "my_initial_user",
68+
"password": "thiZ_is_v0ry_s3cret",
69+
"volume_type": "sbs_5k",
70+
"volume_size": "30000000000",
71+
"encryption": {
72+
"enabled": true
73+
}
74+
}'
75+
```
76+
You should get a response like the following confirming that the Database Instance was created, and encryption at rest is enabled.
77+
78+
```json
79+
{
80+
"id": "f5122f66-fb50-4cef-aa02-487ef4fc1af0",
81+
"name": "myDB",
82+
"organization_id": "895693aa-3915-4896-8761-c2923b008be7",
83+
"project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826",
84+
"status": "ready",
85+
"engine": "PostgreSQL-15",
86+
"endpoint": {
87+
"ip": "198.51.100.0",
88+
"port": 22245,
89+
"name": null
90+
},
91+
"tags": [
92+
"foo",
93+
"bar"
94+
],
95+
"settings": [],
96+
"backup_schedule": {
97+
"frequency": 24,
98+
"retention": 7,
99+
"disabled": true
100+
},
101+
"is_ha_cluster": true,
102+
"read_replicas": [],
103+
"node_type": "db-pro2-xxs",
104+
"volume": {
105+
"type": "sbs_5k",
106+
"size": 30000000000
107+
},
108+
"encryption": {
109+
"enabled": true
110+
},
111+
"created_at": "2019-04-19T16:24:52.591417Z",
112+
"region": "fr-par"
113+
}
114+
```
115+
116+
## Enabling encryption at rest in an existing Database Instance
117+
118+
To enable encryption at rest after a Database Instance has already been created, you can use the upgrade endpoint of the Managed Databases API.
119+
120+
Run the following command. Make sure you replace the `instance_id` in the endpoint, and the `enable_encryption` parameter set to `true`
121+
122+
```json
123+
curl -X POST \
124+
-H "X-Auth-Token: $SCW_SECRET_KEY" \
125+
-H "Content-Type: application/json" \
126+
-d '{
127+
"enable_encryption": true
128+
}' \
129+
"https://api.scaleway.com/rdb/v1/regions/fr-par/instances/{instance_id}/upgrade"
130+
```
131+
132+
If the operation is successful, you see an output containing all the details of your Database Instance, including `"encryption":{"enabled":true}`.
133+
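Review bot: In the step 2 create command (diff line 57) the header `"Content-Type: application/json"` has lost its `-H` flag, so curl treats the string as another URL and sends the body with its default form content type; the upgrade command at line 125 has the correct form, `-H "Content-Type: application/json"`. Two fences are also mislabelled: the step 1 payload is tagged `json` but is wrapped in single quotes (lines 35 and 50), which is not valid JSON, and the upgrade command at line 122 is tagged `json` although it is a curl invocation and should be `bash`. The sample response shows `"disabled": true` under `backup_schedule` while the request sends `"disable_backup": false`, which reads as a contradiction. The upgrade URL hard-codes `fr-par` where the create URL uses `$SCW_REGION`, and the sentence at line 120 needs rewording and a final period, for example "replace `{instance_id}` in the endpoint and set the `enable_encryption` parameter to `true`."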
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
---
2+
meta:
3+
title: Encryption at rest performance benchmark on Database Instances
4+
description: This page shows benchmarks of different Database Instances' performance when encryption at rest is enabled.
5+
content:
6+
h1: Encryption at rest performance benchmark on Database Instances
7+
paragraph: This page shows benchmarks of different Database Instances' performance when encryption at rest is enabled.
8+
tags: managed-database postgresql mysql encryption at rest
9+
dates:
10+
validation: 2024-12-19
11+
posted: 2024-12-19
12+
categories:
13+
- managed-databases
14+
- postgresql-and-mysql
15+
---
16+
17+
In December 2024, the Scaleway Managed Databases team ran tests on DB-POP2-4C-16G Instances in a Private Network using `pgbench`. Several workloads (including read, oltp and large loads) were simulated with several scale factors (from 1M rows to 200M rows) and concurrent database connections set to 10. They measured the impact of encryption at rest on transactions, per second and latency.
18+
19+
<Message type="important">
20+
For more information on pgbench transactions, refer to the "What is the 'Transaction' actually performed in pgbench?" section of the official [pgbench documentation](https://www.postgresql.org/docs/current/pgbench.html).
21+
</Message>
22+
23+
<Message type="note">
24+
The workloads applied simulate heavy usage scenarios for the purposes of testing. During the beta of encryption at rest, no performance issues were raised by users. If you would like to share your own benchmarks with our team, feel free to reach out to us in the #database channel of the [Scaleway Slack community](/tutorials/scaleway-slack-community/).
25+
</Message>
26+
27+
The table below compares the different workload and setup combinations and indicates the performance results of each:
28+
29+
| Workload Type | Setup | Scale Factor | Performance Impact |
30+
|----------------------|-----------------|--------------|------------------------------------------------------------------------------------|
31+
| **Read Workloads** | Standalone | 10 | No impact |
32+
| | Standalone | 2000 | No real impact with or without encryption at rest |
33+
| | HA | 2000 | 20-30% impact, likely due to disk writes being replicated. Refer to [this blogpost](https://blog.okmeter.io/postgresql-exploring-how-select-queries-can-produce-disk-writes-f36c8bee6b6f) to learn more about disk writes in read operations. |
34+
| **OLTP Workloads** | Standalone | Any | 15% performance drop with encryption at rest activated |
35+
| | HA | 10 | 15% performance drop |
36+
| | HA | 2000 | Up to 30% performance drop |
37+
| **Large Data Load (29 GB)** | Standalone | Any | 10% additional latency |
38+
| | HA | Any | 40% additional latency due to semi-sync replication and encryption overhead |
39+
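Review bot: At line 17 the stray comma in "transactions, per second and latency" splits the metric name; it should read "transactions per second and latency". The intro gives data sizes in rows (1M to 200M) while the table gives pgbench scale factors (10 and 2000) without saying how the two relate, so one sentence connecting them would help. The table cell "No real impact with or without encryption at rest" is ambiguous, since the column is meant to compare the two cases, and the pgbench pointer at line 19 reads as a `note` rather than `important`. The page also states neither the engine version nor the volume type used for the runs, which readers need in order to compare the figures with their own setup.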

menu/navigation.json

Lines changed: 8 additions & 0 deletions
@@ -2198,6 +2198,10 @@
21982198
"label": "PostgreSQL extensions reference",
21992199
"slug": "postgresql-extensions"
22002200
},
2201+
{
2202+
"label": "Encryption at rest performance benchmark",
2203+
"slug": "encryption-at-rest-performance-benchmark"
2204+
},
22012205
{
22022206
"label": "Understanding the autohealing feature",
22032207
"slug": "autohealing"
@@ -2212,6 +2216,10 @@
22122216
"label": "Managed Database for PostgreSQL and MySQL API Reference",
22132217
"slug": "https://www.scaleway.com/en/developers/api/managed-database-postgre-mysql/"
22142218
},
2219+
{
2220+
"label": "Setting up encryption at rest",
2221+
"slug": "setting-up-encryption-at-rest"
2222+
},
22152223
{
22162224
"label": "Setting up and using the pgaudit extension",
22172225
"slug": "pg-audit"
