From ba38d585393022bb1a6b431177b103123ee1971e Mon Sep 17 00:00:00 2001 From: Calle Wilund Date: Wed, 26 Nov 2025 13:29:12 +0000 Subject: [PATCH 1/3] replicated_key_provider: Add deprecation warning on usage Warns user utilizing the provider that the provider is deprecated and will be removed. --- ent/encryption/replicated_key_provider.cc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ent/encryption/replicated_key_provider.cc b/ent/encryption/replicated_key_provider.cc index 1eb5af5110..b0734c4fea 100644 --- a/ent/encryption/replicated_key_provider.cc +++ b/ent/encryption/replicated_key_provider.cc @@ -43,6 +43,7 @@ #include "db/system_keyspace.hh" #include "db/extensions.hh" #include "locator/everywhere_replication_strategy.hh" +#include "release.hh" namespace encryption { @@ -432,6 +433,14 @@ replicated_key_provider_factory::~replicated_key_provider_factory() namespace bfs = std::filesystem; shared_ptr replicated_key_provider_factory::get_provider(encryption_context& ctxt, const options& map) { + static bool did_warn = false; + + if (!std::exchange(did_warn, true)) { + log.warn("ReplicatedKeyProviderFactory is deprecated and will be removed in a future release."); + log.warn("Please consult the Scylla documentation on how to migrate to a supported key provider."); + log.warn("For more info see: {}", doc_link("operating-scylla/security/encryption-at-rest.html")); + } + opt_wrapper opts(map); auto system_key_name = opts(SYSTEM_KEY_FILE).value_or("system_key"); if (system_key_name.find('/') != sstring::npos) { From 52cc30e00cafdd00a1e6f170a5cd175bac456d25 Mon Sep 17 00:00:00 2001 From: Calle Wilund Date: Mon, 1 Dec 2025 09:43:07 +0000 Subject: [PATCH 2/3] ent::encryption: Switch default key provider from replicated to local Since we are deprecating the replicated provider, it makes little sense to have it be default. --- ent/encryption/encryption.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
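Review bot: `did_warn` is an unsynchronized `static bool` that `std::exchange` writes on the first call, so if `replicated_key_provider_factory::get_provider` can be invoked concurrently on more than one shard or thread the first calls race on it — technically undefined behaviour even though the only visible symptom would be a duplicated warning. If the factory is shard-local, `static thread_local bool did_warn = false;` states that intent and costs at most one warning per shard; if a true once-per-process warning is wanted, `static std::atomic<bool> did_warn{false}; if (!did_warn.exchange(true)) {` (needs `<atomic>`) keeps the current semantics without the race. I am assuming `doc_link` is what the new `release.hh` include provides, since neither it nor `log` is declared in the hunk; a short comment on the `static` such as `// warn once per process that this provider is deprecated` would also help the next reader. The body of `get_provider` continues past the end of the hunk.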
diff --git a/ent/encryption/encryption.cc b/ent/encryption/encryption.cc index ca193a9dbe..e86565c282 100644 --- a/ent/encryption/encryption.cc +++ b/ent/encryption/encryption.cc @@ -319,7 +319,7 @@ public: auto provider_class = opts(KEY_PROVIDER); if (!provider_class) { - provider_class = opts(SECRET_KEY_PROVIDER_FACTORY_CLASS).value_or(REPLICATED_KEY_PROVIDER_FACTORY); + provider_class = opts(SECRET_KEY_PROVIDER_FACTORY_CLASS).value_or(LOCAL_FILE_SYSTEM_KEY_PROVIDER_FACTORY); } if (provider_class->empty() || ::strcasecmp(provider_class->c_str(), "none") == 0) { return {}; From 5f53d7852e04065a65574290320bbd9c95b6fab3 Mon Sep 17 00:00:00 2001 From: Calle Wilund Date: Wed, 26 Nov 2025 13:29:57 +0000 Subject: [PATCH 3/3] docs::encryption: Add warning that replicated provider is deprecated And will be removed. --- .../security/encryption-at-rest.rst | 40 ++++++++++++++----- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/docs/operating-scylla/security/encryption-at-rest.rst b/docs/operating-scylla/security/encryption-at-rest.rst index 3429a131d6..c385828225 100644 --- a/docs/operating-scylla/security/encryption-at-rest.rst +++ b/docs/operating-scylla/security/encryption-at-rest.rst @@ -154,7 +154,7 @@ is holding your keys. You can use the following options: * - Local Key Provider - ``LocalFileSystemKeyProviderFactory`` (**default**) - Stores the key on the same machine as the data. - * - Replicated Key Provider + * - Replicated Key Provider (**deprecated**) - ``ReplicatedKeyProviderFactory`` - Stores table keys in a ScyllaDB table where the table itself is encrypted using the system key. 
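Review bot: Changing the `value_or` fallback from `REPLICATED_KEY_PROVIDER_FACTORY` to `LOCAL_FILE_SYSTEM_KEY_PROVIDER_FACTORY` silently changes which provider is selected for any already-created per-table encryption options that set neither `KEY_PROVIDER` nor `SECRET_KEY_PROVIDER_FACTORY_CLASS`; unless the resolved class is persisted in the table schema (not visible here), such tables would be resolved against a local key file after an upgrade instead of the keys in `system_replicated_keys.encrypted_keys`, so existing SSTables could become undecryptable or a fresh key could be generated for them. The commit does not mention an upgrade or migration step, and the docs hunk in patch 3 still says the Replicated Key Provider is "the default key provider for per-table encryption setup" for DataStax compatibility, which now contradicts this change. If the default must change, consider applying it only when options are first created for a new table, or at least document the fallback inline, e.g. `// Default for options that name no provider; tables created under the old replicated default must set a provider explicitly.` The enclosing function starts and ends outside the hunk.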
@@ -183,13 +183,14 @@ Local Key Provider The Local Key Provider is less safe than other options and as such it is not recommended for production use. It is the default key provider for the - node-local encryption configuration in ``scylla.yaml`` because it does not - require any external resources. In production environments, it is recommended - to use an external KMS instead. + node-local encryption configuration in ``scylla.yaml`` and table encryption + because it does not require any external resources. + In production environments, it is recommended to use an external KMS instead. The Local Key Provider is the default key provider for the node-local encryption configuration in ScyllaDB (``user_info_encryption`` and ``system_info_encryption`` -in ``scylla.yaml``). It stores the encryption keys locally on disk in a text file. +in ``scylla.yaml``) as well as table encryption. +It stores the encryption keys locally on disk in a text file. The location of this file is specified in ``scylla.yaml``, or in the table schema. The user has the option to generate the key(s) themselves, or let ScyllaDB generate the key(s) for them. 
@@ -210,16 +211,18 @@ Replicated Key Provider .. note:: + **Warning**: The replicated key provider is deprecated and will be removed + in a future ScyllaDB release. + The Replicated Key Provider is not recommended for production use because it does not support key rotation. For compatibility with DataStax Cassandra, it is the default key provider for per-table encryption setup. In production environments, an external KMS should be used instead. -The Replicated Key Provider is the default key provider for per-table encryption -setup in ScyllaDB (``scylla_encryption_options`` in table schema). It stores and -distributes the encryption keys across every node in the cluster through a -special ScyllaDB system table (``system_replicated_keys.encrypted_keys``). The -Replicated Key Provider requires two additional keys to operate: +The Replicated Key Provider stores and distributes the encryption keys across +every node in the cluster through a special ScyllaDB system table +(``system_replicated_keys.encrypted_keys``). The Replicated Key Provider +requires two additional keys to operate: * A system key - used to encrypt the data in the system table. The system key can be either a local key, or a KMIP key. @@ -302,7 +305,7 @@ Depending on your key provider, you will either have the option to allow ScyllaDB to generate an encryption key, or you will have to provide one: * Local Key Provider - you can provide your own keys, otherwise ScyllaDB will generate them for you -* Replicated Key Provider - you must generate a system key yourself +* Replicated Key Provider - you must generate a system key yourself (**deprecated**) * KMIP Key Provider - you can provide your own keys, otherwise ScyllaDB will generate them for you * KMS Key Provider - you must generate a key yourself in AWS * GCP Key Provider - you must generate a key yourself in GCP 
@@ -432,6 +435,8 @@ desired key provider: You cannot use the same key for both the system key and the local secret key. They must be different keys. + **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release. + .. group-tab:: KMIP Key Provider The KMIP Key Provider will first try to discover existing keys in the KMIP @@ -994,6 +999,8 @@ in the ``scylla.yaml`` file. The Replicated Key Provider cannot be used in ``user_info_encryption``. You can only use it to :ref:`Encrypt a Single Table `. + **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release. + .. group-tab:: KMIP Key Provider * Make sure to :ref:`set up a KMIP Host `. @@ -1075,6 +1082,8 @@ in the ``scylla.yaml`` file. The Replicated Key Provider cannot be used in ``user_info_encryption``. You can only use it to :ref:`Encrypt a Single Table `. + **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release. + .. group-tab:: KMIP Key Provider .. code-block:: yaml @@ -1296,6 +1305,8 @@ This procedure demonstrates how to encrypt a new table. .. group-tab:: Replicated Key Provider + **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release. + * Ensure you have a system key. The system key can be either a local key, or a KMIP key. If you don't have a system key, create one by following the procedure in :ref:`Create Encryption Keys `. @@ -1397,6 +1408,7 @@ This procedure demonstrates how to encrypt a new table. ; .. group-tab:: Replicated Key Provider + **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release. .. code-block:: cql 
@@ -1821,6 +1833,8 @@ Once this encryption is enabled, it is used for all system data. The Replicated Key Provider cannot be used for system encryption. You can only use it to :ref:`Encrypt a Single Table `. + **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release. + .. group-tab:: KMIP Key Provider * Make sure to :ref:`set up a KMIP Host `. @@ -1902,6 +1916,8 @@ Once this encryption is enabled, it is used for all system data. The Replicated Key Provider cannot be used for system encryption. You can only use it to :ref:`Encrypt a Single Table `. + **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release. + .. group-tab:: KMIP Key Provider .. code-block:: yaml @@ -2127,6 +2143,8 @@ varies depending on the key provider you are using. The Replicated Key Provider does not support key rotation. If you need to rotate keys, you must migrate to a different key provider. + **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release. + .. group-tab:: KMIP Key Provider .. DSE docs: https://docs.datastax.com/en/dse/6.9/securing/configure-kmip-encryption.html?#secRekeyKMIP