How to Enable Encryption at Rest in ClickHouse

How do I enable disk-level encryption at rest in ClickHouse?

Encryption at rest in ClickHouse secures on-disk data by storing it on encrypted disks or volumes, protecting sensitive information if physical storage is compromised.

Welcome to the Galaxy, Guardian!

Oops! Something went wrong while submitting the form.

Description

What does “encryption at rest” mean in ClickHouse?

ClickHouse supports file-system level encryption through the Encrypted disk type. All data written to this disk is transparently encrypted with AES-256-CTR and salted HMAC for integrity.

How do I declare an encrypted disk in the config?

Add a <disk> section inside storage_configuration in config.xml.Provide the path, optional cache size, and a 256-bit hex key or an environment variable reference.

<disk name="encrypted_disk" type="encrypted">
<path>/var/lib/clickhouse/encrypted/</path>
<encryption_key/>${CLICKHOUSE_KEY}</encryption_key>
</disk>

How can I create a volume that uses the encrypted disk?

Define a <volume> element that lists the encrypted disk. The volume can include multiple disks for redundancy.

<volume name="secure_volume">
<disk>encrypted_disk</disk>
</volume>

How do I create tables on the encrypted volume?

Specify the volume in the ON VOLUME clause while creating a table or use ALTER TABLE ...MOVE PARTITION.

Example

CREATE TABLE Orders (
id UInt64,
customer_id UInt64,
order_date Date,
total_amount Decimal(12,2)
) ENGINE = MergeTree()
ORDER BY id
ON VOLUME secure_volume;

How do I rotate the encryption key?

Change the key in config.xml, restart ClickHouse, and run SYSTEM DISK ENCRYPTION ROTATE KEY encrypted_disk to re-encrypt existing data.

Best practices for encrypted ClickHouse deployments

Store keys in a hardware security module or secrets manager.
Restrict config.xml permissions to the clickhouse user.
Enable TLS for in-transit encryption to complement at-rest security.
Use separate volumes for hot and cold data to limit performance impact.

Can I combine S3 storage with encryption at rest?

Yes.Create an S3Encrypted disk or enable server-side encryption in your bucket. Specify the disk in a volume just like a local encrypted disk.

Performance impact questions

AES-NI hardware acceleration keeps overhead <5 %. Benchmark with production workloads to tune read/write thread pools and cache sizes.

Why How to Enable Encryption at Rest in ClickHouse is important

How to Enable Encryption at Rest in ClickHouse Example Usage


-- Encrypt historical Orders and OrderItems tables
aLTER TABLE Orders MOVE PARTITION '2023-01' TO DISK encrypted_disk;
ALTER TABLE OrderItems MOVE PARTITION '2023-01' TO VOLUME secure_volume;

How to Enable Encryption at Rest in ClickHouse Syntax


-- Add encrypted disk in config.xml
<storage_configuration>
  <disk name="encrypted_disk" type="encrypted">
    <path>/var/lib/clickhouse/encrypted/</path>
    <encryption_key>${CLICKHOUSE_KEY}</encryption_key>  -- 64-char hex or env var
    <path_to_key_file>/keys/clickhouse.key</path_to_key_file>  -- optional
    <cipher>AES_256_CTR</cipher>  -- default
  </disk>
  <volume name="secure_volume">
    <disk>encrypted_disk</disk>
  </volume>
</storage_configuration>

-- SQL helper commands
SYSTEM DISK ENCRYPTION ROTATE KEY encrypted_disk;
SYSTEM DISK ENCRYPTION VALIDATE encrypted_disk;

-- Place a table on the encrypted volume
CREATE TABLE Orders (
  id UInt64,
  customer_id UInt64,
  order_date Date,
  total_amount Decimal(12,2)
) ENGINE = MergeTree() ORDER BY id ON VOLUME secure_volume;

Common Mistakes

Storing the encryption key in plain text inside config.xml. Fix: reference an environment variable or external key file with restricted permissions.
Creating the table before defining the encrypted disk. Fix: declare disks and volumes first, then create or move tables onto them.