docs: Data-at-rest encryption in Cube Store and customer-provided keys (CMK) (#8791)

* docs: Data-at-rest encryption in Cube Store and customer-provided keys (CMK)

* .

* Update docs/pages/product/workspace/encryption-keys.mdx

Co-authored-by: Sam Hughes <sam@cube.dev>

* Describe layers

* .

---------

Co-authored-by: Sam Hughes <sam@cube.dev>

Author: igorlukanin

docs/pages/product/caching/running-in-production.mdx

@@ -221,27 +221,41 @@ Cube Store cluster uses both persistent and scratch storage.
 Cube Store makes use of a separate storage layer for storing metadata as well as
 for persisting pre-aggregations as Parquet files.
 
-Cube Store [can be configured][ref-config-env] to use either AWS S3 or
-Google Cloud Storage (GCS) as persistent storage. If desired, local path on
+Cube Store can be configured to use either AWS S3, Google Cloud Storage (GCS), or
+Azure Blob Storage as persistent storage. If desired, a local path on
 the server can also be used in case all Cube Store cluster nodes are
 co-located on a single machine.
 
 <InfoBox>
 
-Cube Store can only use one type of remote storage at runtime.
+Cube Store can only use one type of remote storage at the same time.
 
 </InfoBox>
 
 <WarningBox>
 
-Cube Store requires strong consistency guarantees from underlying distributed
-storage. AWS S3, Google Cloud Storage, and Azure Blob Storage (Cube Cloud only)
-are the only known implementations that provide strong consistency. Using other
-implementations in production is discouraged and can lead to consistency and
-data corruption errors.
+Cube Store requires strong consistency guarantees from an underlying distributed
+storage. AWS S3, Google Cloud Storage, and Azure Blob Storage are the only known
+implementations that provide them. Using other implementations in production is
+discouraged and can lead to consistency and data corruption errors.
 
 </WarningBox>
 
+<SuccessBox>
+
+Using Azure Blob Storage with Cube Store is only supported in Cube Cloud on
+[Enterprise and above plans](https://cube.dev/pricing).
+
+</SuccessBox>
+
+<InfoBox>
+
+As an additional layer on top of standard AWS S3, Google Cloud Storage (GCS), or
+Azure Blob Storage encryption, persistent storage can optionally use [Parquet
+encryption](#data-at-rest-encryption) for data-at-rest protection.
+
+</InfoBox>
+
 A simplified example using AWS S3 might look like:
 
 ```yaml
@@ -313,10 +327,37 @@ should be built before any tables are removed.
 
 ## Security
 
-Cube Store currently does not have any in-built authentication mechanisms. For
-this reason, we recommend running your Cube Store cluster on a network that only
-allows requests from the Cube deployment.
+### Authentication
+
+Cube Store does not have any in-built authentication mechanisms. For this reason,
+we recommend running your Cube Store cluster with a network configuration that
+only allows access from the Cube deployment.
+
+### Data-at-rest encryption
+
+[Persistent storage](#persistent-storage) is secured using the standard AWS S3,
+Google Cloud Storage (GCS), or Azure Blob Storage encryption.
+
+Cube Store also provides optional data-at-rest protection by utilizing the
+[modular encryption mechanism][link-parquet-encryption] of Parquet files in its
+persistent storage. Pre-aggregation data is secured using the [AES cipher][link-aes]
+with 256-bit keys. Data encyption and decryption are completely seamless to Cube
+Store operations.
+
+<SuccessBox>
+
+Data-at-rest encryption in Cube Store is only available in Cube Cloud on
+[Enterprise and above plans](https://cube.dev/pricing).
+
+</SuccessBox>
+
+You can provide, rotate, or drop your own [customer-managed keys][ref-cmk] (CMK)
+for Cube Store via the <Btn>Encryption Keys</Btn> page in Cube Cloud.
+
 
 [link-wsl2]: https://docs.microsoft.com/en-us/windows/wsl/install-win10
 [ref-caching-partitioning]: /product/caching/using-pre-aggregations#partitioning
 [ref-config-env]: /reference/configuration/environment-variables
+[link-parquet-encryption]: https://parquet.apache.org/docs/file-format/data-pages/encryption/
+[link-aes]: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
+[ref-cmk]: /product/workspace/encryption-keys

docs/pages/product/workspace.mdx

@@ -37,6 +37,8 @@ metrics to external monitoring tools.
   Cube Cloud account and [single sign-on][ref-sso].
 - Use [Audit Log][ref-audit-log] to review security-related events in your
 Cube Cloud account.
+- Use the [encryption keys][ref-encryption-keys] page to manage [data-at-rest
+encryption in Cube Store][ref-cube-store-encryption].
 - Use [Budgets][ref-budgets] to control the usage and spend of your Cube
   Cloud account.
 - Use [Preferences][ref-prefs] to adjust the workspace to your liking.
@@ -74,3 +76,5 @@ With Cube Core, you can:
 [ref-cli]: /product/workspace/cli
 [ref-ai-assistant]: /product/workspace/ai-assistant
 [ref-semantic-catalog]: /product/workspace/semantic-catalog
+[ref-encryption-keys]: /product/workspace/encryption-keys
+[ref-cube-store-encryption]: /product/caching/running-in-production#data-at-rest-encryption

docs/pages/product/workspace/_meta.js

@@ -14,6 +14,7 @@ module.exports = {
   "access-control": "Access Control",
   "sso": "Single Sign-on",
   "audit-log": "Audit Log",
+  "encryption-keys": "Encryption keys",
   "budgets": "Budgets",
   "preferences": "Preferences",
   "cli": "CLI",

docs/pages/product/workspace/encryption-keys.mdx

@@ -0,0 +1,89 @@
+# Encryption keys
+
+The <Btn>Encryption Keys</Btn> page in Cube Cloud allows to manage [data-at-rest
+encryption in Cube Store][ref-cube-store-encryption].
+
+<SuccessBox>
+
+Data-at-rest encryption in Cube Store is only available in Cube Cloud on
+[Enterprise and above plans](https://cube.dev/pricing).
+
+</SuccessBox>
+ 
+Navigate to <Btn>Settings → Encryption Keys</Btn> in your Cube Cloud deployment
+to [provide](#add-a-key), [rotate](#rotate-a-key), or [drop](#drop-a-key)
+your own customer-managed keys (CMK) for Cube Store.
+
+## Customer-managed keys for Cube Store
+
+On the <Btn>Encryption Keys</Btn> page, you can see all previously provided keys:
+
+<Screenshot src="https://ucarecdn.com/48038ac1-fdf1-4c87-8860-ac503bfcdac3/" />
+
+### Add a key
+
+To add an encryption key, click <Btn>Create</Btn> to open a modal window.
+Provide the key name and the key value: an 256-bit AES encryption key, encoded
+in [standard Base64][link-base64] in its canonical representation.
+
+<Screenshot src="https://ucarecdn.com/9338679e-9ed0-4ac2-86a8-975e08699c34/" />
+
+**Once the first encryption key is added, Cube Store will assume that data-at-rest
+encryption is enabled.** After that, querying unencrypted pre-aggregation partitions
+will yield the following error: `Invalid Parquet file in encrypted mode. File (or
+at least the Parquet footer) is not encrypted`.
+
+<InfoBox>
+
+It may take a few minutes for any changes to encryption keys to take effect.
+
+</InfoBox>
+
+After the refresh worker builds or rebuilds pre-aggregation partitions with
+respect to their [refresh strategy][ref-pre-aggs-refresh-strategy] or after they
+are [built manually][ref-pre-aggs-build-manually], their data will be encrypted.
+
+**For encryption, the most recently added encryption key is used.** For decryption,
+all previously provided keys can be used, if there are still any pre-aggregation
+partitions encrypted with those keys.
+
+### Rotate a key
+
+To rotate an encryption key, you have to [add a new key](#add-a-key) and then
+rebuild pre-aggregation partitions using this key, either by the means of the
+refresh worker, or manually.
+
+You can check which encryption key is used by any pre-aggregation partition by
+querying `system.tables` in Cube Store via [SQL Runner][ref-sql-runner]:
+
+<Screenshot src="https://ucarecdn.com/017ca9d6-e8d2-4896-9324-1bec38aaa621/" />
+
+<WarningBox>
+
+Only newly built or rebuilt pre-aggregation partitions will be encrypted using the
+newly added encryption key. Previously built partitions will still be encrypted
+using previously provided keys. If you [drop a key](#drop-a-key) before these
+partitions are rebuilt, querying them will yield an error.
+
+</WarningBox>
+
+<InfoBox>
+
+If you're using [incremental pre-aggregations][ref-pre-aggs-incremental], the
+refresh worker will likely only rebuild some of their partitions. You have to [rebuild
+them manually][ref-pre-aggs-build-manually] to ensure that the new encryption key
+is used.
+
+</InfoBox>
+
+### Drop a key
+
+To drop an encryption key, click <Btn>Delete</Btn> next to it.
+
+
+[ref-cube-store-encryption]: /product/caching/running-in-production#data-at-rest-encryption
+[link-base64]: https://datatracker.ietf.org/doc/html/rfc4648#section-4
+[ref-pre-aggs-refresh-strategy]: /product/caching/using-pre-aggregations#refresh-strategy
+[ref-pre-aggs-build-manually]: /product/workspace/pre-aggregations
+[ref-pre-aggs-incremental]: /reference/data-model/pre-aggregations#incremental
+[ref-sql-runner]: /product/workspace/sql-runner