From cf5b00a7a1b9fafa0b264512a19418afaf34b65f Mon Sep 17 00:00:00 2001
From: Leticia Webb
Date: Fri, 12 Jun 2026 14:30:44 -0700
Subject: [PATCH 1/3] Remove CMEK v1 migration page
---
 .../guides/security/05_cmek_migration.md | 104 ------------------
 1 file changed, 104 deletions(-)
 delete mode 100644 docs/cloud/guides/security/05_cmek_migration.md
diff --git a/docs/cloud/guides/security/05_cmek_migration.md b/docs/cloud/guides/security/05_cmek_migration.md
deleted file mode 100644
index aff44be6f14..00000000000
--- a/docs/cloud/guides/security/05_cmek_migration.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-sidebar_label: 'Legacy CMEK migration'
-slug: /cloud/security/cmek-migration
-title: 'Migrating from CMEK v1 to v2'
-description: 'Migration instructions to move from legacy CMEK to version 2'
-doc_type: 'guide'
-keywords: ['ClickHouse Cloud', 'encryption', 'CMEK']
----
-
-We're improving the security of customer managed encryption keys (CMEK) services. All services are now configured with a unique AWS role per service to authorize using customer keys to encrypt and decrypt services. This new role is only shown in the service configuration screen.
-
-OpenAPI and Terraform are both supported for this new process. For more information, check out our docs ([Enhanced Encryption](/docs/cloud/security/cmek), [Cloud API](/docs/cloud/manage/api/api-overview), [Official Terraform Provider](https://registry.terraform.io/providers/ClickHouse/clickhouse/latest/docs)).
-
-:::warning
-Customers utilizing CMEK v1 must migrate services no later than June 1st, 2026. After this date customer managed keys will be rotated to ClickHouse managed keys by default. Customers may rotate back to customer managed keys after the default migration.
-:::
-
-## Manual migration {#manual-migration}
-
-Complete the following steps to migrate to the new process:
-1. Sign in to https://console.clickhouse.cloud
-2. Click on the encrypted service
-3. Click on Service Settings on the left
-4. Scroll to the bottom of the screen and expand View service details
-5. Copy the Encryption Role ID (IAM)
-6. Go to your KMS key in AWS and update the Key Policy to add the following:
-```json
-{
- "Sid": "Allow ClickHouse Access",
- "Effect": "Allow",
- "Principal": {
- "AWS": ["Encryption role ID (ARN)"]
- },
- "Action": [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:DescribeKey"
- ],
- "Resource": "*"
-}
-```
-7. In ClickHouse Cloud, open a support case to let us know we can enable the new method. This change requires a service restart, please let us know if there is a day/ time that is best to restart the service.
-8. Once we restart the service, go to your KMS key in AWS and remove the following from the Key Policy:
-```json
-{
- "Sid": "Allow ClickHouse Access",
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::576599896960:role/prod-kms-request-role"
- },
- "Action": ["kms:GetPublicKey",
- "kms:Decrypt",
- "kms:GenerateDataKeyPair",
- "kms:Encrypt",
- "kms:GetKeyRotationStatus",
- "kms:GenerateDataKey",
- "kms:DescribeKey"],
- "Resource": "*"
-}
-```
-9. The update is complete!
-
-## Terraform migration {#terraform-migration}
-1. Update to [Terraform version 3.5.0 or higher](https://registry.terraform.io/providers/ClickHouse/clickhouse/latest/docs)
-2. Apply Terraform without changes. A new field for transparent_data_encryption will appear in the Terraform state. Make note of the role_id here.
-3. Go to your KMS key in AWS and update the Key Policy to add the following:
-```json
-{
- "Sid": "Allow ClickHouse Access",
- "Effect": "Allow",
- "Principal": {
- "AWS": ["Encryption role ID (ARN)"]
- },
- "Action": [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:DescribeKey"
- ],
- "Resource": "*"
-}
-```
-4. In ClickHouse Cloud, open a support case with the service name to let us know we can enable the new method. This change requires a service restart, please let us know if there is a day/ time that is best to restart the service.
-5. After we restart the service, you can update the transparent_data_encryption.enabled setting to ‘True’ and remove the tier setting in Terraform and apply. This will result in no changes.
-6. Go to your KMS key in AWS and remove the following from the Key Policy:
-```json
-{
- "Sid": "Allow ClickHouse Access",
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::576599896960:role/prod-kms-request-role"
- },
- "Action": ["kms:GetPublicKey",
- "kms:Decrypt",
- "kms:GenerateDataKeyPair",
- "kms:Encrypt",
- "kms:GetKeyRotationStatus",
- "kms:GenerateDataKey",
- "kms:DescribeKey"],
- "Resource": "*"
-}
-```
-7. The update is complete!
From 181251a56ee8cf409db5e830f24b027bdf52f191 Mon Sep 17 00:00:00 2001
From: Leticia Webb
Date: Fri, 12 Jun 2026 14:41:42 -0700
Subject: [PATCH 2/3] Add redirect URL for the deleted page
---
 vercel.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/vercel.json b/vercel.json
index 98bdb425210..6548ef9e45d 100644
--- a/vercel.json
+++ b/vercel.json
@@ -3882,6 +3882,10 @@
 "source": "/docs/integrations/pg_clickhouse/reference",
 "destination": "/docs/cloud/managed-postgres/extensions/pg_clickhouse/reference",
 "permanent": true
- }
+ },
+ {
+ "source": "/docs/cloud/security/cmek-migration",
+ "destination": "/docs/cloud/security/cmek",
+ "permanent": true}
 ]
 }
From 93e81c6c881528c2fedc073ebcabc3090f57f6b3 Mon Sep 17 00:00:00 2001
From: Dominic Tran
Date: Fri, 12 Jun 2026 17:17:33 -0500
Subject: [PATCH 3/3] finor formatting fix
---
 vercel.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/vercel.json b/vercel.json
index 6548ef9e45d..1f6a70bd3d2 100644
--- a/vercel.json
+++ b/vercel.json
@@ -3886,6 +3886,7 @@
 {
 "source": "/docs/cloud/security/cmek-migration",
 "destination": "/docs/cloud/security/cmek",
- "permanent": true}
+ "permanent": true
+ }
 ]
 }
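Review bot: The permanent redirect added to `vercel.json` in PATCH 2/3 sends `/docs/cloud/security/cmek-migration` to the general CMEK page, and nothing in this series shows that page carrying over the final step of the deleted guide: removing the legacy `"Allow ClickHouse Access"` statement for the v1 role from the customer's KMS key policy. The deleted page says services not migrated by the deadline are rotated to ClickHouse managed keys by default, so some customers presumably still have that grant (Encrypt, Decrypt, GenerateDataKey and others on the key) in their policy, with no page left telling them to revoke it. Before the redirect ships I would confirm that `/docs/cloud/security/cmek` covers the cleanup, or add a short line there such as `If your key policy still contains the legacy CMEK v1 statement, remove it.`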