Setting Up a Datacenter with EBS Encryption
Datacenters running on Amazon EBS can be encrypted with an AWS KMS key. This encrypts both your EBS volumes and your S3 backups. Setting it up takes a few steps:
In your AWS account:
- Go to Key Management Service and click Create a Key.
- Follow the AWS wizard to create an AWS encryption key in the datacenter’s intended region. Make sure to add the AWS account ID (e.g. your provider’s account) that this key should grant access to. In the example below it gives access to Instaclustr’s account (003793401444) as an External Account.
In the Instaclustr console:
- Navigate to Cluster Resources -> Encryption Keys by clicking the gear icon at the top right-hand corner.
- You’ll need the AWS key’s ARN, found in the key’s details after key creation.
- The alias will identify this key in other parts of the Instaclustr console. When you have entered an alias, the AWS key’s ARN, and the Instaclustr account with which you want to associate the key, click on Add Key to add the key to your account.
- When you Create a Cluster or Add a Data Center to an existing cluster, you will now have the option to enable EBS encryption. On the Data Center section of the wizard, enable the At Rest EBS Encryption option and select an EBS encryption key from the dropdown. The keys listed will be those that have been previously added and are in the same region as the datacenter being requested.
- Finish the Create a Cluster or Add a Data Center process to provision the encrypted data center. That’s it! Encryption and decryption are handled transparently by AWS Key Management Service, so use the datacenter exactly as you would an unencrypted one.
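The two things that most often go wrong in the procedure above are a key policy that never actually grants the external account use of the key, and a key created in a different region from the datacenter (such keys are silently absent from the dropdown). The following is an added example, not Instaclustr’s code or AWS’s, that builds the standard cross-account KMS key policy and runs a pre-flight check of both conditions before you paste the ARN into the console. The key ARN, key-owning account ID and datacenter region are constructed placeholders; the external account ID is the one quoted on this page. The policy statements follow the common AWS pattern for sharing a KMS key with another account for EBS use (key use plus grant creation for AWS resources); verify them against the AWS documentation linked below for your own setup.

```python
import fnmatch
import json
import re

# Constructed example values; replace with your own.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_OWNER_ACCOUNT = "111122223333"   # constructed: the AWS account that owns the key
EXTERNAL_ACCOUNT = "003793401444"    # from the page: Instaclustr's account
DATACENTER_REGION = "us-east-1"      # constructed: region the datacenter is requested in

KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$"
)
ROOT_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")

# Actions an external account needs for EBS to encrypt/decrypt volumes with this key
# and to attach the key to volumes via grants (assumed standard AWS pattern).
REQUIRED_USE_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
    "kms:DescribeKey", "kms:CreateGrant",
}


def parse_key_arn(arn):
    """Split a KMS key ARN into region, account and key id; reject anything malformed."""
    m = KEY_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return m.groupdict()


def build_key_policy(owner_account, external_account):
    """Key policy keeping the owner in full control and letting the external account
    use the key for EBS (assumed standard cross-account layout, see lead-in)."""
    ext_root = f"arn:aws:iam::{external_account}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Owner keeps administrative control through IAM policies.
                "Sid": "EnableIAMPoliciesInOwnerAccount", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
                "Action": "kms:*", "Resource": "*",
            },
            {   # External account may use the key for cryptographic operations.
                "Sid": "AllowUseOfKeyByExternalAccount", "Effect": "Allow",
                "Principal": {"AWS": ext_root},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {   # External account may create grants, but only on behalf of AWS services (EBS).
                "Sid": "AllowAttachmentOfPersistentResources", "Effect": "Allow",
                "Principal": {"AWS": ext_root},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _listify(value):
    return value if isinstance(value, list) else [value]


def accounts_allowed_to_use(policy):
    """Account IDs whose Allow statements together cover every REQUIRED_USE_ACTION
    (wildcard actions such as kms:* or kms:ReEncrypt* are honoured)."""
    granted = {}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _listify(st.get("Action", []))
        for principal in _listify(st.get("Principal", {}).get("AWS", [])):
            m = ROOT_PRINCIPAL_RE.match(principal)
            if m:
                granted.setdefault(m.group(1), set()).update(actions)
    return {
        acct for acct, actions in granted.items()
        if all(any(fnmatch.fnmatchcase(req, pat) for pat in actions)
               for req in REQUIRED_USE_ACTIONS)
    }


def preflight(key_arn, datacenter_region, policy, external_account):
    """Mirror the console's rules before adding the key: same region as the
    datacenter, and the external account must be able to use the key.
    Returns a list of problems; an empty list means the key should appear in the dropdown."""
    problems = []
    parts = parse_key_arn(key_arn)
    if parts["region"] != datacenter_region:
        problems.append(f"key is in {parts['region']} but the datacenter is in "
                        f"{datacenter_region}; it will not be listed for this datacenter")
    if external_account not in accounts_allowed_to_use(policy):
        problems.append(f"key policy does not grant account {external_account} use of the key")
    return problems


if __name__ == "__main__":
    policy = build_key_policy(KEY_OWNER_ACCOUNT, EXTERNAL_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print("problems:", preflight(KEY_ARN, DATACENTER_REGION, policy, EXTERNAL_ACCOUNT))
```

Run it with your real key ARN and region, and compare the printed policy against the one the KMS console generated for the key; a non-empty problem list explains why the key is missing from the At Rest EBS Encryption dropdown or why provisioning fails once selected.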
For more information regarding Amazon’s encryption service see:
- Share Custom Encryption Keys More Securely Between Accounts by Using AWS Key Management Service
- Amazon EBS Encryption
Enabling this feature on an existing cluster
Most existing clusters will require a data center migration to move to encrypted EBS, since volumes cannot be encrypted in place.
Set up your AWS Encryption keys as per the process above, and email [email protected] to request adding this on your existing cluster.
We are available to provide additional information and guide you through this process. Please email [email protected] or raise a new ticket.