Clusters or data centres running on AWS can have storage encrypted at rest with a customer managed AWS KMS key. This will encrypt both your EBS volumes and S3 backups for EBS backed instances, or the S3 backups for local storage nodes. Creating a cluster with a customer managed KMS key requires the following steps.
1. Adding a KMS Key to the Instaclustr Platform
The first thing we need to do is add a customer managed key to the Instaclustr Management Platform. The steps required differ depending on whether you are creating a Run in Instaclustr’s Account (RIIA) or Run in Your Own Account (RIYOA) data centre.
2. Creating a cluster using EBS Encryption
Once you have added the KMS Key to the Instaclustr platform, you can provision new clusters using your specified key.
- The workflow for creating clusters using EBS Encryption is similar to our normal create cluster workflow; however, in the “Data Centre” section of the wizard, select the same region as the desired KMS Key.
Note: for customers who have Run in Your Own Account (RIYOA) provisioning enabled, you will also need to ensure you have selected the correct provider in the dropdown.
- Then enable the At Rest EBS Encryption option and select an EBS encryption key from the dropdown. The keys listed will be those that have been previously added and are in the same region as the data centre being requested.
- Finish the Create a Cluster or Add a Data Centre process to provision the encrypted data centre. That’s it! Encryption and decryption will be handled transparently by AWS’ Key Management Service, so use the data centre as you would if it were free from encryption.
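Once the data centre is provisioned, you can confirm that every EBS volume is encrypted with the key you selected and that the key sits in the data centre's region. The following is an added example, not Instaclustr's own code. It assumes you can list the volumes yourself (for example in a RIYOA data centre) and that they arrive in the shape returned by EC2 `DescribeVolumes`; the ARNs, volume IDs and function names are constructed for illustration.

```python
import re

# KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>
ARN_RE = re.compile(r"^arn:aws[\w-]*:kms:([a-z0-9-]+):\d{12}:key/[\w-]+$")


def key_region(arn):
    """Extract the region from a KMS key ARN, rejecting anything else."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return m.group(1)


def audit_volumes(volumes, expected_key_arn, dc_region):
    """Return (volume_id, problem) findings; an empty list means compliant."""
    findings = []
    # The key must be in the same region as the data centre.
    if key_region(expected_key_arn) != dc_region:
        findings.append(
            ("*", f"key is in {key_region(expected_key_arn)}, data centre is in {dc_region}")
        )
    for vol in volumes:
        vid = vol["VolumeId"]
        if not vol.get("Encrypted", False):
            findings.append((vid, "volume is not encrypted"))
        elif vol.get("KmsKeyId") != expected_key_arn:
            # Encrypted, but not with the customer managed key that was selected.
            findings.append((vid, f"encrypted with unexpected key {vol.get('KmsKeyId')}"))
    return findings


# Constructed sample data shaped like DescribeVolumes output (not real resources).
EXPECTED = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": EXPECTED},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ccc", "Encrypted": True, "KmsKeyId": OTHER},
]

if __name__ == "__main__":
    for vid, problem in audit_volumes(SAMPLE_VOLUMES, EXPECTED, "us-east-1"):
        print(vid, problem)
```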
Enabling Encryption on an Existing Cluster
Most clusters will require a migration effort to move to encrypted EBS.
Set up your AWS Encryption keys as per the process above, and contact Instaclustr Support to request this change on your existing cluster.
For more information regarding Amazon’s encryption service see: