Setting Up a Datacenter with EBS Encryption

Datacenters running on Amazon's EBS infrastructure can be encrypted with an AWS KMS key. This will encrypt both your EBS volumes and S3 backups.  This involves a few steps to set up:

In your AWS account:

1. Go to IAM → Encryption Keys

IAM_Management_Console.png

2. Create/view an AWS Encryption Key in the datacenter's intended region.

3. Add Instaclustr's account (624537489435) as an External Account

adding_external_accounts.png

 

 

In your Instaclustr account:

1. Go to Account → Encryption Keys to add encryption keys.

  • You'll need the AWS key's ARN, found in the key's details after key creation.
  • The alias will identify this key in other parts of the Instaclustr console.

instaclustr_01.png

2. In the Create a cluster or Add a datacenter page:

  • Select an EBS-based Node Size, and

instaclustr_02.png

 

  • Under EBS Encryption, select Encrypt data at rest and select a key from the dropdown. The keys listed will be those that have been previously added and are in the same region as the datacenter being requested.

instaclustr_03.png

3. Finish the create a cluster or add a datacenter process to provision the encrypted datacenter.

That's it! Encryption and decryption will be handled transparently by AWS' Key Management Service, so use the datacenter as you would with a datacenter of no encryption.

For more information regarding Amazon's encryption service see

Enabling this feature on existing cluster

Most clusters will require a DC migration to move to encrypted EBS. 

Set up your AWS Encryption keys as per the process above, and email support@instaclustr.com to request adding this on your existing cluster. 

Further Questions

We are available to provide additional information and guide you through this process. Please email support@instaclustr.com or raise a new ticket. 

 

Last updated:
If you have questions regarding this article, feel free to add it to the comments below.

0 Comments

Please sign in to leave a comment.