Datacenters running on Amazon's EBS infrastructure can be encrypted with an AWS KMS key. This will encrypt both your EBS volumes and S3 backups. This involves a few steps to set up:
In your AWS account:
1. Go to IAM → Encryption Keys
2. Create/view an AWS Encryption Key in the datacenter's intended region.
3. At this stage, you need to grant key access to a role you created earlier. Details on how to set up this role are in the Instaclustr AWS Setup Guide, in 'Configure IAM role for cross-account access'. By default, the role is called 'instaclustr'.
In the 'Key users' section, under 'This account', add this role.
4. Add Instaclustr's account (624537489435) as an External Account.
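To confirm that steps 3 and 4 took effect, you can audit the key policy itself. The following is an added example, not Instaclustr or AWS code: it checks that the 'instaclustr' role and Instaclustr's account both hold the key-user permissions and flags any statement open to every principal. The customer account ID 111122223333 and the sample policy are constructed, and it assumes the action list matches what the AWS console grants to key users and that the external account appears as its account root principal.

```python
from fnmatch import fnmatchcase

INSTACLUSTR_ROOT = "arn:aws:iam::624537489435:root"           # account ID from this page
CUSTOMER_ROLE = "arn:aws:iam::111122223333:role/instaclustr"  # constructed account ID
# Actions the AWS console grants when a principal is added under "Key users".
KEY_USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                    "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]

def _listify(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """AWS principals named by a statement; a bare "*" means everyone."""
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _listify(principal.get("AWS", []))

def missing_actions(policy, arn):
    """Key-user actions that no Allow statement naming `arn` covers."""
    granted = [a.lower() for s in policy["Statement"]
               if s.get("Effect") == "Allow" and arn in _principals(s)
               for a in _listify(s.get("Action", []))]
    # Granted entries may be wildcards such as "kms:*", so match them as patterns.
    return [want for want in KEY_USER_ACTIONS
            if not any(fnmatchcase(want.lower(), pat) for pat in granted)]

def audit(policy):
    """Return findings; an empty list means both principals are key users."""
    findings = [f"{arn} lacks {', '.join(gap)}"
                for arn in (CUSTOMER_ROLE, INSTACLUSTR_ROOT)
                if (gap := missing_actions(policy, arn))]
    findings += [f"statement {s.get('Sid')!r} allows any principal"
                 for s in policy["Statement"]
                 if s.get("Effect") == "Allow" and "*" in _principals(s)]
    return findings

# Constructed sample: the policy shape expected after steps 3 and 4.
USERS = [CUSTOMER_ROLE, INSTACLUSTR_ROOT]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": USERS},
     "Action": KEY_USER_ACTIONS[:5], "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": USERS}, "Action": KEY_USER_ACTIONS[5:], "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY) or "both principals have key-user access")
```

To audit a real key, replace `SAMPLE_POLICY` with the parsed JSON policy document of your key and set the account ID in `CUSTOMER_ROLE` to your own.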
In your Instaclustr account:
1. Go to Account → Encryption Keys to add encryption keys.
- You'll need the AWS key's ARN, found in the key's details after key creation.
- The alias will identify this key in other parts of the Instaclustr console.
- Select an EBS-based Node Size, and
- Under EBS Encryption, select Encrypt data at rest and select a key from the dropdown. The keys listed will be those that have been previously added and are in the same region as the datacenter being requested.
3. Finish the 'create a cluster' or 'add a datacenter' process to provision the encrypted datacenter.
That's it! Encryption and decryption are handled transparently by AWS Key Management Service, so use the datacenter as you would an unencrypted one.
For more information regarding Amazon's encryption service, see:
- Share Custom Encryption Keys More Securely Between Accounts by Using AWS Key Management Service
- Amazon EBS Encryption
Enabling this feature on an existing cluster
Most clusters will require a DC migration to move to encrypted EBS.
Set up your AWS Encryption keys as per the process above, and email firstname.lastname@example.org to request that this be added to your existing cluster.
We are available to provide additional information and guide you through this process. Please email email@example.com or raise a new ticket.