Datacenters running on Amazon's EBS infrastructure can be encrypted with an AWS KMS key. This will encrypt both your EBS volumes and S3 backups. This involves a few steps to set up:
In your AWS account:
1. Go to IAM → Encryption Keys
2. Create/view an AWS Encryption Key in the datacenter's intended region.
3. Add Instaclustr's account (624537489435) as an External Account
In your Instaclustr account:
4. Go to Account → Encryption Keys → Add Key
- You'll need the AWS key's ARN, found in the key's details after key creation.
- The alias will identify this key in other parts of the Instaclustr console.
- Select an EBS-based Node Size, and
- Select a key from the dropdown.
The keys listed will be those that have been previously added and are in the same region as the datacenter being requested.
6. Finish the "create a cluster" or "add a datacenter" process to provision the encrypted datacenter.
That's it! Encryption and decryption will be handled transparently by AWS' Key Management Service, so use the datacenter like you would a datacenter with no encryption.
For more information regarding Amazon's encryption service, see:
- Share Custom Encryption Keys More Securely Between Accounts by Using AWS Key Management Service
- Amazon EBS Encryption
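After step 3, it is worth confirming what the key policy actually grants to the external account. The following is an added example, not Instaclustr's or AWS's own code: a check over a key policy document, using a constructed sample policy shaped like the statements the AWS console typically writes for key users (an assumption; the page does not show the policy). The function names are hypothetical.

```python
import fnmatch

ACCOUNT = "624537489435"  # Instaclustr account ID from step 3
ADMIN_ACTIONS = ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey"]

# Constructed sample policy (assumed console-style statements, not from the page).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Resource": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Resource": "*",
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else as_list(p.get("AWS", []))

def covers(pattern, action):
    # IAM action names are case-insensitive; * and ? act as wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def audit_key_policy(policy, account=ACCOUNT):
    """Return a list of findings; an empty list means every check passed."""
    findings, seen = [], False
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        who, sid = principals(stmt), stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        if "*" in who and not cond:
            findings.append(f"{sid}: wildcard principal without a condition")
        if not any(p == account or p.startswith(f"arn:aws:iam::{account}:") for p in who):
            continue
        seen = True
        grant_ok = str(cond.get("Bool", {}).get("kms:GrantIsForAWSResource")).lower() == "true"
        for pattern in as_list(stmt.get("Action", [])):
            if any(covers(pattern, a) for a in ADMIN_ACTIONS):
                findings.append(f"{sid}: {pattern} lets the external account administer the key")
            if covers(pattern, "kms:CreateGrant") and not grant_ok:
                findings.append(f"{sid}: {pattern} allows grants not limited to AWS resources")
    if not seen:
        findings.append("external account is not a principal on this key")
    return findings
```

To audit a real key, load the JSON returned by `aws kms get-key-policy` for that key and pass it to `audit_key_policy`.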
Enabling this feature on an existing cluster
Most clusters will require a DC migration to move to encrypted EBS.
Set up your AWS Encryption keys as per the process above, then email email@example.com to request that encryption be added to your existing cluster.
We are available to provide additional information and guide you through this process. Please email firstname.lastname@example.org or raise a new ticket.