Configuring encryption for Data Hub's EBS volumes on AWS

You can configure encryption for Amazon Elastic Block Store (EBS) volumes used by the Data Hub cluster's VM instances to store data.

Amazon offers the option to encrypt EBS volumes and RDS instances using the default key from Amazon's Key Management System (KMS) or using an external customer-managed KMS (CMK). By default, Data Hubs use the same default key from Amazon’s KMS or CMK as the parent environment but you have an option to pass a different CMK during Data Hub creation.

Encryption is configured for block devices and root devices. When encryption is configured for a given cluster, it is automatically applied to all the disk devices of any new VM instances added as a result of cluster scaling or repair.

Environment and Data Hub encryption options

To learn about encryption options that CDP offers for Data Lake, FreeIPA, and Data Hubs, refer to Environment and Data Hub encryption options.

AWS prerequisites for using a CMK

You can use your existing AWS CMK or create a new AWS CMK. For detailed requirements, refer to AWS Requirements: Customer managed encryption keys.

Create a Data Hub with encrypted EBS volumes

EBS encryption can be configured for a Data Hub cluster on the Hardware and Storage page of the advanced create cluster wizard in the CDP web interface.

Note the following:
  • If you previously configured encryption on environment level, the CMK that was provided will be used by default for all Data Hubs running in that environment. You can overwrite it for a specific Data Hub by providing another CMK during Data Hub creation. If no CMK was provided during environment registration, a default key from Amazon’s KMS is used by default to encrypt Data Hubs running in this environment. See Adding a customer managed encryption key to a CDP environment running on AWS.
  • During Data Hub creation, you can specify an encryption key Customer Managed Key (CMK).
  • The Encryption configuration option is available per Data Hub host group. The default setting is Encryption: Not encrypted. To enable encryption, perform the following steps in the create cluster wizard for all host groups for which you would like to use encryption.
  1. Under Instance Type you can see Encryption Supported next to all instance types for which encryption is supported. Ensure that encryption is supported for the instance type that you would like to use.
  2. Click on the icon next to the chosen host group.
  3. Enable the Enable Customer-Managed Keys toggle button.
  4. Under Select Encryption key, select the CMK that you would like to use.
Once the cluster is running, you can confirm that encryption is enabled by navigating to the details of the block devices or root devices in the EC2 console on AWS. The device should be marked as “Encrypted” and the “KMS Key ARN” is listed.