Encryption for EBS volumes on AWS

Configure encryption for Amazon Elastic Block Store (EBS) volumes used by the cluster's VM instances to store data.

As described in Amazon EBS encryption, Amazon offers an option to encrypt EBS volumes. When configuring encryption for the EBS volumes that the cluster's VM instances use to store data, you can use a key created in AWS Key Management Service (KMS), or a KMS key whose key material was generated in an external key management system and imported into KMS. In either case the key that EBS uses is a KMS key, so it must exist in the same AWS account and region as the cluster.

An encryption key is specified per host group, so you can either reuse one encryption key across multiple host groups or assign a separate encryption key to each host group (separate keys let you scope key access and revocation to a single host group). Once enabled, encryption is configured for the following disk types:

  • Block devices
  • Root devices

Once encryption is configured for a given host group, it is automatically applied to the devices of any new instances added to that host group as a result of cluster scaling, using the same key.

In order to configure EBS encryption:

  • Your cloud credential must have the minimum access permissions.
  • Your encryption key must fulfill the required criteria.
  • When creating a cluster, you must explicitly select an existing encryption key for each host group on which you would like to configure EBS volume encryption.
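After the cluster is up, and again after it scales, it is worth verifying that every root and block device in each host group is actually encrypted with the key selected for that host group. The following audit script is an added example, not part of this page or of the cluster management tooling it describes. It assumes that volumes are tagged with their host group under a tag named `hostgroup` and with the cluster name under a tag named `cluster` (both tag names are assumptions); the volume records and key ARNs below are constructed sample data shaped like an EC2 `DescribeVolumes` response, and the live lookup uses the standard boto3 `describe_volumes` paginator.

```python
"""Audit EBS volumes of a cluster: each root and block device in a host group
must be encrypted with that host group's expected KMS key.

Added example; tag names, device names and key ARNs are assumptions."""
from typing import Dict, List, Optional, Tuple

# Constructed sample data, trimmed to the fields the audit reads.
KEY_MASTER = "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-0000-0000-0000-000000000001"
KEY_WORKER = "arn:aws:kms:us-east-1:111122223333:key/bbbb2222-0000-0000-0000-000000000002"
KEY_OTHER = "arn:aws:kms:us-east-1:111122223333:key/cccc3333-0000-0000-0000-000000000003"

SAMPLE_VOLUMES = [
    # master: root device and data disk, both on the master key (compliant)
    {"VolumeId": "vol-0a1", "Encrypted": True, "KmsKeyId": KEY_MASTER,
     "Attachments": [{"InstanceId": "i-0master1", "Device": "/dev/xvda"}],
     "Tags": [{"Key": "hostgroup", "Value": "master"}]},
    {"VolumeId": "vol-0a2", "Encrypted": True, "KmsKeyId": KEY_MASTER,
     "Attachments": [{"InstanceId": "i-0master1", "Device": "/dev/xvdb"}],
     "Tags": [{"Key": "hostgroup", "Value": "master"}]},
    # worker added by a scale-out: root is fine, data disk uses the wrong key,
    # and a third disk is not encrypted at all (no KmsKeyId field is returned)
    {"VolumeId": "vol-0b1", "Encrypted": True, "KmsKeyId": KEY_WORKER,
     "Attachments": [{"InstanceId": "i-0worker7", "Device": "/dev/xvda"}],
     "Tags": [{"Key": "hostgroup", "Value": "worker"}]},
    {"VolumeId": "vol-0b2", "Encrypted": True, "KmsKeyId": KEY_OTHER,
     "Attachments": [{"InstanceId": "i-0worker7", "Device": "/dev/xvdb"}],
     "Tags": [{"Key": "hostgroup", "Value": "worker"}]},
    {"VolumeId": "vol-0b3", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0worker7", "Device": "/dev/xvdc"}],
     "Tags": [{"Key": "hostgroup", "Value": "worker"}]},
]

# The key chosen for each host group at cluster creation (assumed values).
EXPECTED_KEYS = {"master": KEY_MASTER, "worker": KEY_WORKER}

Finding = Tuple[str, Optional[str], Optional[str], str]


def _tag(volume: dict, key: str) -> Optional[str]:
    """Return the value of tag `key` on a volume, or None if absent."""
    for t in volume.get("Tags", []):
        if t.get("Key") == key:
            return t.get("Value")
    return None


def _key_id(key: str) -> str:
    """Normalize a KMS key reference so a bare key ID and a full ARN compare equal."""
    return key.rsplit("key/", 1)[-1]


def audit_volumes(volumes: List[dict], expected_keys: Dict[str, str],
                  hostgroup_tag: str = "hostgroup") -> List[Finding]:
    """Return (volume_id, hostgroup, device, problem) for every non-compliant device.

    A volume that is unencrypted, encrypted with a key other than the host
    group's, untagged, or tagged with an unknown host group is reported.
    """
    findings: List[Finding] = []
    for vol in volumes:
        vid = vol["VolumeId"]
        hg = _tag(vol, hostgroup_tag)
        if hg is None:
            findings.append((vid, None, None, f"missing {hostgroup_tag} tag"))
            continue
        expected = expected_keys.get(hg)
        if expected is None:
            findings.append((vid, hg, None, "no expected key for this host group"))
            continue
        # An unattached volume still counts: report it once with a placeholder device.
        devices = [a["Device"] for a in vol.get("Attachments", [])] or ["(unattached)"]
        for dev in devices:
            if not vol.get("Encrypted", False):
                findings.append((vid, hg, dev, "not encrypted"))
            elif _key_id(vol.get("KmsKeyId", "")) != _key_id(expected):
                findings.append((vid, hg, dev,
                                 f"encrypted with {vol['KmsKeyId']}, expected {expected}"))
    return findings


def fetch_cluster_volumes(ec2, cluster_name: str, cluster_tag: str = "cluster") -> List[dict]:
    """Page through DescribeVolumes for all volumes tagged with the cluster name.

    `ec2` is a boto3 EC2 client; the tag name is an assumption about how the
    cluster's volumes are labelled.
    """
    paginator = ec2.get_paginator("describe_volumes")
    pages = paginator.paginate(Filters=[{"Name": f"tag:{cluster_tag}", "Values": [cluster_name]}])
    return [v for page in pages for v in page["Volumes"]]


if __name__ == "__main__":
    import sys
    # Offline run over the constructed sample. For a live check replace the
    # first line with:
    #   import boto3
    #   volumes = fetch_cluster_volumes(boto3.client("ec2", region_name="us-east-1"), "my-cluster")
    volumes = SAMPLE_VOLUMES
    problems = audit_volumes(volumes, EXPECTED_KEYS)
    for vid, hg, dev, problem in problems:
        print(f"{vid} hostgroup={hg} device={dev}: {problem}")
    sys.exit(1 if problems else 0)
```

The exit status makes the script usable as a post-scaling gate in a pipeline. Comparing on the key ID rather than the full ARN avoids false alarms when the expected key is recorded as a bare ID while `DescribeVolumes` returns an ARN; an alias (`alias/...`) would not match and should be resolved to its key ID first.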