Volume encryption with AWS KMS

Encryption at rest can be achieved on AWS with encrypted volumes with KMS keys

Create a KMS Key

From the AWS Console, go the the IAM Service, then select the left hand side menu Encryption Keys.

Create a new key with the following details:

  • Alias: core-nex-uat or core-nex-prd
  • Description: Encryption for Nex! volumes
  • Key material origin: KMS
  • Tags: environment => uat
  • Key Admins: gapps-superadmin, gapps-poweruser
  • Key usage: mcluster_dev, gapps-superadmin, gapps-poweruser

Configure Nex! Orchestrator

The KMS key ARN must be set in the Nex! configuration. Get the ARN from the AWS Console key details (eg: arn:aws:kms:us-east-1:681271161082:key/50997aaf-7603-421f-8514-4e758738eeb7)

In Nex! configuration, set the parameters volume_encryption_key_id per region:

compute:
  lxc:
    ...
    encrypted: true
    volume_encryption_key_id: 
      southeast-1: arn:aws:kms:ap-southeast-1:681271161082:key/53bd91c9-0156-4e1a-b9b3-6789052078fc
    ...
  docker:
    ...
    encrypted: true
    volume_encryption_key_id: 
      southeast-1: arn:aws:kms:ap-southeast-1:681271161082:key/53bd91c9-0156-4e1a-b9b3-6789052078fc
    ...