AWS KMS
Portworx integrates with AWS Key Management Service (KMS) to generate and manage data encryption keys. This topic explains how to deploy a Portworx cluster that connects to an AWS KMS endpoint. The data keys generated by AWS KMS are used to encrypt Portworx volumes, so volume data is encrypted at rest.
AWS KMS authentication details
Following are the authentication details required by Portworx to use the AWS KMS service:
- AWS Access Key [AWS_ACCESS_KEY_ID] [required]
  AWS Access Key ID of the account which has permissions to call the KMS APIs.
- AWS Secret Key [AWS_SECRET_ACCESS_KEY] [required]
  AWS Secret Access Key of the account which has permissions to call the KMS APIs.
- AWS Secret Token Key [AWS_SECRET_TOKEN_KEY] [optional]
  AWS Secret Token Key (session token), if one is configured for the credentials above.
- AWS KMS key [AWS_CMK] [required]
  The ID of the AWS KMS key (CMK). The CMK ID can be read from the key's resource ARN. Here is an example ARN for a CMK:
  arn:aws:kms:us-east-1:<aws-id>:key/<cmk-id>
  The ARN identifies a resource of the kms service in the us-east-1 region. The trailing ID at the end of the ARN is the actual CMK ID that must be provided to Portworx through the AWS_CMK field. An alias ARN (arn:aws:kms:...:alias/<name>) does not carry the key ID and cannot be used for this field.
- AWS Region of the CMK [AWS_REGION] [required]
  The AWS region the CMK belongs to. CMKs are region specific and cannot be used across regions, so this must be the region shown in the key's ARN.
Configure AWS KMS with Portworx
You can configure Portworx to authenticate with AWS using one of the following methods:
Using AWS environment variables
Portworx can authenticate with AWS using AWS SDK’s EnvProvider. To authenticate Portworx using AWS environment variables, follow these steps:
1. Sign in to the Portworx Central console. The system displays the Welcome to Portworx Central! page.
2. In the Portworx Enterprise section, select Generate Cluster Spec. The system displays the Generate Portworx Enterprise Spec page.
3. From the Portworx Version dropdown menu, select the Portworx version to install.
4. From the Platform dropdown menu, select AWS.
5. From the Distribution Name dropdown menu, select the distribution.
6. Click Customize.
7. Complete the required configuration in the Basic, Storage, Network, and Deployment tabs.
8. In the Deployment tab, under the Environment Variables section, enter all the AWS environment variables listed in AWS KMS authentication details.
9. From the Default Secret Store Type dropdown menu, select AWS KMS.
Note that the access key and secret key entered here become part of the generated cluster spec and are long-lived static credentials. When Portworx runs on EC2 instances, the EC2 role method below avoids storing static credentials in the spec.
Using AWS EC2 Role Credentials
Portworx can authenticate with AWS using AWS SDK's EC2RoleCredentials Provider, which obtains temporary credentials from the instance metadata service.
For information on how to create an EC2 role, see the AWS documentation on IAM roles for Amazon EC2. Ensure that the policy attached to the EC2 role grants access to the KMS key that Portworx will use.
Here is a sample AWS policy that gives access to KMS:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1490047200000",
"Effect": "Allow",
"Action": [
"kms:*"
],
"Resource": [
"arn:aws:kms:us-east-1:<aws-id>:key/<key-id>"
]
}
]
}
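The sample policy above allows `kms:*` on the key, which is broader than envelope encryption requires. The following Python snippet is an added example (not part of the Portworx documentation or product): it lints an IAM policy document for wildcard KMS actions and over-broad resources, and emits a tightened statement scoped to one key ARN. The action list in `NEEDED_ACTIONS` is an assumption about what a KMS data-key client calls; confirm the exact set Portworx invokes against CloudTrail before deploying it.

```python
import json

# The sample policy from this page, constructed here as lint input.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490047200000",
            "Effect": "Allow",
            "Action": ["kms:*"],
            "Resource": ["arn:aws:kms:us-east-1:<aws-id>:key/<key-id>"],
        }
    ],
}

# ASSUMPTION: the data-key operations an envelope-encryption client needs.
# Verify against the actions Portworx actually calls (CloudTrail) before use.
NEEDED_ACTIONS = ("kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_kms_policy(policy: dict) -> list:
    """Return human-readable findings for Allow statements that over-grant KMS."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        for action in _as_list(stmt.get("Action")):
            # "*" and "kms:*" include administrative calls such as
            # kms:ScheduleKeyDeletion, which a storage node never needs.
            if action == "*" or action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action!r} grants more than data-key operations")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or not resource.startswith("arn:aws:kms:"):
                findings.append(f"{sid}: resource {resource!r} is not limited to a KMS key")
            elif ":key/" not in resource:
                findings.append(f"{sid}: resource {resource!r} is not a key ARN (aliases do not scope Decrypt)")
    return findings


def tightened_policy(key_arn: str) -> dict:
    """Build a least-privilege replacement statement for a single key ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PortworxKmsDataKeys",  # hypothetical Sid
                "Effect": "Allow",
                "Action": list(NEEDED_ACTIONS),
                "Resource": [key_arn],
            }
        ],
    }


if __name__ == "__main__":
    for finding in lint_kms_policy(PAGE_POLICY):
        print("FINDING:", finding)
    print(json.dumps(tightened_policy("arn:aws:kms:us-east-1:123456789012:key/<key-id>"), indent=2))
```

Run the linter against the policy you intend to attach to the EC2 role; an empty findings list means every Allow statement names explicit KMS actions on explicit key ARNs.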
Attach the EC2 role to all the AWS instances on which Portworx will run. Note that `kms:*` also grants administrative operations on the key (for example kms:ScheduleKeyDeletion); prefer restricting the Action list to the data-key operations Portworx actually invokes and the Resource to the single key ARN.
Along with the EC2 role, you still need to provide AWS_CMK and AWS_REGION, either through config.json or as environment variables. To provide them through config.json, add the following section to config.json on all the nodes:
cat /etc/pwx/config.json
{
"clusterid": "<cluster-id>",
"secret": {
"secret_type": "aws-kms",
"aws": {
"AWS_CMK": "your-aws-kms-key-id",
"AWS_REGION": "your-aws-region-to-which-this-cmk-belongs"
}
}
...
}
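Both the authentication details above and the config.json section require the CMK ID and region to agree with the key's ARN. The following Python snippet is an added example (not Portworx code): it parses a KMS key ARN into its region and key ID, derives the AWS_CMK and AWS_REGION values from it, checks an existing setting pair against the ARN, and merges a `secret` section into a config.json document while preserving the other keys. The sample ARN and cluster ID are constructed for the example; the function names are hypothetical.

```python
import json
import re

# Key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>. The account
# field is optional here because this page's example ARN leaves it empty.
KEY_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):kms:"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+):"
    r"(?P<account>\d{12})?:"
    r"key/(?P<key_id>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)

# Constructed sample values (not a real key or cluster).
SAMPLE_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_CONFIG = {"clusterid": "px-cluster-01", "dataiface": "eth0"}


def is_key_arn(arn: str) -> bool:
    """True only for a key ARN; alias ARNs carry no key ID and are rejected."""
    return KEY_ARN_RE.match(arn) is not None


def parse_key_arn(arn: str) -> dict:
    """Split a KMS key ARN into partition, region, account and key_id."""
    match = KEY_ARN_RE.match(arn)
    if match is None:
        hint = " (alias ARNs are not accepted; use the key ARN)" if ":alias/" in arn else ""
        raise ValueError(f"not a KMS key ARN: {arn}{hint}")
    return match.groupdict()


def kms_settings_from_arn(arn: str) -> dict:
    """Derive the two values Portworx needs from the ARN's own fields."""
    parts = parse_key_arn(arn)
    return {"AWS_CMK": parts["key_id"], "AWS_REGION": parts["region"]}


def check_kms_settings(settings: dict, arn: str) -> list:
    """Report mismatches between configured AWS_CMK/AWS_REGION and the key ARN."""
    if not is_key_arn(arn):
        return [f"cannot validate: {arn!r} is not a KMS key ARN"]
    expected = kms_settings_from_arn(arn)
    problems = []
    for name, want in expected.items():
        got = settings.get(name)
        if got is None:
            problems.append(f"{name} is missing")
        elif got != want:
            # CMKs are region specific: a wrong AWS_REGION means every
            # GenerateDataKey call fails at cluster start.
            problems.append(f"{name}={got!r} does not match ARN value {want!r}")
    return problems


def merge_secret_section(config: dict, arn: str) -> dict:
    """Return a copy of config.json content with the aws-kms secret section set."""
    merged = json.loads(json.dumps(config))  # deep copy; never mutate the input
    merged["secret"] = {"secret_type": "aws-kms", "aws": kms_settings_from_arn(arn)}
    return merged


if __name__ == "__main__":
    print(json.dumps(merge_secret_section(SAMPLE_CONFIG, SAMPLE_ARN), indent=2))
    print(check_kms_settings({"AWS_CMK": "1234abcd-12ab-34cd-56ef-1234567890ab",
                              "AWS_REGION": "us-west-2"}, SAMPLE_ARN))
```

Run `check_kms_settings` against the values you are about to place in the cluster spec's environment variables or in config.json; an empty list means the region and key ID are consistent with the ARN the role's policy references.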
Using AWS KMS with Portworx
To use AWS KMS with Portworx, proceed to one of the below sections.