AWS Key Management Service (KMS) is a managed service for creating and controlling the encryption keys used to encrypt your data. It is integrated with a number of AWS services, including Elastic Block Store (EBS) and Relational Database Service (RDS), which are the two services that matter when running Dbvisit Replicate on AWS.
The important point is this:
When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
The encryption occurs on the servers that host EC2 instances, providing encryption of data-in-transit from EC2 instances to EBS storage.
When you launch an EC2 instance, the EBS volumes attached to it can be encrypted with a KMS key, and when you select the encryption option for an RDS instance, AWS enables KMS encryption on the underlying storage it creates for that database. In both cases the choice is made at creation time. In either case:
You can access encrypted volumes the same way that you access existing volumes; encryption and decryption are handled transparently and they require no additional action from you, your EC2 instance, or your application.
We have tested both the EC2 and the RDS configurations with Dbvisit Replicate version 2.8 on AWS, utilizing KMS, and it works without issue. As stated, this encryption is transparent to the application and does not affect the replication itself. Note that what is protected is the storage path (data at rest on the volume, the instance-to-volume link, and snapshots); EBS encryption says nothing about the network traffic between the Dbvisit source and target hosts, which has to be protected separately.
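As an added check (this script is not part of the Dbvisit documentation or product), the following audits what the text above relies on: that every EBS volume attached to the Replicate EC2 host is encrypted, that the key protecting a volume lives in the volume's own region, and that the RDS instance has storage encryption turned on. It assumes the AWS CLI is installed and configured for the account and region in question; instance and DB identifiers are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added audit script (not Dbvisit's code). Assumes the AWS CLI is installed and
# has credentials for the account/region that hold the Dbvisit Replicate hosts.
# Instance and DB identifiers are placeholders passed on the command line.
set -eu

# Region encoded in a KMS key ARN, e.g. arn:aws:kms:us-east-1:111122223333:key/...
key_region() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Region of an Availability Zone: strip the trailing zone letter (us-east-1a -> us-east-1).
az_region() {
    printf '%s\n' "${1%[a-z]}"
}

# List every EBS volume attached to an EC2 instance as
#   <VolumeId> <Device> <Encrypted> <KmsKeyId>
# and return 1 if any of them is unencrypted.
ec2_volumes_encrypted() {
    vols=$(aws ec2 describe-volumes \
        --filters "Name=attachment.instance-id,Values=$1" \
        --query 'Volumes[].[VolumeId,Attachments[0].Device,Encrypted,KmsKeyId]' \
        --output text)
    printf '%s\n' "$vols"
    # Column 3 is the Encrypted flag; "True" is the only acceptable value.
    printf '%s\n' "$vols" | awk 'NF && $3 != "True" { bad = 1 } END { exit bad + 0 }'
}

# Confirm the key protecting a volume lives in the volume's own region
# (KMS keys are regional; a key from another region cannot be used here).
volume_key_in_same_region() {
    set -- $(aws ec2 describe-volumes --volume-ids "$1" \
        --query 'Volumes[0].[AvailabilityZone,KmsKeyId]' --output text)
    [ "$(az_region "$1")" = "$(key_region "$2")" ]
}

# Print <DBInstanceIdentifier> <StorageEncrypted> <KmsKeyId> for an RDS instance
# and return 1 unless storage encryption is on.
rds_storage_encrypted() {
    db=$(aws rds describe-db-instances --db-instance-identifier "$1" \
        --query 'DBInstances[0].[DBInstanceIdentifier,StorageEncrypted,KmsKeyId]' \
        --output text)
    printf '%s\n' "$db"
    printf '%s\n' "$db" | awk '$2 != "True" { bad = 1 } END { exit bad + 0 }'
}

# Usage: sh kms_audit.sh <ec2-instance-id> <rds-db-instance-identifier>
if [ $# -eq 2 ]; then
    ec2_volumes_encrypted "$1"
    rds_storage_encrypted "$2"
fi
```

The functions return a non-zero status when something is unencrypted, so the script can sit in a pipeline or a scheduled job and fail loudly; the RDS check reports the key ARN as well, since an encrypted instance using the account's default key rather than the one you intended is also worth catching.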
Some additional notes to be aware of when working with KMS:
- KMS keys are region-specific and cannot be shared across regions, so an encrypted snapshot copied to another region has to be re-encrypted with a key that exists in the destination region
- Amazon EBS encryption is not available on all instance types, so please consult the documentation to check whether a particular instance type is
- There is no direct way to encrypt an existing unencrypted volume in place, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes, and you can apply encryption while copying a snapshot of an unencrypted volume: the snapshot copy is where the key is applied, and a volume created from that copy inherits the encryption
- You can create an encrypted boot volume by using the "Copy Image" function on an AMI and selecting encryption for the copy, which lets you specify the KMS master key to use.
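The snapshot-copy route for a data volume, written out as an added example (not Dbvisit's code and not from the page): snapshot the unencrypted volume, copy the snapshot with encryption enabled under the chosen key, create the replacement volume from the encrypted copy, and then confirm that the new volume really reports the intended key. It assumes the AWS CLI with credentials for the region holding the volume; the volume ID, key, region and Availability Zone are placeholders given on the command line.

```shell
#!/bin/sh
# Added example (not Dbvisit's code): re-create an unencrypted EBS data volume as
# a KMS-encrypted one via snapshot -> encrypted snapshot copy -> new volume, then
# verify the result. Assumes the AWS CLI with credentials for the region that
# holds the volume; volume, key, region and AZ are command-line placeholders.
set -eu

# Resolve whatever form of key the caller passed (alias, key ID or ARN) to the
# key ARN, which is what describe-volumes reports back in KmsKeyId.
kms_key_arn() {
    aws kms describe-key --key-id "$1" --query KeyMetadata.Arn --output text
}

# Arguments: <source-volume-id> <kms-key> <region> <availability-zone>
# Prints the new encrypted volume's ID; returns 1 if the final check fails.
encrypt_volume_via_snapshot() {
    src_vol=$1 key=$2 region=$3 az=$4
    want_arn=$(kms_key_arn "$key")

    # 1. Snapshot the unencrypted volume (quiesce the database first, see note below).
    snap=$(aws ec2 create-snapshot --volume-id "$src_vol" \
        --description "unencrypted source snapshot of $src_vol" \
        --query SnapshotId --output text)
    aws ec2 wait snapshot-completed --snapshot-ids "$snap"

    # 2. Copy it with encryption enabled; the copy is where the key is applied.
    #    Same-region copy here; a cross-region copy needs a key in the destination region.
    enc_snap=$(aws ec2 copy-snapshot --source-region "$region" \
        --source-snapshot-id "$snap" --encrypted --kms-key-id "$key" \
        --description "encrypted copy of $snap" \
        --query SnapshotId --output text)
    aws ec2 wait snapshot-completed --snapshot-ids "$enc_snap"

    # 3. Build the replacement volume from the encrypted snapshot. Encryption is
    #    inherited from the snapshot; a volume cannot be encrypted in place.
    new_vol=$(aws ec2 create-volume --snapshot-id "$enc_snap" \
        --availability-zone "$az" --query VolumeId --output text)
    aws ec2 wait volume-available --volume-ids "$new_vol"

    # 4. Verify: Encrypted must be True and the key must be the one we asked for,
    #    not, say, the account's default EBS key.
    set -- $(aws ec2 describe-volumes --volume-ids "$new_vol" \
        --query 'Volumes[0].[Encrypted,KmsKeyId]' --output text)
    if [ "$1" != "True" ] || [ "$2" != "$want_arn" ]; then
        echo "volume $new_vol is not encrypted with $want_arn (got: $1 $2)" >&2
        return 1
    fi
    printf '%s\n' "$new_vol"
}

# Usage: sh encrypt_volume.sh vol-0123456789abcdef0 alias/dbvisit us-east-1 us-east-1a
if [ $# -eq 4 ]; then
    encrypt_volume_via_snapshot "$1" "$2" "$3" "$4"
fi
```

Take the snapshot with the database and the Dbvisit processes stopped (or the volume detached) so that the copy is consistent, then swap the new volume in for the old one; the original unencrypted volume and snapshot still hold plaintext and should be deleted once the replacement is verified. A root volume cannot be swapped this way on a running instance, which is what the AMI "Copy Image" route in the last bullet is for.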