Configuring Amazon EBS Encryption
Page last updated:
Pivotal Cloud Foundry (PCF) supports Amazon Elastic Block Store (EBS) Encryption for PCF deployments on AWS. Amazon EBS Encryption allows operators to use full disk encryption for all persistent disks on BOSH-deployed VMs. You can use this feature to meet data-at-rest encryption requirements or as a security best practice.
There is no performance penalty for using encrypted EBS volumes. Pivotal advises all users of PCF on AWS to check this box.
How to Enable EBS Encryption
Click the Ops Manager Director tile.
Select AWS Config to open the AWS Management Console Config page.
Select Encrypt EBS Volumes.
Note: Encrypt EBS Volumes is a global setting. When selected, Encrypt EBS Volumes enables encryption on all VMs deployed by BOSH for all product tiles.
Click Save, and then return to the Installation Dashboard.
In Op Manager, click Apply Changes and review any reported errors. The following error message lists jobs that cannot be encrypted due to unsupported instance types.
If you find a job that should be encrypted in the error list, modify the instance type for that job in the Resource Config page of the Elastic Runtime. Select an instance type that supports encryption. Pivotal recommends using
After you make your changes in Elastic Runtime, return to Ops Manager and click Apply Changes.
The next BOSH deploy encrypts all persistent disks on all BOSH-deployed VMs. If you have already deployed VMs with unencrypted EBS volumes, BOSH copies over all the data on those unencrypted EBS volumes to new encrypted volumes and discards the old volumes.
If you deselect Encrypt EBS Volumes later and then redeploy, BOSH overwrites all EBS volumes with unencrypted volumes.
Using EBS Encryption is subject to the following limitations:
- Ops Manager is not encrypted.
- PCF does not support Amazon EBS Encryption for the following AWS instance types:
Note: PCF will remove this limitation in a future release.
- Ephemeral disks are not encrypted. The Encrypt EBS Volumes checkbox applies only to persistent disks.
- Compilation worker VMs are not encrypted because they do not have persistent disks.