Configuring Amazon EBS Encryption

Pivotal Cloud Foundry (PCF) supports Amazon Elastic Block Store (EBS) encryption for PCF deployments on AWS. You can use this feature to meet data-at-rest encryption requirements or as a security best practice. This feature uses AWS Key Management Service (KMS).

Note: Enabling EBS encryption only encrypts Linux VMs. The Windows VMs deployed with Pivotal Application Service (PAS) for Windows are not encrypted.

By following the procedures in this topic, you can use full disk encryption for all persistent disks on the following VMs:

  • BOSH and all present and future VMs
  • The Ops Manager VM

There is no performance penalty for using encrypted EBS volumes. Pivotal advises all users of PCF on AWS to enable encryption.

Note: Before you enable EBS encryption with KMS, you may need to update your AWS policy. For more information, see Add Additional AWS Policies.

Enable Encryption for BOSH

To enable EBS encryption, do the following:

  1. Click the BOSH Director tile.

  2. Select AWS Config to open the AWS Management Console Config pane.

  3. Select Encrypt Linux EBS Volumes.

    Note: Encrypt Linux EBS Volumes is a global setting. When selected, Encrypt Linux EBS Volumes enables encryption on all Linux VMs deployed by BOSH for all product tiles. Windows VMs are not encrypted.

  4. (Optional) Enter a Custom Encryption Key. You can create an encryption key in the IAM section of your AWS Management Console. Look for the Amazon Resource Name (ARN) and copy that value. The ARN should look similar to the following:

    arn:aws:kms:us-east-1:123456789012:key/12345678-9012-3456-7890-123456789012

    If you leave the field empty, the encryption key will default to the Amazon account key. For more information about creating your own encryption key, see Creating Keys and Viewing Keys in the AWS documentation.

    Note: AWS rotates your KMS key automatically each year. For more information, see Rotating Customer Master Keys in the AWS documentation.

  5. Click Save.

  6. (Optional) Ignore this series of steps if you are making your first deployment. Otherwise, you need to reset your VMs so that they can encrypt Linux EBS volumes. Complete the following steps to encrypt all current BOSH and BOSH-deployed VMs:

    Note: If you need help with the following advanced steps, contact Pivotal Support.

    1. Encrypt the BOSH Director VM.
      1. SSH into the Ops Manager VM with the BOSH CLI. For more information about SSHing with BOSH, see BOSH SSH in the Advanced Troubleshooting with the BOSH CLI topic.
      2. Go to the /var/tempest/workspaces/default/deployments directory in the SSHed Ops Manager VM.
      3. Back up your bosh-state.json file elsewhere in case you want to restore the file.
      4. Edit bosh-state.json to remove current_stemcell_id and stemcells values. For example, enter "current_stemcell_id": "" and "stemcells": [].
    2. Encrypt BOSH-created VMs.

      1. Enter the bosh stemcells and bosh deployments commands into the command line. Record the stemcell names that BOSH-deployed VMs are using.
      2. Go to the /var/tempest/stemcells directory in the SSHed Ops Manager VM.
      3. Enter the bosh upload stemcell STEMCELL_NAME --fix command into the command line for each stemcell to force the BOSH Director to encrypt the stemcells and re-upload them.
    3. Reset Persistent Disks and Recreate VMs.
      1. Select the Director Config pane.
      2. Enable Recreate All VMs.
      3. Enable Recreate All Persistent Disks.
      4. Click Save.

  7. Return to the Installation Dashboard.

  8. In Ops Manager, click Review Pending Changes, then Apply Changes and review any reported errors. The following error message lists jobs that cannot be encrypted due to unsupported instance types.

    [Screenshot: EBS encryption error message listing jobs with unsupported instance types]

    If you find a job that should be encrypted in the error list, modify the instance type for that job in the Resource Config page of the Pivotal Application Service (PAS). Select an instance type that supports encryption. Pivotal recommends using t2.large.

  9. After you make your changes in PAS, return to Ops Manager and click Review Pending Changes, then Apply Changes.

WARNING: After you enable or disable Encrypt Linux EBS Volumes and click Review Pending Changes, then Apply Changes, Ops Manager recreates all existing persistent VM disks.
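After Apply Changes completes, you will want to confirm that every BOSH-managed volume was actually encrypted, and with the intended key rather than the default account key. The following added example, which is not part of the Pivotal documentation, validates the Custom Encryption Key ARN format from step 4 and audits the JSON printed by `aws ec2 describe-volumes`; the volume records are constructed sample data, and the `job` tag name used to label each volume is an assumption.

```python
import json
import re

# Shape of the Custom Encryption Key value from step 4: region, 12-digit account, key UUID.
KMS_KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Constructed sample of `aws ec2 describe-volumes --output json`; the "job" tag
# naming is an assumption about how BOSH labels the disks it creates on AWS.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0a1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-9012-3456-7890-123456789012",
     "Tags": [{"Key": "job", "Value": "diego_cell"}]},
    {"VolumeId": "vol-0b2", "Encrypted": False,
     "Tags": [{"Key": "job", "Value": "database"}]},
    {"VolumeId": "vol-0c3", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     "Tags": [{"Key": "job", "Value": "bosh"}]},
]})


def valid_kms_key_arn(arn: str) -> bool:
    """True if arn has the shape Ops Manager expects in the Custom Encryption Key field."""
    return bool(KMS_KEY_ARN_RE.match(arn))


def audit_volumes(describe_volumes_json: str, expected_key_arn: str) -> dict:
    """Sort volumes into 'unencrypted', 'wrong_key' (encrypted with a key other than
    the configured one, e.g. the default account key) and 'ok', labelled 'VolumeId (job)'."""
    if not valid_kms_key_arn(expected_key_arn):
        raise ValueError(f"not a KMS key ARN: {expected_key_arn}")
    findings = {"unencrypted": [], "wrong_key": [], "ok": []}
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        label = f"{vol['VolumeId']} ({tags.get('job', 'untagged')})"
        if not vol.get("Encrypted"):
            findings["unencrypted"].append(label)
        elif vol.get("KmsKeyId") != expected_key_arn:
            findings["wrong_key"].append(label)
        else:
            findings["ok"].append(label)
    return findings


if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:123456789012:key/12345678-9012-3456-7890-123456789012"
    for status, vols in audit_volumes(SAMPLE_DESCRIBE_VOLUMES, key).items():
        print(f"{status}: {vols}")
```

Against a real deployment, save `aws ec2 describe-volumes --output json` to a file and pass its contents to audit_volumes together with the ARN you entered in step 4; any job listed under unencrypted is a candidate for the instance-type change described in step 8.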

Enable Encryption for Ops Manager

To encrypt the Ops Manager VM, you must manually re-launch Ops Manager with a new Amazon Machine Image (AMI). See Step 12: Launch an Ops Manager AMI in Manually Installing PCF on AWS.
