AWS Key Management Service (KMS)
Key Management Service (KMS) is a managed service for creating and controlling the encryption keys used to protect your data. It is integrated with a number of AWS offerings, including Elastic Block Store (EBS) and Relational Database Service (RDS); these are the services relevant when working with Dbvisit Replicate.
You can find comprehensive detail in the following AWS documentation:
New EBS Encryption for Additional Data Protection
Amazon EBS Encryption
The important point from that documentation is this:
When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
Data at rest inside the volume
All data moving between the volume and the instance
All snapshots created from the volume
The encryption occurs on the servers that host EC2 instances, providing encryption of data-in-transit from EC2 instances to EBS storage.
When you create an EC2 instance with an EBS volume attached, the volume can be encrypted with a KMS key; when you select encryption as an option for RDS, AWS enables KMS encryption on the EBS storage it creates for that database. In either case:
You can access encrypted volumes the same way that you access existing volumes; encryption and decryption are handled transparently and they require no additional action from you, your EC2 instance, or your application.
We have tested both the EC2 and RDS configurations with Dbvisit Replicate version 2.8 on AWS, utilizing KMS, and it works without issue. As stated, this encryption is transparent to the application and does not affect the replication itself.
Some additional notes to be aware of when working with KMS:
KMS keys are region-specific and cannot be shared across regions; to use an encrypted snapshot or AMI in another region, copy it there and re-encrypt it with a key that exists in the destination region
Amazon EBS encryption is not available on all instance types, so please consult the documentation to check whether a particular instance type is
There is no direct way to encrypt an existing unencrypted volume, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes, and you can apply encryption while copying a snapshot of an unencrypted volume, then create a new, encrypted volume from that copy
You can create an encrypted boot volume by using the "Copy Image" function for an AMI, which lets you select encryption and specify the master key to use. For more see here.
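Because the encryption is transparent to the application, nothing in Dbvisit Replicate itself will tell you whether a volume is actually encrypted or which key protects it; that has to be checked against the AWS APIs. The following Python script is an added example, not part of the original article or of Dbvisit's code. It audits the EC2 volumes, snapshots and RDS instances for encryption with an expected KMS key, and it implements the snapshot-copy route described above for encrypting an existing unencrypted volume. The key ARN, resource IDs and sample API responses are invented for illustration; the live helpers use boto3's standard EC2 and RDS clients and need credentials, while the audit functions run offline on plain dicts.

```python
"""Audit and remediate EBS/RDS encryption at rest (example code, not Dbvisit's).

The audit functions operate on the plain dicts returned by boto3's
describe_volumes / describe_snapshots / describe_db_instances, so they can be
exercised offline on the constructed sample responses below. The live helpers
at the bottom need boto3 plus AWS credentials and are never called on import.
"""
try:
    import boto3  # only the live helpers need it
except ImportError:  # offline use: the audit logic below is pure Python
    boto3 = None

# Assumed customer-managed key ARN, invented for illustration; substitute your own.
EXPECTED_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"


def audit(resources, id_field, encrypted_field, expected_key=None):
    """Return (id, reason) for resources that are unencrypted or use an unexpected key.

    resources       : the list under 'Volumes', 'Snapshots' or 'DBInstances'
    id_field        : 'VolumeId', 'SnapshotId' or 'DBInstanceIdentifier'
    encrypted_field : 'Encrypted' (EC2) or 'StorageEncrypted' (RDS)
    expected_key    : KMS key ARN the data must be protected with, or None to
                      accept any key (including the AWS-managed aws/ebs key)
    """
    findings = []
    for r in resources:
        rid = r[id_field]
        if not r.get(encrypted_field, False):
            findings.append((rid, "unencrypted"))
        elif expected_key and r.get("KmsKeyId") != expected_key:
            findings.append((rid, "wrong key: %s" % r.get("KmsKeyId")))
    return findings


def audit_volumes(resp, expected_key=None):
    return audit(resp["Volumes"], "VolumeId", "Encrypted", expected_key)


def audit_snapshots(resp, expected_key=None):
    return audit(resp["Snapshots"], "SnapshotId", "Encrypted", expected_key)


def audit_rds(resp, expected_key=None):
    return audit(resp["DBInstances"], "DBInstanceIdentifier", "StorageEncrypted", expected_key)


# Constructed sample responses: the shape of the real API, with invented values.
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": EXPECTED_KEY},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-0000-0000-0000-000000000000"},
]}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "source-db", "StorageEncrypted": True, "KmsKeyId": EXPECTED_KEY},
    {"DBInstanceIdentifier": "target-db", "StorageEncrypted": False},
]}


def encrypt_existing_volume(ec2, volume_id, kms_key_id, availability_zone):
    """Produce an encrypted copy of an unencrypted volume (live; needs boto3).

    There is no in-place toggle, so: snapshot -> copy the snapshot with
    Encrypted=True and the target key -> create a new volume from the copy.
    Returns the new volume ID; detaching the old volume and attaching the new
    one is left to the caller, since that needs a quiet database.
    """
    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description="pre-encryption copy of %s" % volume_id)
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])
    # Encryption is applied at copy time; the key must exist in the destination region.
    enc = ec2.copy_snapshot(SourceSnapshotId=snap["SnapshotId"],
                            SourceRegion=ec2.meta.region_name,
                            Encrypted=True, KmsKeyId=kms_key_id)
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc["SnapshotId"]])
    vol = ec2.create_volume(SnapshotId=enc["SnapshotId"],
                            AvailabilityZone=availability_zone)
    ec2.get_waiter("volume_available").wait(VolumeIds=[vol["VolumeId"]])
    return vol["VolumeId"]


def live_audit(region, expected_key=EXPECTED_KEY):
    """Run the audit against a real account (needs boto3 and credentials).

    Accounts with many resources should paginate these describe_* calls.
    """
    ec2 = boto3.client("ec2", region_name=region)
    rds = boto3.client("rds", region_name=region)
    return {
        "volumes": audit_volumes(ec2.describe_volumes(), expected_key),
        "snapshots": audit_snapshots(ec2.describe_snapshots(OwnerIds=["self"]), expected_key),
        "rds": audit_rds(rds.describe_db_instances(), expected_key),
    }


if __name__ == "__main__":
    for rid, why in audit_volumes(SAMPLE_VOLUMES, EXPECTED_KEY) + audit_rds(SAMPLE_RDS, EXPECTED_KEY):
        print(rid, why)
```

Passing `expected_key=None` only flags unencrypted storage; passing the ARN of your own key also catches volumes that were encrypted with the default AWS-managed `aws/ebs` key or with a key from the wrong account, which the console's "Encrypted: yes" flag alone would not reveal.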