forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcloudform-om-ebs-config.html.md.erb
52 lines (31 loc) · 2.76 KB
/
cloudform-om-ebs-config.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
---
title: Configuring Amazon EBS Encryption
owner: Ops Manager
---
<strong><%= modified_date %></strong>
[Pivotal Cloud Foundry®](https://network.pivotal.io/products/pivotal-cf) (PCF) supports [Amazon Elastic Block Store (EBS) Encryption](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html) for PCF deployments on AWS. Amazon EBS Encryption allows operators to use full disk encryption for all persistent disks on BOSH-deployed VMs. You can use this feature to meet data-at-rest encryption requirements or as a security best practice.
There is no performance penalty for using encrypted EBS volumes. Pivotal advises all users of PCF on AWS to check this box.
## How to Enable EBS Encryption ###
1. Click the **Ops Manager Director** tile.
<%= image_tag("cloudform/om-tile.png") %>
1. Select **AWS Config** to open the **AWS Management Console Config** page.
<%= image_tag("cloudform/aws-config.png") %>
1. Select **Encrypt EBS Volumes**.
<p class="note"><strong>Note</strong>: <strong>Encrypt EBS Volumes</strong> is a global setting. When selected, <strong>Encrypt EBS Volumes</strong> enables encryption on all VMs deployed by BOSH for all product tiles.</p>
1. Click **Save**, and then return to the **Installation Dashboard**.
1. In Op Manager, click **Apply Changes** and review any reported errors. The following error message lists jobs that cannot be encrypted due to unsupported instance types.
<%= image_tag("cloudform/encrypt-ebs-errors.png") %>
If you find a job that should be encrypted in the error list, modify the instance type for that job in the **Resource Config** page of the Elastic Runtime. Select an instance type that supports encryption. Pivotal recommends using <code>t2.large</code>.
1. After you make your changes in Elastic Runtime, return to Ops Manager and click **Apply Changes**.
The next BOSH deploy encrypts all persistent disks on all BOSH-deployed VMs. If you have already deployed VMs with unencrypted EBS volumes, BOSH copies over all the data on those unencrypted EBS volumes to new encrypted volumes and discards the old volumes.
If you deselect **Encrypt EBS Volumes** later and then redeploy, BOSH overwrites all EBS volumes with unencrypted volumes.
## Limitations ##
Using EBS Encryption is subject to the following limitations:
* Ops Manager and Director VMs are not encrypted.
* PCF does not support Amazon EBS Encryption for the following AWS instance types:
* <code>t2.micro</code>
* <code>t2.small</code>
* <code>t2.medium</code>
<p class="note"><strong>Note</strong>: PCF will remove this limitation in a future release.</p>
* Ephemeral disks are not encrypted. The **Encrypt EBS Volumes** checkbox applies only to persistent disks.
* Compilation worker VMs are not encrypted because they do not have persistent disks.