When a cluster is created with TDE enabled, the key's access policy must be updated to grant that cluster's identity access to the key; this is done once for each cluster. This article outlines the steps required to enable TDE in the EDB Cloud Console using a key in AWS KMS, GCP Key Management or Azure Key Vault.
AWS KMS keys - BYOA and EHCS
AWS Console
1. Go to your AWS account and switch to the related region.
2. Create a key in AWS KMS.
EDB Cloud Console
1. Go to the project in EDB Cloud Console: Settings → Security → Add a key.
2. Select AWS, fill in the ARN of the key you created in the AWS console, and optionally enter a friendly name for the key.
3. Create a cluster and enable TDE in the Additional Settings tab. Note the restrictions documented here.
4. After a few minutes, the cluster status will change to Waiting for TDE key to get reachable.
5. Go to the cluster page, where you will see Action Required.
AWS Console
1. Go to your AWS KMS key page, edit the key policy, and add the statement shown in the provided instructions to the policy's Statement array. Keep the existing statements (in particular the one that grants the account root kms:* rights), otherwise you can lose administrative access to the key. The statement has the following shape; the principal is the role ARN printed for your cluster, and "Resource": "*" in a key policy refers to this key only:
    {
        "Sid": "Allow use of the key for the cluster",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::988233786771:role/ba-xxxx-us-east-1-p-xxxx"
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt"
        ],
        "Resource": "*"
    }
2. Return to the cluster page; the cluster creation should continue accordingly.
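The key-policy edit above is the step most often done wrong: replacing the whole policy with the single EDB statement locks administrators out of the key, and a second TDE cluster needs a second role added. The following script is an added example (not EDB's code) that merges the console's statement into an existing key policy document without dropping what is already there, accumulates additional cluster roles in the same statement, and checks the result before it is uploaded. The existing policy is a constructed sample mirroring the default policy AWS generates for a new key (the account ID 111122223333 is a placeholder); the role ARN is the placeholder from the page. Fetch and apply the policy with the real AWS CLI commands named in the docstring.

```python
"""Merge the EDB-supplied statement into an existing AWS KMS key policy.

Added example, not EDB's code. Get the current policy and apply the merged
one with:
    aws kms get-key-policy --key-id <key-id> --policy-name default --output text > policy.json
    aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://merged.json
"""
import copy
import json

# Fixed parts of the statement shown by the EDB Cloud Console.
EDB_SID = "Allow use of the key for the cluster"
EDB_ACTIONS = ["kms:Encrypt", "kms:Decrypt"]

# Constructed sample: the default key policy AWS creates for a new key.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def edb_statement(role_arn: str) -> dict:
    """Build the statement the console asks you to add, for one cluster role."""
    return {
        "Sid": EDB_SID,
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(EDB_ACTIONS),
        # In a key policy, "*" means this key only, not every key in the account.
        "Resource": "*",
    }


def _statements(policy: dict) -> list:
    """IAM allows Statement to be a single object; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def merge_policy(policy: dict, role_arn: str) -> dict:
    """Return a copy of `policy` that also grants Encrypt/Decrypt to role_arn.

    Each TDE cluster has its own role, so repeated runs for several clusters
    add principals to the one EDB statement instead of duplicating its Sid
    (Sids must be unique within a policy). The input is not modified.
    """
    merged = copy.deepcopy(policy)
    stmts = _statements(merged)
    merged["Statement"] = stmts
    for s in stmts:
        if s.get("Sid") == EDB_SID:
            principals = s["Principal"]["AWS"]
            if isinstance(principals, str):
                principals = [principals]
            if role_arn not in principals:
                principals.append(role_arn)
            s["Principal"]["AWS"] = principals
            return merged
    stmts.append(edb_statement(role_arn))
    return merged


def allowed_actions(policy: dict, principal_arn: str) -> set:
    """Actions explicitly allowed to principal_arn by Allow statements with an
    AWS principal. No Deny or Condition evaluation: this is a sanity check
    on the merge, not a policy simulator."""
    actions = set()
    for s in _statements(policy):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        members = ["*"] if principal == "*" else principal.get("AWS", [])
        if isinstance(members, str):
            members = [members]
        if principal_arn in members or "*" in members:
            acts = s.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions


if __name__ == "__main__":
    # Placeholder role ARN as printed by the console's Action Required panel.
    role = "arn:aws:iam::988233786771:role/ba-xxxx-us-east-1-p-xxxx"
    merged = merge_policy(EXISTING_POLICY, role)
    assert allowed_actions(merged, role) >= set(EDB_ACTIONS)
    print(json.dumps(merged, indent=2))
```

Run it once per cluster with that cluster's role ARN; the root statement survives each merge and the checker confirms the role ends up with exactly kms:Encrypt and kms:Decrypt before you call put-key-policy.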
GCP Key Management - BYOA and EHCS
GCP Console
1. Go to your GCP account.
2. Create a key ring and a key in GCP Key Management.
EDB Cloud Console
1. Go to the project in EDB Cloud Console: Settings → Security → Add a key.
2. Select Google Cloud.
3. New keys are global by default; if you need a key for a specific region, select Region Specific.
4. Fill in the Google Project ID, Key Name and Key Ring Name, and optionally enter a friendly name for the key.
5. Create a cluster and enable TDE in the Additional Settings tab. Note the restrictions documented here.
6. After a few minutes, the cluster status will change to Waiting for TDE key to get reachable.
7. Go to the cluster page, where you will see Action Required.
GCP Console
1. Go to your GCP KMS key -> PERMISSIONS -> GRANT ACCESS, and grant the key permissions to the principal named in the provided instructions.
2. Return to the cluster page; the cluster creation should continue accordingly.
Azure Key Vault - BYOA
Create Key Vault and Key in Azure Portal
1. Go to your Azure Portal.
2. Create a key vault in the region, selecting Vault access policy as the permission model.
3. Create a key in the KeyVault.
4. In the key vault's network settings, make sure the EDB virtual network is added:
    - Virtual Network: vnet-<region>
    - Resource Group: <projectid>-rg-<region>-management-xxxxx
    - Subnet: AksSubnet
Add a key in EDB Cloud Console
1. Go to the project in EDB Cloud Console: Settings → Security → Add a key.
2. Select Azure Cloud.
3. Select the region.
4. Fill in Key Vault name, Key Name and Key Version, and optionally enter a friendly name for the key.
The key version is shown in the Azure Portal under Key vault -> Keys; click the key name to open the key page, which lists the versions.
Create a cluster with the key
1. Create a cluster and enable TDE in the Additional Settings tab. Note the restrictions documented here.
2. After a few minutes, the cluster status will change to Waiting for TDE key to get reachable.
3. Go to the cluster page, where you will see Action Required.
Add access policy in Azure Portal
1. Go to your Azure Key Vault -> Access policies -> Create, and grant Encrypt and Decrypt permissions to the workload identity named in the provided instructions.
2. Return to the cluster page; the cluster creation should continue accordingly.
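Both the GCP form (Project ID, Key Ring Name, Key Name, global or Region Specific) and the Azure form (Key Vault name, Key Name, Key Version) ask for fields that are really parts of one identifier the cloud CLIs already print, and a mistyped key version or wrong region choice leaves the cluster stuck at Waiting for TDE key to get reachable. The following script is an added example (not EDB's code) that parses the documented GCP crypto-key resource name and the Azure key identifier URL into exactly those form fields, rejecting an Azure identifier that omits the version. The sample identifiers are constructed; the CLI commands in the docstring are the real ones that print them.

```python
"""Derive EDB Cloud Console form fields from cloud key identifiers.

Added example, not EDB's code. The identifiers come from:
    gcloud kms keys list --keyring <ring> --location <loc> --format='value(name)'
    az keyvault key show --vault-name <vault> --name <key> --query key.kid -o tsv
"""
import re
from urllib.parse import urlparse

# Documented GCP resource-name format for a crypto key.
GCP_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)
# Azure key versions are 32 lowercase hex characters.
AZURE_VERSION_RE = re.compile(r"^[0-9a-f]{32}$")


def gcp_form_fields(resource_name: str) -> dict:
    """Map a GCP crypto key resource name to the 'Google Cloud' form.

    A key ring in location 'global' is entered as a global key; any other
    location means select 'Region Specific' and enter that location.
    """
    m = GCP_KEY_RE.match(resource_name)
    if not m:
        raise ValueError(f"not a cryptoKey resource name: {resource_name}")
    location = m["location"]
    return {
        "project_id": m["project"],
        "key_ring_name": m["ring"],
        "key_name": m["key"],
        "region_specific": location != "global",
        "region": None if location == "global" else location,
    }


def azure_form_fields(key_id: str) -> dict:
    """Map an Azure key identifier, https://<vault>.vault.<cloud-suffix>/keys/<name>/<version>,
    to the 'Azure' form. The console needs a specific version, so an
    identifier without one is rejected rather than defaulting to 'latest'.
    """
    u = urlparse(key_id)
    host_parts = u.hostname.split(".") if u.hostname else []
    path_parts = [p for p in u.path.split("/") if p]
    # Second host label is 'vault' in every Azure cloud (azure.net, azure.cn, usgovcloudapi.net).
    if u.scheme != "https" or len(host_parts) < 3 or host_parts[1] != "vault":
        raise ValueError(f"not a Key Vault key identifier: {key_id}")
    if len(path_parts) != 3 or path_parts[0] != "keys":
        raise ValueError(f"key identifier must include the key version: {key_id}")
    version = path_parts[2]
    if not AZURE_VERSION_RE.match(version):
        raise ValueError(f"unexpected key version format: {version}")
    return {
        "key_vault_name": host_parts[0],
        "key_name": path_parts[1],
        "key_version": version,
    }


if __name__ == "__main__":
    # Constructed sample identifiers.
    print(gcp_form_fields("projects/my-proj/locations/us-east1/keyRings/edb-ring/cryptoKeys/tde-key"))
    print(gcp_form_fields("projects/my-proj/locations/global/keyRings/edb-ring/cryptoKeys/tde-key"))
    print(azure_form_fields(
        "https://edb-kv.vault.azure.net/keys/tde-key/0123456789abcdef0123456789abcdef"))
```

For GCP, copy the region the parser returns into the Region Specific field and check it is the region you intend to create the cluster in; for Azure, the vault must likewise be in the region you select in the console, which the identifier does not encode, so verify that separately in the portal.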