forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cloudform-om-ebs-config.html.md.erb
50 lines (30 loc) · 2.59 KB
/
cloudform-om-ebs-config.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
---
title: Configuring Amazon EBS Encryption
owner: Ops Manager
---
<strong><%= modified_date %></strong>
[Pivotal Cloud Foundry](https://network.pivotal.io/products/pivotal-cf) (PCF) supports [Amazon Elastic Block Store (EBS) Encryption](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html) for PCF deployments on AWS. Amazon EBS Encryption allows operators to use full disk encryption for all persistent disks on BOSH-deployed VMs. You can use this feature to meet data-at-rest encryption requirements or as a security best practice.
There is no performance penalty for using encrypted EBS volumes. Pivotal advises all users of PCF on AWS to check this box.
## How to Enable EBS Encryption ###
1. Click the **Ops Manager Director** tile.
<%= image_tag("cloudform/om-tile.png") %>
1. Select **AWS Config** to open the **AWS Management Console Config** page.
<%= image_tag("cloudform/aws-config.png") %>
1. Select **Encrypt EBS Volumes**.
<p class="note"><strong>Note</strong>: <strong>Encrypt EBS Volumes</strong> is a global setting. When selected, <strong>Encrypt EBS Volumes</strong> enables encryption on all VMs deployed by BOSH for all product tiles.</p>
1. Click **Save**, and then return to the **Installation Dashboard**.
1. In Ops Manager, click **Apply Changes** and review any reported errors. The following error message lists jobs that cannot be encrypted due to unsupported instance types.
<%= image_tag("cloudform/encrypt-ebs-errors.png") %>
If you find a job that should be encrypted in the error list, modify the instance type for that job in the **Resource Config** page of the Pivotal Application Service (PAS). Select an instance type that supports encryption. Pivotal recommends using <code>t2.large</code>.
1. After you make your changes in PAS, return to Ops Manager and click **Apply Changes**.
<p class="note warning"><strong>WARNING</strong>: After you enable or disable <strong>Encrypt EBS Volumes</strong> and click <strong>Apply Changes</strong>, Ops Manager recreates all existing persistent VM disks.</p>
## Limitations ##
Using EBS Encryption is subject to the following limitations:
* Ops Manager is not encrypted.
* PCF does not support Amazon EBS Encryption for the following AWS instance types:
* <code>t2.micro</code>
* <code>t2.small</code>
* <code>t2.medium</code>
<p class="note"><strong>Note</strong>: PCF will remove this limitation in a future release.</p>
* Ephemeral disks are not encrypted. The **Encrypt EBS Volumes** checkbox applies only to persistent disks.
* Compilation worker VMs are not encrypted because they do not have persistent disks.