Configure a Baffle Shield – AWS AMI

Baffle Shield enforces Data Protection Policies, encrypting the data in the databases that have been configured in Baffle Manager, as described in Connect to a Data Store.

This page walks through configuring an AWS AMI instance on which to run Baffle Shield, then configuring Baffle Shield. You have the additional option of adding multiple Baffle Shields to the same endpoint.

IMPORTANT: The user account used to log in to the Baffle Shield host machine must have a home directory on that system.

Step 1: Configure an AWS AMI Instance for Baffle Shield

In this step, you configure an AWS AMI instance to run a Baffle Shield.

To configure an AMI instance for Baffle Shield, do the following:

  1. In AWS, go to EC2 and launch a new AMI instance with a CentOS 7 operating system and appropriately sized for your environment.
  2. Enter the following bootstrap commands in the Advanced Details section when setting up the instance:
    sudo su
    yum install java-1.8.0-openjdk-devel -y
    yum install mysql -y
    yum install nano -y
    yum install postgresql -y
    yum install unzip -y
    curl "" -o ""


  3. Select the same security groups you used for the Baffle Manager configuration. Ensure the security group for your Baffle Shield allows inbound connections from Baffle Manager (on port 22) and from your own IP address (on port 8444 by default). After you complete the setup process, allow the instance a few minutes to initialize.
  4. Continue with configuring Baffle Shield.

Step 2: Configure Baffle Shield

In this step, you connect Baffle Shield to Baffle Manager and configure Baffle Shield.

To configure a Baffle Shield, do the following:

  1. Go to the Baffle Manager admin interface, and click the shield icon on the left navigation bar. The Baffle Shields window appears.


  2. Click +BAFFLE SHIELD in the upper right corner of the Baffle Shields window.


  3. Enter a Baffle Shield Name and identifying Description in the appropriate text fields.
  4. Select Automated Deployment for Deployment Model and enter the Host Username to access the Baffle Shield EC2 Instance. In our example, we entered centos for the Host Username. NOTE: The user name you enter here must have a home directory on the Baffle Shield host system you are logging into.


  5. Enter the IP Address of the Baffle Shield you just launched. NOTE: If your Shield runs in the same VPC as your Baffle Manager instance, it is recommended that you use the Private IP address here.
  6. Enter a port number that the Baffle Shield will use to listen for application connections. The default port is 8444.
  7. Do one of the following:
    – Select Use SSL if the data store connection uses SSL.
    – Select Use SSH Key and upload the key you selected when setting up the Shield instance. IMPORTANT! NOTE: An SSH pem key must be used to connect to Baffle Shield.
  8. Optional: Enter a username and password to access the Baffle Shield.
  9. Click Add Baffle Shield to complete the process. The new Shield is added to the list of configured Baffle Shields.

    TIP: If the Baffle Manager is unable to connect to the shield, verify that your Shield’s security group permits inbound access from Baffle Manager.

Optional – Add multiple Baffle Shields to the Same Endpoint

Follow these instructions to add multiple Baffle Shields to the same endpoint.

You assign multiple Baffle Shields to a single endpoint through the Baffle Manager admin console. When multiple Baffle Shields are assigned to the same endpoint, each shield must be listening on a different port number. For example, if the first Baffle Shield uses port 8444 (the default), a second Baffle Shield on the same endpoint would need to use port 8445, and so on.

Next Steps:

Continue with the tasks presented in Define a Data Protection Policy and Encrypt Data.

Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.