Configure a Baffle Shield – AWS AMI

Baffle Shield enforces Data Protection Policies, encrypting the data in the databases that have been configured in Baffle Manager, as described in Connect to a Data Store.

This page walks through configuring an AWS AMI instance on which to run Baffle Shield, then configuring Baffle Shield. You have the additional option of adding multiple Baffle Shields to the same endpoint.

IMPORTANT: The user account used to log in to the Baffle Shield host machine must have a home directory on that system.

Step 1: Configure an AWS AMI Instance for Baffle Shield

In this step, you configure an AWS AMI instance to run a Baffle Shield.

To configure an AMI instance for Baffle Shield, do the following:

  1. In AWS, go to EC2 and launch a new AMI instance with a CentOS 7 operating system and appropriately sized for your environment.
  2. Select the same VPC that as your Baffle Manager.
  3. Enter the following bootstrap commands in the Advanced Details section when setting up the instance:
    sudo su
    yum install java-1.8.0-openjdk-devel -y
    yum install mysql -y
    yum install nano -y
    yum install postgresql -y
    yum install unzip -y
    curl "" -o ""


  4. Select the same security groups you used for the Baffle Manager configuration. Ensure the security group for your Baffle Shield allows inbound connections from Baffle Manager (on port 22) and from your own IP address (on port 8444 by default). After you complete the setup process, allow the instance a few minutes to initialize.
  5. Continue with configuring Baffle Shield.

Step 2: Configure Baffle Shield

In this step, you connect Baffle Shield to Baffle Manager and configure Baffle Shield.

NOTE: A Baffle Shield can only be enrolled with one application.

To configure a Baffle Shield, do the following:

  1. Go to the Baffle Manager admin interface, and click the shield icon on the left navigation bar. The Baffle Shields window appears.


  2. Click +BAFFLE SHIELD in the upper right corner of the Baffle Shields window.


  3. Enter a Baffle Shield Name and identifying Description in the appropriate text fields.
  4. Enter the Host Username to access the Baffle Shield EC2 Instance. In our example, we entered centos for the Host Username. 


  5. Enter the IP Address of the Baffle Shield you just launched. NOTE: If your Shield runs in the same VPC as your Baffle Manager instance, it is recommended that you use the Private IP address here.
  6. Specify a temporary directory for Shield installation. By default, the path is /tmp. This directory will store temporary files during the installation process, and is automatically cleaned up afterwards. NOTE: this directory must have execute permissions in order to install Baffle Shield.
  7. Enter a port number on which Baffle Shield can use to listen for application connections. The default port is 8444.
  8. Check the appropriate box based on your intended deployment configuration:
    Use SSL: Check this box if you require the use of SSL for the connection between the application and the data store. The data store must already be configured for SSL. After selecting, also choose whether to have Baffle Manager generate a self-signed certificate for Baffle Shield or upload your own certificate.
    Use SSH Key: Check this box if you would like Baffle Manager to use a SSH key instead of password credentials to authenticate to the Baffle Shield machine for deployment. Also choose to upload a new key or select a previously uploaded key to use. IMPORTANT! NOTE: The SSH key must be in the .pem format.
  9. Optional: Enter a username and password to access the Baffle Shield.
  10. Click Add Baffle Shield to complete the process. The new Shield is added to the list of configured Baffle Shields.

    TIP: If the Baffle Manager is unable to connect to the shield, verify that your Shield’s security group permits inbound access from Baffle Manager.

Optional – Add multiple Baffle Shields to the Same Endpoint

Follow these instructions to add multiple Baffle Shields to the same endpoint.

You assign multiple Baffle Shields to a single endpoint through the Baffle Manager admin console. When multiple Baffle Shields are assigned to the same endpoint, each shield must be listening on a different port number. For example, if the first Baffle Shield uses port 8444 (the default), a second Baffle Shield on the same endpoint would need to use port 8445, and so on.

Next Steps:

Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.