Modify the KMS Config File for KMS

You must perform this procedure only if you want record level encryption; otherwise it is unnecessary.

Baffle Manager automatically creates the KmsConfig.properties file when you specify the values below during enrollment; however, Baffle Manager does not currently support record level deployments, though support is on Baffle's roadmap.

To modify the KmsConfig.properties file, do the following:

1. In the Baffle Shield directory, copy and rename the KmsConfig.awskms.properties file as follows:

cp KmsConfig.awskms.properties KmsConfig.properties

2. Edit the KmsConfig.properties file that you just created, modifying the values as follows:

kmsType=awskms
aws_secret_access_key=AWS_ACCESS_KEY
aws_region=us-west-2
aws_s3_bucket=test-bucket
aws_access_key_id=AWS_KEY_ID
app_namespace=testkeys-
aws_kms_alias=alias/aliasname

app_namespace

Every Baffle Shield associated with an application and a database is identified by this value. It is also used as the prefix for the DEKs, which are stored as files in an S3 bucket.

aws_region

AWS region where the CMK should be created.

aws_s3_bucket

The name of the bucket that holds the encrypted DEKs. This can be an existing bucket; if no bucket with this name exists, Baffle Shield creates one.

aws_access_key_id

aws_secret_access_key

When you create access keys, you create the AWS access key ID and AWS secret access key as a set.

During access key creation, AWS gives you one opportunity to view and download the secret access key part of the access key. If you don't download it or if you lose it, you can delete the access key and then create a new one.

You can create IAM user access keys with the IAM console, AWS CLI, or AWS API. For more information, see the Amazon documentation for Managing Access Keys for IAM Users in the IAM User Guide.

aws_kms_alias

The AWS KMS alias identifier that points to the active CMK in use. You specified this alias when you created the CMK. The value must be of the form alias/yourAlias, and the alias name must not contain spaces. Baffle recommends using baffleMasterKey.

Although this parameter is optional in the AWS Management Console, Baffle Advanced Data Protection requires an alias for integration purposes.


3. Restart Baffle Shield.
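Before restarting Baffle Shield, it is worth checking that the edited file actually satisfies the rules listed above. The script below is an added example (not Baffle's own tooling): it parses a KmsConfig.properties file and reports any of the seven documented keys that are missing, a kmsType other than awskms, an aws_kms_alias that does not start with alias/ or contains spaces, an aws_region that does not look like an AWS region name, and access key values still equal to the template placeholders AWS_KEY_ID and AWS_ACCESS_KEY (treating those two strings as "unedited template" is an assumption based on the sample above). It also checks that the file is not readable by group or others, since it holds the AWS secret access key in clear text. The two sample configurations in the block are constructed for illustration.

```python
"""Sanity-check a Baffle KmsConfig.properties file before restarting Baffle Shield.

Added example, not Baffle's code. Only the keys documented on this page are
checked; the placeholder names are assumed from the template shown above.
"""
import os
import re
import stat

REQUIRED_KEYS = (
    "kmsType", "aws_access_key_id", "aws_secret_access_key",
    "aws_region", "aws_s3_bucket", "app_namespace", "aws_kms_alias",
)
# Values left in the template on this page; assumed to mean "not yet edited".
TEMPLATE_PLACEHOLDERS = {"AWS_ACCESS_KEY", "AWS_KEY_ID"}
AWS_REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")  # e.g. us-west-2

# Constructed sample: a correctly edited file (values are fake).
GOOD_CONFIG = """
kmsType=awskms
aws_secret_access_key=EXAMPLE-SECRET-KEY-VALUE
aws_region=us-west-2
aws_s3_bucket=test-bucket
aws_access_key_id=EXAMPLE-KEY-ID
app_namespace=testkeys-
aws_kms_alias=alias/baffleMasterKey
"""

# Constructed sample: placeholders left in place and a malformed alias.
BAD_CONFIG = """
kmsType=awskms
aws_secret_access_key=AWS_ACCESS_KEY
aws_region=us-west-2
aws_s3_bucket=test-bucket
aws_access_key_id=AWS_KEY_ID
app_namespace=testkeys-
aws_kms_alias=baffle Master Key
"""


def parse_properties(text):
    """Parse Java-style key=value lines; lines starting with '#' or '!' are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # no '=' on the line: not a key/value pair
        cfg[key.strip()] = value.strip()
    return cfg


def validate_kms_config(cfg):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            problems.append(f"missing or empty key: {key}")
    if cfg.get("kmsType") and cfg["kmsType"] != "awskms":
        problems.append("kmsType must be awskms for this procedure")
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if cfg.get(key) in TEMPLATE_PLACEHOLDERS:
            problems.append(f"{key} still holds the template placeholder")
    region = cfg.get("aws_region", "")
    if region and not AWS_REGION_RE.match(region):
        problems.append(f"aws_region does not look like an AWS region: {region!r}")
    alias = cfg.get("aws_kms_alias", "")
    if alias:
        if not alias.startswith("alias/"):
            problems.append("aws_kms_alias must be of the form alias/yourAlias")
        if " " in alias:
            problems.append("aws_kms_alias must not contain spaces")
    return problems


def mode_is_private(mode):
    """True when no group/other permission bits are set (owner-only access)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def file_is_private(path):
    """The file carries the AWS secret access key: it should be owner-only."""
    return mode_is_private(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "KmsConfig.properties"
    with open(path) as fh:
        found = validate_kms_config(parse_properties(fh.read()))
    if not file_is_private(path):
        found.append("file is readable by group or others; restrict it to the owner")
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it from the Baffle Shield directory as `python check_kmsconfig.py KmsConfig.properties`; a non-zero exit with one PROBLEM line per finding means the file needs another pass before step 3.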