Modify the KMS Config File for KMS

Perform this procedure only if you want record-level encryption. Otherwise, this procedure is unnecessary: Baffle Manager automatically creates the file when you specify the values below during enrollment. However, Baffle Manager doesn't currently support record-level deployments, though support is on Baffle's roadmap.

To modify the file, do the following:

1. In the Baffle Shield directory, copy and rename the file as follows:


2. Edit the file that you just created, modifying the values as follows:









This value identifies every Baffle Shield associated with an application and a database. It is also used as a prefix for the DEKs, which are stored as files in an S3 bucket.


The AWS region where the CMK should be created.


The name of the bucket that will hold the encrypted DEKs. This can be an existing bucket that you already have. If the bucket is not present, Baffle Shield creates a new one.



When you create access keys, you create the AWS access key ID and AWS secret access key as a set.

During access key creation, AWS gives you one opportunity to view and download the secret access key part of the access key. If you don't download it or if you lose it, you can delete the access key and then create a new one.

You can create IAM user access keys with the IAM console, AWS CLI, or AWS API. For more information, see the Amazon documentation for Managing Access Keys for IAM Users in the IAM User Guide.


The AWS KMS alias identifier points to the active CMK being used. You specified this alias when you created the CMK. The value should be of the format alias/yourAlias. Do not use spaces in your alias name. Baffle recommends using baffleMasterKey.

Although this parameter is optional in AWS Management Console, Baffle Advanced Data Protection requires an alias for integration purposes.


3. Restart Baffle Shield.
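
Before the restart in step 3, the AWS values entered in step 2 can be checked against the account. The script below is an added example, not part of Baffle's documentation or tooling: the function names and argument order are assumptions, the alias character rule is the one AWS KMS applies, and it assumes the AWS CLI is installed with the access key pair exported as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

```shell
#!/bin/sh
# Added example: pre-flight check of the AWS values before restarting Baffle Shield.
# Function names and arguments are assumptions, not Baffle parameter names.

# Return 0 if the alias has the form alias/yourAlias and is acceptable to AWS KMS.
valid_kms_alias() {
  local alias="$1"
  local LC_ALL=C                      # make the A-Z / a-z ranges below byte-exact
  case "$alias" in
    alias/aws/*) return 1 ;;          # prefix reserved for AWS managed keys
    alias/?*) ;;                      # required form: alias/<name>
    *) return 1 ;;
  esac
  [ "${#alias}" -le 256 ] || return 1
  # KMS alias names allow only letters, digits, '/', '_' and '-', so no spaces.
  case "${alias#alias/}" in
    *[!A-Za-z0-9/_-]*) return 1 ;;
  esac
  return 0
}

# preflight REGION BUCKET ALIAS: check credentials, CMK alias and bucket.
preflight() {
  local region="$1" bucket="$2" alias="$3" state
  valid_kms_alias "$alias" || { echo "bad alias format: '$alias'" >&2; return 2; }
  # The access key ID and secret access key must be accepted as a set.
  aws sts get-caller-identity --query Arn --output text >/dev/null ||
    { echo "access key pair rejected by AWS" >&2; return 3; }
  # The alias must resolve to a CMK in the configured region, and the key must be usable.
  state=$(aws kms describe-key --key-id "$alias" --region "$region" \
            --query KeyMetadata.KeyState --output text) ||
    { echo "alias $alias does not resolve in $region" >&2; return 4; }
  [ "$state" = "Enabled" ] || { echo "CMK behind $alias is $state" >&2; return 5; }
  # A missing bucket is not fatal: Baffle Shield creates it if it is not present.
  if aws s3api head-bucket --bucket "$bucket" 2>/dev/null; then
    echo "bucket $bucket exists and is reachable"
  else
    echo "bucket $bucket not reachable; Baffle Shield creates it if it is not present"
  fi
}

# Run only when called with exactly three arguments: REGION BUCKET ALIAS.
if [ "$#" -eq 3 ]; then
  preflight "$@"
fi
```

A non-zero exit from preflight identifies which value to correct in the file before Baffle Shield is restarted.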

