Configure the Baffle Manager AMI from AWS Marketplace

This task consists of two steps. First, you launch Baffle Manager in the AWS Marketplace, then you configure Baffle Manager.

Before You Begin

It is important that you verify that your site meets the Baffle Prerequisites and Requirements.

Step 1: Launch Baffle Manager

This step walks you through the process of launching Baffle Manager from AWS Marketplace.

To launch Baffle Manager, do the following:

  1. Search for Baffle in the AWS Marketplace or click the following link to begin setup – Baffle Data Protection Services, once on the page click Subscribe, then Continue with Configuration.
  2. Make the following selections to Configure this Software:
    • Delivery Method – 64-bit (x86) Amazon Machine Image (AMI)
    • Software Version – Baffle Manager Release (latest version is displayed by default)
    • Region – Select the region. 
  3. Click Continue Launch, then under Choose Action select Launch through EC2 from the drop-down list and click Launch.
  4. Select the desired Instance Type from the list and click Next: Configure Instance Details.
  5. On the Configure Instance Details page, accept the default settings with the exception of specifying the following: 
    • Create a new security group on the VPC based on ‘seller settings’. This configuration opens the necessary ports for Baffle Manager. Set the range of IP addresses that will be permitted access.  
    • Ensure you have saved the selected key pair to access the Baffle Manager. 
  6. Click Next: Add Storage, enter the desired root storage Size (GiB) and click Next: Add Tags.
  7. Click Add Tag and enter a Key and Value, then Add another tag with a Key and Value. Name and Owner are two commonly used tags.
  8. Click Next: Configure Security Group. On the Configure Security Group page, accept Assign a new security group, along with the Security group name that provides the recommended ports and connection settings Baffle Manager requires for its data protection services.

    IMPORTANT! You must add your own inbound security group with your IP address here so you will be able to connect to Baffle Manager in a web browser.

  9. Click Review and Launch to review the instance configurations. Verify that the PRIVATE_IP address for Baffle Manager is correct in the .env file (located in the BM-Docker-Deploy directory). 
  10. Click Launch
  11. You are prompted to Select an existing key pair or Create a new key pair. Once done, click the I acknowledge check box followed by Launch Instances.
  12. Click View Instances to go to the EC2 dashboard. Enter one of the specified tags to search for the instance.

Step 2: Configure Baffle Manager

  1. Once the instance is running, connect to it with a web browser via HTTPS. Use the public IP address of the instance, prefaced with https:// for example,

    NOTE: If you are unable to connect to the instance via HTTPS, check your security group inbound rules. Also ensure that your instance has finished initializing.

  2. Since the instance is bootstrapped with a self-signed certificate, you will receive an invalid CA warning. Select the browser option to “proceed”. You will have the opportunity to upload and use your organization’s certificate later in this section. The following window appears.


    This dialog indicates that the Baffle Manager is in a locked state.
  3. To unlock the Baffle Manager, access the system with SSH using “baffle” as the username for the SSH connection, followed by the public IP address (for example, baffle@ You will also need the key pair file that you selected when you launched the instance. How you add the key pair depends on the shell client you are using (such as, SecureCRT).
  4. Once you have connected to the instance, issue the following command to retrieve the unlock code.
  5. You access the initpass file that unlocks Baffle Manager by connecting to the Baffle Manager instance with SSH, then using the following command to retrieve the unlock code.

    sudo more /var/lib/docker/volumes/baffle_manager/_data/initpass

  6. In the Unlock Baffle Manager dialog, paste the unlock code in the password field and click CONTINUE
  7. Configure System Settings. You are prompted for hostname and domain settings. All system users must have this domain name as part of this email going forward.


  8. Configure Email Settings. This allows Baffle Manager to send emails to provide notifications and for password resets. Enter the SMTP server to use, as well as the login credentials for the SMTP server.


  9. Create Admin Account. The screen below prompts you to create the initial Baffle Manager administrator account. This account is used to configure the subsequent components such as the key management store, data store connections, and Baffle Shields.


  10. Configure Credential Keystore. This configuration screen establishes an encrypted credential store for any system access credential or access key that the Baffle Manager or Baffle Shield utilize. The default name is “baffle_credential_store” and cannot be changed.

    Select LOCAL for Keystore type.  For Secret Key, enter any random string which will be used to generate a random key to encrypt the Keystore Config Password.  For Config Password, enter a secure password or passphrase to secure the actual keystore.


  11. Install SSL Certificate. This configuration step allows you to install an SSL certificate to secure access to the Baffle Manager web interface.  Upload the certificate and key file for your organization or respective CA to enable SSL for the Baffle Manager console. 


  12. This should complete the initial setup process and bring you to the login page.


  13. Enter the credentials for the administrator account you created in Step 9 to login and continue the configuration process.

Next Steps

Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.