User guide

Amazon Redshift Database Encryption
Topics
Overview (p. 98)
Hardware Security Modules (p. 99)
Rotating Encryption Keys (p. 105)
Overview
Amazon Redshift provides database encryption for its clusters to help protect data at rest. When you
enable encryption for your cluster, Amazon Redshift encrypts all data by using hardware-accelerated
AES-256. This encryption includes data blocks and system metadata, and it applies to both the active
cluster and any cluster backups.
Amazon Redshift uses a four-tier, key-based architecture for encryption. These keys consist of data
encryption keys, a database key, a cluster key, and a master key.
Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly generated
AES-256 key. These keys are encrypted by using the database key for the cluster.
The database key encrypts data encryption keys in the cluster. The database key is a randomly generated
AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and encrypted
by the cluster key. Amazon Redshift passes the database key across a secure channel and keeps it in
memory in the cluster.
The cluster key encrypts the database key for the Amazon Redshift cluster. You can use either AWS Key
Management Service (AWS KMS) or a hardware security module (HSM) to manage the cluster key.
The master key encrypts the cluster key if it is managed by AWS KMS. The master key encrypts the
cluster-key-encrypted database key if the cluster key is stored in an HSM. For more information about
AWS KMS, go to AWS Key Management Service Developer Guide. For more information about HSM,
see Hardware Security Modules (p. 99).
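The following Go program is an added illustration of the four-tier hierarchy just described; it is not Amazon Redshift code and does not show how Redshift itself wraps keys. It models the chain master key -> cluster key -> database key -> per-block data keys with every key a random AES-256 key, using AES-256-GCM for both key wrapping and block encryption (that mode, and the names EncryptCluster, DecryptCluster and RewrapClusterKey, are assumptions made for the example). It goes one step beyond the overview: RewrapClusterKey shows why the hierarchy matters for key rotation, since replacing the master key only re-wraps the cluster key and leaves every data block and data key untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed example, not AWS code. All keys are random 32-byte AES-256 keys;
// AES-256-GCM as the wrap and block cipher mode is an assumption, not Redshift's.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // invalid key length; every key here comes from randomBytes(32)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// seal encrypts and authenticates plaintext under key, prepending a random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a modified ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// EncryptedCluster holds only wrapped keys and ciphertext; the master key is
// never stored here and stays with its manager (AWS KMS or an HSM in Redshift).
type EncryptedCluster struct {
	WrappedClusterKey []byte   // cluster key, wrapped by the master key
	WrappedDBKey      []byte   // database key, wrapped by the cluster key
	WrappedDataKeys   [][]byte // one per block, wrapped by the database key
	Blocks            [][]byte // each block encrypted under its own data key
}

// EncryptCluster builds the chain master -> cluster -> database -> data keys.
func EncryptCluster(masterKey []byte, blocks [][]byte) *EncryptedCluster {
	clusterKey, dbKey := randomBytes(32), randomBytes(32)
	ec := &EncryptedCluster{
		WrappedClusterKey: seal(masterKey, clusterKey),
		WrappedDBKey:      seal(clusterKey, dbKey),
	}
	for _, b := range blocks {
		dataKey := randomBytes(32) // a fresh random AES-256 key for every block
		ec.WrappedDataKeys = append(ec.WrappedDataKeys, seal(dbKey, dataKey))
		ec.Blocks = append(ec.Blocks, seal(dataKey, b))
	}
	return ec
}

// DecryptCluster unwraps the chain top-down; any broken link stops with an error.
func DecryptCluster(masterKey []byte, ec *EncryptedCluster) ([][]byte, error) {
	clusterKey, err := open(masterKey, ec.WrappedClusterKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap cluster key: %w", err)
	}
	dbKey, err := open(clusterKey, ec.WrappedDBKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap database key: %w", err)
	}
	out := make([][]byte, len(ec.Blocks))
	for i := range ec.Blocks {
		dataKey, err := open(dbKey, ec.WrappedDataKeys[i])
		if err == nil {
			out[i], err = open(dataKey, ec.Blocks[i])
		}
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
	}
	return out, nil
}

// RewrapClusterKey changes the master key. Only the top link depends on it, so
// the database key, the data keys and the blocks are left untouched.
func RewrapClusterKey(oldMaster, newMaster []byte, ec *EncryptedCluster) error {
	clusterKey, err := open(oldMaster, ec.WrappedClusterKey)
	if err != nil {
		return fmt.Errorf("unwrap cluster key: %w", err)
	}
	ec.WrappedClusterKey = seal(newMaster, clusterKey)
	return nil
}
```

Because every link is authenticated, a wrong master key or a modified block fails closed at the first broken link instead of yielding garbage plaintext, and after RewrapClusterKey the old master key no longer opens anything while the stored blocks are byte-for-byte unchanged.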
Though encryption is optional, we recommend using it to help protect sensitive data at rest, and it might
be required depending on the business, privacy, or security rules that apply to the data that you store.
For example, the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act
API Version 2012-12-01
98
Amazon Redshift Management Guide