User guide
(SOX), the Health Insurance Portability and Accountability Act (HIPAA), and other such regulations provide
guidelines for handling specific types of data.
Encryption is an immutable property of the cluster. The only way to go from an encrypted to a nonencrypted
cluster or vice versa is to unload the data and reload it to a new cluster. Encryption also applies to backups.
When restoring from an encrypted snapshot, the new cluster will be encrypted as well.
Note
When you enable encryption in your cluster, it will have an impact on performance, even though
it is hardware-accelerated. On average, we expect you will see approximately a 20 percent
degradation, with peak overheads of 40 percent. You should take this into account when deciding
whether you should enable encryption when you create the cluster.
Hardware Security Modules
You can use a hardware security module (HSM) to generate and manage your Amazon Redshift cluster
key. HSMs are devices that provide direct control of key generation and management. They provide
greater security by separating key management from the application and database layers. Amazon
Redshift supports both AWS CloudHSM and on-premises HSMs for key management.
When you configure your cluster to use an HSM, Amazon Redshift sends a request to the HSM to create
a cluster key. The HSM uses the cluster key to encrypt the database key. The cluster key is stored in the
HSM. The cluster key decrypts the encrypted database key, and then the unencrypted database key is
passed over a secure channel to the cluster, where it is loaded into memory. The database key is then
used to encrypt all of the data encryption keys that encrypt data blocks.
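The three-tier key hierarchy described above (cluster key held in the HSM, database key, data encryption keys), together with the earlier point that a snapshot restore stays encrypted, as an added Go example that is not part of this guide or of Amazon Redshift's own implementation. It models the HSM as an in-process object that only wraps and unwraps, uses AES-256-GCM as an assumed stand-in for the service's actual algorithms, and shows that a copied snapshot cannot be restored without the HSM that holds the cluster key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
// aead returns AES-256-GCM for a key; all keys here are 32 random bytes, so the constructors cannot fail.
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); a, _ := cipher.NewGCM(b); return a }
// seal encrypts pt under key with a fresh random nonce prepended; open reverses it and rejects tampering.
func seal(key, pt []byte) []byte { a := aead(key); n := randBytes(a.NonceSize()); return a.Seal(n, n, pt, nil) }
func open(key, ct []byte) ([]byte, error) {
	a := aead(key)
	if n := a.NonceSize(); len(ct) >= n {
		return a.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// HSM (assumed model) holds the cluster key and exposes only wrap/unwrap; the cluster key never leaves it.
type HSM struct{ clusterKey []byte }

func NewHSM() *HSM                             { return &HSM{clusterKey: randBytes(32)} }
func (h *HSM) Wrap(k []byte) []byte            { return seal(h.clusterKey, k) }
func (h *HSM) Unwrap(w []byte) ([]byte, error) { return open(h.clusterKey, w) }
// Snapshot is what a backup carries: the wrapped database key, the wrapped DEK and the encrypted block.
type Snapshot struct{ WrappedDBKey, WrappedDEK, Block []byte }
// EncryptBlock builds the hierarchy: the HSM wraps the database key, the database key wraps the
// data encryption key (DEK), and the DEK encrypts the block (a real cluster has one DEK per block).
func EncryptBlock(h *HSM, block []byte) Snapshot {
	dbKey, dek := randBytes(32), randBytes(32)
	return Snapshot{WrappedDBKey: h.Wrap(dbKey), WrappedDEK: seal(dbKey, dek), Block: seal(dek, block)}
}

// RestoreBlock mirrors a restore from an encrypted snapshot: nothing decrypts until the HSM
// unwraps the database key, so a copied snapshot without HSM access stays ciphertext.
func RestoreBlock(h *HSM, s Snapshot) ([]byte, error) {
	dbKey, err := h.Unwrap(s.WrappedDBKey)
	if err != nil {
		return nil, errors.New("HSM could not unwrap the database key: " + err.Error())
	}
	dek, err := open(dbKey, s.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, s.Block)
}
```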
When you opt to use an HSM for management of your cluster key, you need to configure a trusted network
link between Amazon Redshift and your HSM. Doing this requires configuration of client and server
certificates.
Amazon Redshift creates a public client certificate from a randomly generated private and public key pair.
These are encrypted and stored internally. You download and register the public client certificate in your
HSM, and assign it to the applicable HSM partition.
You provide Amazon Redshift with the HSM IP address, HSM partition name, HSM partition password,
and a public HSM server certificate, which is encrypted by using an internal master key. Amazon Redshift
completes the configuration process and verifies that it can connect to the HSM. If it cannot, the cluster
is put into INCOMPATIBLE_HSM state and the cluster is not created. In this case, you must delete the
incomplete cluster and try again.
After initial configuration, if Amazon Redshift fails to connect to the HSM, an event is logged. For more
information about these events, see Amazon Redshift Event Notifications (p. 202).
Configuring HSM Using the Amazon Redshift Console
Topics
• Creating an HSM Connection (p. 100)
• Creating an HSM Client Certificate (p. 101)
• Displaying the Public Key for an HSM Client Certificate (p. 104)
• Deleting an HSM Connection (p. 104)
• Deleting an HSM Client Certificate (p. 104)
API Version 2012-12-01
99
Amazon Redshift Management Guide
Hardware Security Modules