Ops Manager supports Amazon Elastic Block Store (EBS) encryption for VMware Tanzu Operations Manager (Ops Manager) deployments on AWS. You can use this feature to meet data-at-rest encryption requirements or as a security best practice. This feature uses AWS Key Management Service (KMS).
Note: Enabling EBS encryption only encrypts Linux VMs. The Windows VMs deployed with VMware Tanzu Application Service for VMs (TAS for VMs) for Windows are not encrypted.
By following the procedures in this topic, you can use full disk encryption for all persistent disks on the following VMs:
There is no performance penalty for using encrypted EBS volumes. VMware recommends that all users of Ops Manager on AWS enable encryption.
Note: Before you enable EBS encryption with KMS, you may need to update your AWS policy. For more information, see Add Additional AWS Policies.
To enable EBS encryption:
Navigate to the Ops Manager Installation Dashboard.
Click the BOSH Director tile.
Select AWS Config to open the AWS Management Console Config pane.
Select the Encrypt Linux EBS Volumes check box.
Note: Encrypt Linux EBS Volumes is a global setting. When enabled, the Encrypt Linux EBS Volumes checkbox enables encryption on all Linux VMs deployed by BOSH for all product tiles. Windows VMs are not encrypted.
(Optional) Enter a Custom Encryption Key. You can create an encryption key in the IAM section of your AWS Management Console. Look for the Amazon Resource Name (ARN) and copy that value. The ARN should look similar to the following:
key/12345678-9012-3456-7890-123456789012 ``` If you leave the field empty, the encryption key defaults to the Amazon account key. For more information about creating your own encryption key, see Creating Keys and Viewing Keys in the AWS documentation.
<p class='note'><strong>Note:</strong> AWS rotates your KMS automatically each year. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">Rotating Customer Master Keys</a> in the AWS Documentation.</p>
(Optional) Ignore this series of steps if you are making your first deployment. Otherwise, you need to reset your VMs so that they can encrypt Linux EBS volumes. To encrypt all current BOSH and BOSH-deployed VMs:
Note: If you need help with the following advanced steps, contact Support.
/var/tempest/workspaces/default/deploymentsdirectory in the SSHed Ops Manager VM.
bosh-state.jsonfile elsewhere in case you want to restore the file.
stemcellsvalues. For example, enter
bosh deploymentscommands into the command line. Record the stemcell names that BOSH-deployed VMs are using. Encrypt BOSH-deployed VMs
var/tempest/stemcellsin the SSHed Ops Manager VM.
bosh upload-stemcell STEMCELL_NAME --fixcommand into the command line for each stemcell to enforce the BOSH Director, encrypt the stemcells, and re-upload them.
Return to the Ops Manager Installation Dashboard.
Click Review Pending Changes.
Click Apply Changes and review any reported errors. The following example error message lists jobs that cannot be encrypted due to unsupported instance types.
If you find a job that should be encrypted in the error list, modify the instance type for that job in the Resource Config page of the TAS for VMs tile. Select an instance type that supports encryption. VMware recommends using
After you make your changes in TAS for VMs, return to the Ops Manager Installation Dashboard.
Click Review Pending Changes.
Click Apply Changes.
Caution: After you select or deselect the Encrypt Linux EBS Volumes checkbox, click Review Pending Changes, and click Apply Changes, Ops Manager recreates all existing persistent VM disks.
To encrypt the Ops Manager VM, you must manually re-launch Ops Manager with a new Amazon Machine Image (AMI). For more information, see Step 1: Launch an Ops Manager AMI in Deploying Ops Manager on AWS.