Amazon Redshift
Management Guide (API Version 2012-12-01)

Configuring Database Encryption Using the Console

You can use the Amazon Redshift console to configure Amazon Redshift to use an HSM and to rotate encryption keys. For information about how to create clusters using AWS KMS encryption keys or your HSM configuration, see Creating a Cluster and Manage Clusters Using the Amazon Redshift CLI and API.

Configuring Amazon Redshift to Use an HSM Using the Amazon Redshift Console

You can use the following procedures to specify HSM connection and configuration information for Amazon Redshift by using the Amazon Redshift console.

To create an HSM Connection

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the left navigation pane, click Security, and then click the HSM Connections tab.

  3. Click Create HSM Connection.

  4. On the Create HSM Connection page, type the following information:

    1. In the HSM Connection Name box, type a name to identify this connection.

    2. In the Description box, type a description about the connection.

    3. In the HSM IP Address box, type the IP address for your HSM.

    4. In the HSM Partition Name box, type the name of the partition that Amazon Redshift should connect to.

    5. In the HSM Partition Password box, type the password that is required to connect to the HSM partition.

    6. Copy the public server certificate from your HSM and paste it in the Paste the HSM's public server certificate here box.

    7. Click Create.

  5. After the connection is created, you can create an HSM client certificate. If you want to create an HSM client certificate immediately after creating the connection, click Yes and complete the steps in the next procedure. Otherwise, click Not now to return to the list of HSM connections and complete the remainder of the process at another time.

To create an HSM client certificate

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the left navigation pane, click Security, and then click the HSM Certificates tab.

  3. Click Create HSM Client Certificate.

  4. On the Create HSM Client Certificate page, type a name in the HSM Client Certificate Identifier box to identify this client certificate.

  5. Click Next.

  6. After the certificate is created, a confirmation page appears with information to register the key on your HSM. If you do not have permission to configure the HSM, coordinate the following steps with an HSM administrator.

    1. On your computer, open a new text file.

    2. In the Amazon Redshift console, on the Create HSM Client Certificate confirmation page, copy the public key.

    3. Paste the public key into the open file and save it with the file name displayed in step 1 from the confirmation page. Make sure that you save the file with the .pem file extension, for example: 123456789mykey.pem.

    4. Upload the .pem file to your HSM.

    5. On the HSM, open a command-prompt window and run the commands listed in step 4 on the confirmation page to register the key. The commands use the following format, where ClientName, KeyFilename, and PartitionName are values that you replace with your own:

      client register -client ClientName -hostname KeyFilename

      client assignPartition -client ClientName -partition PartitionName

      For example:

      client register -client MyClient -hostname 123456789mykey

      client assignPartition -client MyClient -partition MyPartition

    6. After you register the key on the HSM, click Next.

  7. After the HSM client certificate is created and registered, click one of the following buttons:

    1. Launch a Cluster with HSM. This option starts the process of launching a new cluster. During the process, you can select an HSM to store encryption keys. For more information about the launch cluster process, see Managing Clusters Using the Console.

    2. Create an HSM Connection. This option starts the Create HSM Connection process.

    3. View Certificates. This option returns you to HSM in the navigation pane and displays a list of client certificates on the Certificates tab.

    4. Previous. This option returns you to the Create HSM Client Certificates confirmation page.

    5. Close. This option returns you to HSM in the navigation pane and displays a list of HSM connections on the Connections tab.
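Steps 1 through 5 of the client-certificate procedure are a manual copy, save and register sequence, and the usual failure is a public key that was truncated or mangled while being pasted into the text file. The following script is an added example (not part of the Amazon Redshift documentation or any AWS tool): it checks that the pasted text is exactly one well-formed PEM block before the file is uploaded, writes it under the required .pem name, and prints the two HSM commands from the confirmation page with your values substituted. The sample key is a constructed placeholder, and the function names are my own; the HSM command syntax is the one shown on this page, with -hostname taking the key file name without its .pem extension, as in the page's own example.

```python
import base64
import binascii
import re
from pathlib import Path

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def validate_pem(pem_text: str) -> str:
    """Return the PEM label (e.g. 'PUBLIC KEY') if the text is exactly one well-formed
    PEM block whose body is valid base64; raise ValueError otherwise. A truncated or
    doubled paste from the console fails here rather than later on the HSM."""
    match = PEM_RE.fullmatch(pem_text.strip())
    if match is None:
        raise ValueError("not a single PEM block with matching BEGIN/END markers")
    label, body = match.group(1), match.group(2)
    try:
        base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from None
    return label


def save_client_public_key(pem_text: str, key_filename: str, dest_dir) -> Path:
    """Validate the copied key and write it to <dest_dir>/<key_filename>, adding the
    .pem extension the procedure requires if it is missing. Returns the path written."""
    validate_pem(pem_text)
    if not key_filename.endswith(".pem"):
        key_filename += ".pem"
    path = Path(dest_dir) / key_filename
    path.write_text(pem_text.strip() + "\n")
    return path


def hsm_registration_commands(client_name: str, key_filename: str, partition_name: str) -> list:
    """The two HSM commands from the confirmation page. As in the page's example,
    -hostname takes the key file name without its .pem extension."""
    hostname = key_filename[:-4] if key_filename.endswith(".pem") else key_filename
    return [
        f"client register -client {client_name} -hostname {hostname}",
        f"client assignPartition -client {client_name} -partition {partition_name}",
    ]


# Constructed sample: the body is base64 of placeholder bytes, not a real key.
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(b"constructed placeholder, not a real public key").decode()
    + "\n-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        written = save_client_public_key(SAMPLE_PEM, "123456789mykey.pem", tmp)
        print("saved", written)
    for cmd in hsm_registration_commands("MyClient", "123456789mykey.pem", "MyPartition"):
        print(cmd)
```

Run it with the key text copied from the confirmation page in place of SAMPLE_PEM and the file name from step 1; a ValueError means the paste should be redone before anything is uploaded to the HSM.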

To display the public key for an HSM client certificate

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, click Security, and then click the HSM Certificates tab.

  3. Click the HSM client certificate to display the public key. This key is the same one that you added to the HSM in the preceding procedure, To create an HSM client certificate.

To delete an HSM connection

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the left navigation pane, click Security, and then click the HSM Connections tab.

  3. Click the HSM connection that you want to delete.

  4. In the Delete HSM Connection dialog box, click Delete to delete the connection from Amazon Redshift, or click Cancel to return to the HSM Connections tab without deleting the connection.

To delete an HSM client certificate

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, click Security and select the HSM Certificates tab.

  3. In the list, click the HSM client certificate that you want to delete.

  4. In the Delete HSM Client Certificate dialog box, click Delete to delete the certificate from Amazon Redshift, or click Cancel to return to the Certificates tab without deleting the certificate.

Rotating Encryption Keys Using the Amazon Redshift Console

You can use the following procedure to rotate encryption keys by using the Amazon Redshift console.

To rotate an encryption key

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, click Clusters.

  3. In the list, click the cluster for which you want to rotate keys.

  4. Click Database, and then click Rotate Encryption Keys.

  5. Click Yes, Rotate Keys if you want to rotate the keys or Cancel if you do not.

    Note

    Your cluster will be momentarily unavailable until the key rotation process completes.
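The note above is the operational point of this procedure: rotation takes the cluster offline briefly, so a scripted rotation should confirm the cluster is available before starting and wait for it to come back afterwards. The following script is an added example and not part of the Amazon Redshift documentation or the AWS SDK. It uses the describe_clusters and rotate_encryption_key calls and the response shapes of the boto3 redshift client, and the status string rotating-keys that the Redshift API reports during rotation; the FakeRedshift class, its status timing, the cluster name and the helper names are constructed so the example runs offline.

```python
import time


def describe_status(redshift, cluster_id: str) -> str:
    """ClusterStatus of one cluster via describe_clusters (same call and response
    shape as boto3's redshift client)."""
    resp = redshift.describe_clusters(ClusterIdentifier=cluster_id)
    return resp["Clusters"][0]["ClusterStatus"]


def rotate_cluster_key(redshift, cluster_id: str, poll_seconds: float = 15,
                       max_polls: int = 60, sleep=time.sleep) -> list:
    """Rotate the cluster's encryption key and wait for it to become available again.

    Refuses to start unless the cluster is currently 'available', then polls after
    the rotate_encryption_key call until the status returns to 'available'. Returns
    the distinct statuses observed, so the unavailable window can be logged."""
    before = describe_status(redshift, cluster_id)
    if before != "available":
        raise RuntimeError(f"refusing to rotate {cluster_id}: status is '{before}'")
    redshift.rotate_encryption_key(ClusterIdentifier=cluster_id)
    seen = []
    for _ in range(max_polls):
        status = describe_status(redshift, cluster_id)
        if not seen or seen[-1] != status:
            seen.append(status)
        if status == "available":
            return seen
        sleep(poll_seconds)
    raise TimeoutError(f"{cluster_id} still '{seen[-1]}' after {max_polls} polls")


class FakeRedshift:
    """Constructed stand-in for boto3.client('redshift') so the example runs offline.
    It reports 'available' until rotate_encryption_key is called, then walks through
    the given statuses one per describe_clusters call, staying on the last one."""

    def __init__(self, statuses_after_rotation):
        self._pending = list(statuses_after_rotation)
        self._status = "available"
        self.rotated = []  # cluster ids for which rotation was requested

    def describe_clusters(self, ClusterIdentifier):
        if self.rotated and self._pending:
            self._status = self._pending.pop(0)
        return {"Clusters": [{"ClusterIdentifier": ClusterIdentifier,
                              "ClusterStatus": self._status}]}

    def rotate_encryption_key(self, ClusterIdentifier):
        self.rotated.append(ClusterIdentifier)
        return {"Cluster": {"ClusterIdentifier": ClusterIdentifier,
                            "ClusterStatus": "rotating-keys"}}


if __name__ == "__main__":
    # Replace FakeRedshift(...) with boto3.client("redshift") to run against a real cluster.
    client = FakeRedshift(["rotating-keys", "rotating-keys", "available"])
    print(rotate_cluster_key(client, "demo-cluster", sleep=lambda s: None))
```

Against a real cluster, pass boto3.client("redshift") as the first argument and keep the default sleep; the pre-check is what prevents a rotation from being queued behind a resize or another modification, and the returned status list is worth writing to your change log alongside the rotation time.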