Amazon Redshift
Cluster Management Guide

Key Management

You can configure your environment to protect data with keys.

  • Amazon Redshift automatically integrates with AWS Key Management Service (AWS KMS) for key management. AWS KMS uses envelope encryption. For more information, see Envelope Encryption.

  • When encryption keys are managed in AWS KMS, Amazon Redshift uses a four-tier, key-based architecture for encryption. The architecture consists of randomly generated AES-256 data encryption keys, a database key, a cluster key, and a master key. For more information, see How Amazon Redshift Uses AWS KMS.

  • You can create your own Customer Master Key (CMK) in KMS. For more information, see Creating Keys.

  • You can also import your own key material for new CMKs. For more information, see Importing Key Material in AWS Key Management Service (AWS KMS).

  • Amazon Redshift supports management of encryption keys in external Hardware Security Modules (HSMs). The HSM can be on-premises or can be AWS CloudHSM. When you use an HSM, you must use client and server certificates to configure a trusted connection between Amazon Redshift and your HSM. For more information, see Encryption for Amazon Redshift Using Hardware Security Modules. For information about AWS CloudHSM, see What is AWS CloudHSM.

  • You can rotate encryption keys for encrypted clusters. For more information, see Encryption Key Rotation in Amazon Redshift.
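The options above (KMS-managed keys, your own CMK, or an external HSM) all surface in the cluster description, so a defender can audit which configuration each cluster actually uses. The following is an added example, not code from the Amazon Redshift documentation; it works over the field names returned by the boto3 `redshift.describe_clusters()` call, and the approved-key ARNs and sample clusters are constructed placeholders.

```python
# Added example: classify each Redshift cluster's encryption-at-rest setup
# from a DescribeClusters response (Encrypted, KmsKeyId, HsmStatus fields).
# Approved-key list and sample clusters below are constructed for illustration.

def classify_cluster(cluster, approved_key_arns):
    """Return a finding string for one Cluster record."""
    if not cluster.get("Encrypted", False):
        return "unencrypted"
    hsm = cluster.get("HsmStatus") or {}
    if hsm.get("HsmConfigurationIdentifier"):
        # Keys managed in an external HSM (on-premises or AWS CloudHSM);
        # Status reports whether the HSM configuration is fully applied.
        return "hsm" if hsm.get("Status") == "active" else "hsm-pending"
    key_id = cluster.get("KmsKeyId", "")
    if key_id in approved_key_arns:
        return "kms-approved-key"
    # Encrypted with KMS, but not with a key on the organisation's approved list
    return "kms-unapproved-key"


def audit_cluster_encryption(response, approved_key_arns):
    """Map ClusterIdentifier -> finding for every cluster in the response."""
    approved = set(approved_key_arns)
    return {c["ClusterIdentifier"]: classify_cluster(c, approved)
            for c in response.get("Clusters", [])}


# Constructed sample mirroring describe_clusters() output; ARNs are placeholders.
APPROVED_KEYS = ["arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-APPROVED-CMK"]
SAMPLE_RESPONSE = {
    "Clusters": [
        {"ClusterIdentifier": "analytics-prod", "Encrypted": True,
         "KmsKeyId": APPROVED_KEYS[0]},
        {"ClusterIdentifier": "scratch-dev", "Encrypted": False},
        {"ClusterIdentifier": "finance-hsm", "Encrypted": True,
         "HsmStatus": {"HsmClientCertificateIdentifier": "fin-cert",
                       "HsmConfigurationIdentifier": "fin-hsm",
                       "Status": "active"}},
        {"ClusterIdentifier": "legacy-etl", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OTHER-KEY"},
    ]
}

if __name__ == "__main__":
    for cluster_id, finding in audit_cluster_encryption(SAMPLE_RESPONSE, APPROVED_KEYS).items():
        print(f"{cluster_id}: {finding}")
```

Against a live account, pass the dict returned by `boto3.client("redshift").describe_clusters()` in place of `SAMPLE_RESPONSE`.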