Key management - Amazon Redshift

Key management

You can configure your environment to protect data with keys:

  • Amazon Redshift automatically integrates with AWS Key Management Service (AWS KMS) for key management. AWS KMS uses envelope encryption. For more information, see Envelope Encryption.

  • When encryption keys are managed in AWS KMS, Amazon Redshift uses a four-tier, key-based architecture for encryption. The architecture consists of randomly generated AES-256 data encryption keys, a database key, a cluster key, and a root key. For more information, see How Amazon Redshift Uses AWS KMS.

  • You can create your own customer managed key in AWS KMS. For more information, see Creating Keys.

  • You can also import your own key material for new AWS KMS keys. For more information, see Importing Key Material in AWS Key Management Service (AWS KMS).

  • Amazon Redshift supports management of encryption keys in external hardware security modules (HSMs). The HSM can be on-premises or can be AWS CloudHSM. When you use an HSM, you must use client and server certificates to configure a trusted connection between Amazon Redshift and your HSM. Amazon Redshift supports only AWS CloudHSM Classic for key management. For more information, see Encryption for Amazon Redshift using hardware security modules. For information about AWS CloudHSM, see What is AWS CloudHSM?

  • You can rotate encryption keys for encrypted clusters. For more information, see Encryption key rotation in Amazon Redshift.
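The four-tier hierarchy (root key, cluster key, database key, per-block data keys) and the key rotation described in the bullets above, modelled as an added example that is not AWS or Amazon Redshift code. It assumes AES-256-GCM from the Python `cryptography` package as a stand-in for both KMS and cluster-side wrapping, and it assumes that rotation re-wraps the existing data keys under the new database key while the stored ciphertext stays untouched.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def wrap(kek: bytes, key: bytes) -> bytes:
    """Envelope-wrap one key under another; the 12-byte nonce is prepended."""
    nonce = os.urandom(12)
    return nonce + AESGCM(kek).encrypt(nonce, key, b"key-wrap")

def unwrap(kek: bytes, blob: bytes) -> bytes:
    return AESGCM(kek).decrypt(blob[:12], blob[12:], b"key-wrap")

class KeyHierarchy:
    """Constructed model of the four-tier key design; not the real Redshift code."""
    def __init__(self):
        self.root_key = AESGCM.generate_key(256)       # stays inside KMS/HSM
        cluster_key = AESGCM.generate_key(256)
        database_key = AESGCM.generate_key(256)
        self.wrapped_cluster_key = wrap(self.root_key, cluster_key)
        self.wrapped_database_key = wrap(cluster_key, database_key)
        self.blocks = {}   # block_id -> (data key wrapped by database key, ciphertext)

    def _database_key(self) -> bytes:
        cluster_key = unwrap(self.root_key, self.wrapped_cluster_key)
        return unwrap(cluster_key, self.wrapped_database_key)

    def write_block(self, block_id: str, plaintext: bytes) -> None:
        dek = AESGCM.generate_key(256)     # random AES-256 data key per block
        nonce = os.urandom(12)
        ct = nonce + AESGCM(dek).encrypt(nonce, plaintext, block_id.encode())
        self.blocks[block_id] = (wrap(self._database_key(), dek), ct)

    def read_block(self, block_id: str) -> bytes:
        wrapped_dek, ct = self.blocks[block_id]
        dek = unwrap(self._database_key(), wrapped_dek)
        return AESGCM(dek).decrypt(ct[:12], ct[12:], block_id.encode())

    def rotate(self) -> None:
        """Replace cluster and database keys; data keys are re-wrapped, data untouched."""
        old_database_key = self._database_key()
        new_cluster_key = AESGCM.generate_key(256)
        new_database_key = AESGCM.generate_key(256)
        self.wrapped_cluster_key = wrap(self.root_key, new_cluster_key)
        self.wrapped_database_key = wrap(new_cluster_key, new_database_key)
        for block_id, (wrapped_dek, ct) in self.blocks.items():
            dek = unwrap(old_database_key, wrapped_dek)
            self.blocks[block_id] = (wrap(new_database_key, dek), ct)
```

Because only the wrapping layers change, rotation costs one small re-wrap per block rather than re-encrypting the data itself, which is what makes the envelope design cheap to rotate.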