Securing MarkLogic Server

Encryption on EBS Volumes

An Elastic Block Storage (EBS) volume is a durable, block-level storage device that you can attach to a single EC2 instance. EBS encryption offers a simple encryption solution for your EBS volumes without the need to build, maintain, and secure your own key management infrastructure. AWS EBS volumes support encryption with a custom key.

Starting in MarkLogic Server 9.0-8, MarkLogic Server for AWS supports this capability. Users can turn on encryption for the EBS volumes in their cluster and can optionally specify a custom key for the volumes. This can be done using the MarkLogic Server CloudFormation templates and the Managed Cluster Feature. See "The Managed Cluster Feature" and "Deploying MarkLogic on EC2 Using CloudFormation" in the MarkLogic Server on Amazon Web Services (AWS) Guide.

If a cluster is created by the MarkLogic Server CloudFormation template, the same encryption key is used to encrypt all EBS volumes in the cluster. If the encryption option is specified, the same setting applies to all volumes attached to an instance. EBS encryption is supported only by some EC2 instance types, mostly the new generation. The key that is used to encrypt the volume must be in the same region as the volume.

Note

KMS keys are never transmitted outside of the AWS regions in which they were created.
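
The constraints described above (one key for every volume in the cluster, a uniform encryption setting per instance, and a key in the cluster's region) can be verified after deployment. The Python below is an added example, not MarkLogic or AWS code; it audits a constructed list shaped like the "Volumes" array of `aws ec2 describe-volumes` output, and the function names, finding labels, and sample IDs are assumptions.

```python
from collections import defaultdict

KEY = "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-constructed"
OTHER = "arn:aws:kms:us-east-1:111122223333:key/2222bbbb-constructed"

# Constructed sample shaped like the "Volumes" list of `aws ec2 describe-volumes`
# output; every ID and ARN here is made up.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "KmsKeyId": KEY,
     "Attachments": [{"InstanceId": "i-node1"}]},
    {"VolumeId": "vol-0a2", "Encrypted": True, "KmsKeyId": KEY,
     "Attachments": [{"InstanceId": "i-node1"}]},
    {"VolumeId": "vol-0b1", "Encrypted": True, "KmsKeyId": OTHER,
     "Attachments": [{"InstanceId": "i-node2"}]},
    {"VolumeId": "vol-0b2", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-node2"}]},
]


def key_region(arn):
    """Return the region field of a KMS key ARN (arn:partition:kms:region:account:key/id)."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms" or not parts[3]:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return parts[3]


def audit_cluster(volumes, expected_key_arn, region):
    """Return sorted (resource, finding) pairs for deviations from the cluster's EBS encryption settings."""
    findings = []
    # The custom key must live in the region the cluster is deployed to.
    if key_region(expected_key_arn) != region:
        findings.append(("config", "key-not-in-deployment-region"))
    states = defaultdict(set)  # instance id -> encryption states seen on its volumes
    for vol in volumes:
        encrypted = vol.get("Encrypted", False)
        for att in vol.get("Attachments", []):
            states[att["InstanceId"]].add(encrypted)
        if not encrypted:
            findings.append((vol["VolumeId"], "unencrypted"))
        elif vol.get("KmsKeyId") != expected_key_arn:
            # One key is expected to encrypt every volume in the cluster.
            findings.append((vol["VolumeId"], "unexpected-key"))
    # All volumes attached to one instance should share the same setting.
    for instance, seen in states.items():
        if len(seen) > 1:
            findings.append((instance, "mixed-encryption-on-instance"))
    return sorted(findings)
```

To run it against a real cluster, pass the parsed "Volumes" list from `aws ec2 describe-volumes` for the cluster's instances in place of `SAMPLE_VOLUMES`.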