2 Answers
-1
Hello,
You will not be able to use KMS for the TDE configuration, since TDE is a native engine feature and the keys have to be generated by the database itself. But you will be able to store the generated key in AWS CloudHSM. For more information, please check the documents below.
- Oracle database transparent data encryption (TDE) with AWS CloudHSM - https://docs.aws.amazon.com/cloudhsm/latest/userguide/oracle-tde.html
- AWS CloudHSM Use Cases (Part One of the AWS CloudHSM Series) - https://aws.amazon.com/blogs/security/aws-cloudhsm-use-cases-part-one-of-the-aws-cloudhsm-series/
answered 4 months ago
-1
Not sure if running the DB instance on self-hosted EC2 is a requirement, but RDS offers KMS integration: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.html
answered 4 months ago
Check out this blog: https://aws.amazon.com/blogs/security/architecting-for-database-encryption-on-aws/
@rePost_koushald - My response is specific to database TDE (a native engine feature). We can use KMS for encryption in RDS (at the EBS level) but not in the database TDE configuration. In the blog link you have shared above, it is clearly mentioned that you can use KMS to encrypt the RDS instance (meaning the EBS volumes attached to the underlying host) but not with the TDE feature, which comes as a native engine feature.
For databases hosted on EC2 as well, you can use KMS to encrypt only the EBS volumes, but you cannot use KMS to configure database TDE (a native engine feature).