❗️ CMKs are completely managed outside of Aptible. As a result, if there is an issue accessing a CMK, Aptible will be unable to decrypt the data. If a CMK is deleted, Aptible will be unable to recover the data.
Creating a New CMK
CMKs used by Aptible must be symmetric and must not use imported key material. The CMK must be created in the same region as the Database that will be using the key. Aptible can support all other CMK options. After creating a CMK, the key must be shared with Aptible’s AWS account. When creating the CMK in the AWS console, you can specify that you would like to share the CMK with the AWS account ID 916150859591. Alternatively, you can include the following statements in the policy for the key:
Creating a new Database encrypted with a CMK
New databases encrypted with a CMK can be created via the Aptible CLI using the aptible db:create command. The CMK should be passed in using the --key-arn flag, for example:
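Before pointing db:create at a key, it is worth verifying the requirements above (symmetric, AWS-generated key material, same region as the Database, enabled, and shared with Aptible's account) in one place; the following pre-flight check is an added example, not Aptible's code, and assumes inputs shaped like boto3's kms.describe_key()["KeyMetadata"] and kms.get_key_policy()["Policy"], with a constructed sample key and policy whose Action value is only a placeholder for the statements Aptible documents.

```python
import json
import re

# Aptible's AWS account ID, quoted from the text above.
APTIBLE_ACCOUNT_ID = "916150859591"


def _principal_accounts(statement):
    """Account IDs named in a policy statement's Principal ({'*'} for everyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    accounts = set()
    for entry in principal:
        match = re.match(r"arn:aws:iam::(\d{12}):", entry)
        accounts.add(match.group(1) if match else entry)
    return accounts


def check_cmk(key_metadata, key_policy_json, database_region):
    """Return reasons this key cannot back an Aptible Database ([] means usable).
    key_metadata is shaped like kms.describe_key()["KeyMetadata"];
    key_policy_json is the string from kms.get_key_policy()["Policy"]."""
    problems = []
    if key_metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
        problems.append("key is not symmetric")
    if key_metadata.get("Origin") != "AWS_KMS":
        problems.append("key material is imported or external")
    if key_metadata.get("KeyState") != "Enabled":
        problems.append("key is not Enabled (disabled or pending deletion)")
    key_region = key_metadata["Arn"].split(":")[3]  # arn:aws:kms:REGION:acct:key/id
    if key_region != database_region:
        problems.append(f"key is in {key_region}, Database is in {database_region}")
    statements = json.loads(key_policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    if not any(s.get("Effect") == "Allow" and APTIBLE_ACCOUNT_ID in _principal_accounts(s)
               for s in statements):
        problems.append("key policy grants nothing to Aptible's AWS account")
    return problems


# Constructed sample inputs (not a real key); the Action value is a placeholder.
SAMPLE_KEY = {"Arn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
              "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::916150859591:root"},
     "Action": "kms:PLACEHOLDER", "Resource": "*"}]})
```

Running check_cmk against a real key only requires swapping the constructed samples for the describe_key and get_key_policy responses; an empty list means the key meets every constraint listed above.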
Key Rotation
Custom encryption keys can be rotated through AWS. However, as described in the CMK key rotation documentation, this method does not re-encrypt the existing data. To re-encrypt existing data, the key must be manually rotated by updating the CMK in Aptible.
Updating CMKs
CMKs can be added or rotated by creating a backup and restoring from the backup via the Aptible CLI command aptible backup:restore