github.com/muhammadn/cortex@v1.9.1-0.20220510110439-46bb7000d03d/docs/guides/encryption-at-rest.md

---
title: "Encryption at Rest"
linkTitle: "Encryption at Rest"
weight: 10
slug: encryption-at-rest
---

Cortex supports data encryption at rest for some storage backends.

## S3

The Cortex S3 client supports the following server-side encryption (SSE) modes:

- [SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html)
- [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html)

### Blocks storage

The [blocks storage](../blocks-storage/_index.md) S3 server-side encryption can be configured as follows.

### `s3_sse_config`

The `s3_sse_config` configures the S3 server-side encryption.

```yaml
sse:
  # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
  # CLI flag: -s3.sse.type
  [type: <string> | default = ""]

  # KMS Key ID used to encrypt objects in S3
  # CLI flag: -s3.sse.kms-key-id
  [kms_key_id: <string> | default = ""]

  # KMS Encryption Context used for object encryption. It expects JSON formatted
  # string.
  # CLI flag: -s3.sse.kms-encryption-context
  [kms_encryption_context: <string> | default = ""]
```

### Chunks storage (deprecated)

The [chunks storage](../chunks-storage/_index.md) S3 server-side encryption can be configured similarly to the blocks storage, but **per-tenant overrides are not supported**.

### Ruler

The ruler S3 server-side encryption can be configured similarly to the blocks storage. Per-tenant overrides are supported when using the storage backend configurable via the `-ruler-storage.` flag prefix (or the respective YAML config options).

### Alertmanager

The alertmanager S3 server-side encryption can be configured similarly to the blocks storage. Per-tenant overrides are supported when using the storage backend configurable via the `-alertmanager-storage.` flag prefix (or the respective YAML config options).

### Per-tenant config overrides

The S3 client used by the blocks storage, ruler and alertmanager supports S3 SSE config overrides on a per-tenant basis, using the [runtime configuration file](../configuration/arguments.md#runtime-configuration-file).
The following settings can be overridden for each tenant:

- **`s3_sse_type`**<br />
  S3 server-side encryption type. It must be set to enable the SSE config override for a given tenant.
- **`s3_sse_kms_key_id`**<br />
  S3 server-side encryption KMS Key ID. Ignored if the SSE type override is not set or the type is not `SSE-KMS`.
- **`s3_sse_kms_encryption_context`**<br />
  S3 server-side encryption KMS encryption context. If unset and the key ID override is set, the encryption context will not be provided to S3. Ignored if the SSE type override is not set or the type is not `SSE-KMS`.
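
The override rules above are easy to get wrong when reasoning about which key a given tenant's objects actually end up encrypted with. The following Go program is an added example, not code from the Cortex repository: it models the three `s3_sse_config` fields and the three per-tenant override settings as plain structs, resolves the effective SSE settings for a tenant exactly as the rules state (no override unless `s3_sse_type` is set; key ID and encryption context only honoured for `SSE-KMS`; an unset context is not inherited from the global config), and validates that the SSE type is one of the two supported values and that the encryption context is a JSON object of strings. The struct and function names, the sample tenant IDs and the key alias are assumptions made for this example; how Cortex itself wires the override provider is not shown here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Supported SSE types, as listed in the s3_sse_config reference above.
const (
	SSEKMS = "SSE-KMS"
	SSES3  = "SSE-S3"
)

// SSEConfig mirrors the three s3_sse_config fields (names assumed for this example).
type SSEConfig struct {
	Type                 string // "", SSE-KMS or SSE-S3
	KMSKeyID             string // only meaningful for SSE-KMS
	KMSEncryptionContext string // JSON object, only meaningful for SSE-KMS
}

// TenantOverride mirrors the per-tenant settings of the runtime configuration file.
type TenantOverride struct {
	S3SSEType                 string
	S3SSEKMSKeyID             string
	S3SSEKMSEncryptionContext string
}

// ParseKMSEncryptionContext decodes the "JSON formatted string" expected for the
// encryption context. An empty string means "no context". Decoding into
// map[string]string (an assumption of this example) rejects nested values,
// which KMS would not accept as an encryption context either.
func ParseKMSEncryptionContext(s string) (map[string]string, error) {
	if s == "" {
		return nil, nil
	}
	var ctx map[string]string
	if err := json.Unmarshal([]byte(s), &ctx); err != nil {
		return nil, fmt.Errorf("kms_encryption_context must be a JSON object of strings: %w", err)
	}
	return ctx, nil
}

// Validate rejects unsupported SSE types and malformed encryption contexts
// before any object is written with the wrong settings.
func (c SSEConfig) Validate() error {
	switch c.Type {
	case "", SSES3:
		return nil // SSE disabled, or SSE-S3 which needs no further settings
	case SSEKMS:
		_, err := ParseKMSEncryptionContext(c.KMSEncryptionContext)
		return err
	default:
		return fmt.Errorf("unsupported sse type %q (supported: %s, %s)", c.Type, SSEKMS, SSES3)
	}
}

// EffectiveSSE resolves the SSE settings used for one tenant:
//   - no override entry, or an override without s3_sse_type, leaves the global config in force;
//   - with s3_sse_type set, the tenant's type replaces the global one entirely;
//   - key ID and encryption context are taken from the override only for SSE-KMS, and an
//     unset context stays unset (it is not inherited from the global config).
// With SSE-KMS and an empty key ID, S3 falls back to the account's default KMS key.
func EffectiveSSE(global SSEConfig, ov *TenantOverride) SSEConfig {
	if ov == nil || ov.S3SSEType == "" {
		return global
	}
	eff := SSEConfig{Type: ov.S3SSEType}
	if ov.S3SSEType == SSEKMS {
		eff.KMSKeyID = ov.S3SSEKMSKeyID
		eff.KMSEncryptionContext = ov.S3SSEKMSEncryptionContext
	}
	return eff
}

func main() {
	// Constructed sample: global SSE-S3, one tenant pinned to its own KMS key.
	global := SSEConfig{Type: SSES3}
	overrides := map[string]*TenantOverride{
		"tenant-a": {
			S3SSEType:                 SSEKMS,
			S3SSEKMSKeyID:             "alias/tenant-a-placeholder",
			S3SSEKMSEncryptionContext: `{"tenant":"tenant-a"}`,
		},
		"tenant-b": {S3SSEKMSKeyID: "alias/ignored-because-type-unset"},
	}
	for _, tenant := range []string{"tenant-a", "tenant-b", "tenant-c"} {
		eff := EffectiveSSE(global, overrides[tenant])
		if err := eff.Validate(); err != nil {
			fmt.Printf("%s: invalid SSE config: %v\n", tenant, err)
			continue
		}
		fmt.Printf("%s: type=%q key=%q context=%q\n", tenant, eff.Type, eff.KMSKeyID, eff.KMSEncryptionContext)
	}
}
```

Running it prints SSE-KMS with the tenant key for `tenant-a` and the global SSE-S3 setting for both `tenant-b` (override present but `s3_sse_type` unset) and `tenant-c` (no override). Checking the resolved settings this way, rather than reading the runtime config by eye, is the quickest way to confirm that a tenant that is supposed to be isolated on its own key really is.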

## Other storages

Other storage backends may support encryption at rest configuring it directly at the storage level.