Encryption at Rest
Cortex supports data encryption at rest for some storage backends.
S3
The Cortex S3 client supports the following server-side encryption (SSE) modes:
Blocks storage
The blocks storage S3 server-side encryption can be configured as follows.
s3_sse_config
The s3_sse_config
configures the S3 server-side encryption.
sse:
# Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
# CLI flag: -<prefix>.s3.sse.type
[type: <string> | default = ""]
# KMS Key ID used to encrypt objects in S3
# CLI flag: -<prefix>.s3.sse.kms-key-id
[kms_key_id: <string> | default = ""]
# KMS Encryption Context used for object encryption. It expects JSON formatted
# string.
# CLI flag: -<prefix>.s3.sse.kms-encryption-context
[kms_encryption_context: <string> | default = ""]
Ruler
The ruler S3 server-side encryption can be configured similarly to the blocks storage. The per-tenant overrides are supported when using the storage backend configurable the -ruler-storage.
flag prefix (or their respective YAML config options).
Alertmanager
The alertmanager S3 server-side encryption can be configured similarly to the blocks storage. The per-tenant overrides are supported when using the storage backend configurable the -alertmanager-storage.
flag prefix (or their respective YAML config options).
Per-tenant config overrides
The S3 client used by the blocks storage, ruler and alertmanager supports S3 SSE config overrides on a per-tenant basis, using the runtime configuration file. The following settings can ben overridden for each tenant:
s3_sse_type
S3 server-side encryption type. It must be set to enable the SSE config override for a given tenant.s3_sse_kms_key_id
S3 server-side encryption KMS Key ID. Ignored if the SSE type override is not set or the type is notSSE-KMS
.s3_sse_kms_encryption_context
S3 server-side encryption KMS encryption context. If unset and the key ID override is set, the encryption context will not be provided to S3. Ignored if the SSE type override is not set or the type is notSSE-KMS
.
Other storages
Other storage backends may support encryption at rest configuring it directly at the storage level.