Encryption at Rest
Cortex supports data encryption at rest for some storage backends.
The Cortex S3 client supports the following server-side encryption (SSE) modes:
The blocks storage S3 server-side encryption can be configured as follows.
s3_sse_config configures the S3 server-side encryption.
sse: # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3. # CLI flag: -s3.sse.type [type: <string> | default = ""] # KMS Key ID used to encrypt objects in S3 # CLI flag: -s3.sse.kms-key-id [kms_key_id: <string> | default = ""] # KMS Encryption Context used for object encryption. It expects JSON formatted # string. # CLI flag: -s3.sse.kms-encryption-context [kms_encryption_context: <string> | default = ""]
The chunks storage S3 server-side encryption can be configured similarly to the blocks storage, but per-tenant overrides are not supported.
The ruler S3 server-side encryption can be configured similarly to the blocks storage. The per-tenant overrides are supported when using the storage backend configurable the
-ruler-storage. flag prefix (or their respective YAML config options).
Per-tenant config overrides
The S3 client used by the blocks storage and ruler supports S3 SSE config overrides on a per-tenant basis, using the runtime configuration file. The following settings can ben overridden for each tenant:
S3 server-side encryption type. It must be set to enable the SSE config override for a given tenant.
S3 server-side encryption KMS Key ID. Ignored if the SSE type override is not set or the type is not
S3 server-side encryption KMS encryption context. If unset and the key ID override is set, the encryption context will not be provided to S3. Ignored if the SSE type override is not set or the type is not
Other storage backends may support encryption at rest configuring it directly at the storage level.