The primary resources in AWS KMS are customer master keys (CMKs). These are either customer-managed or AWS-managed. You can use either type of CMK to protect data encryption keys (or data keys) which are then used to encrypt or decrypt content stored by Alfresco Content Services in AWS S3. CMKs never leave AWS KMS unencrypted, but data keys can.
For more details, see AWS KMS Concepts and How Envelope Encryption Works with Supported AWS Services.
To learn more about how AWS KMS uses cryptography and secures master keys, see the AWS Key Management Service Cryptographic Details whitepaper.
The S3 Connector provides the following encryption options:

| Setting | Effect |
|---|---|
| | The content stored in S3 is unencrypted. Note: Storing your content unencrypted isn't recommended. |
| s3.encryption=aes256 | The content store is encrypted using AWS managed encryption. |
| s3.encryption=kms | The content store is encrypted using AWS KMS managed encryption. |

For more information about each of these encryption options, see the Encryption overview.
You can configure AWS KMS by adding the relevant properties to the global properties file.

1. Edit alfresco-global.properties to set the server-side encryption algorithm to KMS (`s3.encryption=kms`).
2. If you plan to use the AWS-managed default master key, continue from step 4.
3. To use a customer master key, either create a new KMS key using the AWS steps, or use a CMK by importing your existing key material.
4. Edit alfresco-global.properties and set the value of the `s3.awsKmsKeyId` property to the key alias (see example) or the Amazon Resource Name (ARN) of the KMS key created. You can leave the property empty in order to use the default master key attached to your account.
5. You are now ready to start Alfresco Content Services.
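The following is an added example, not code from the Alfresco documentation or the S3 Connector itself: a small Python check that reads the two KMS-related properties from alfresco-global.properties and reports whether they form a valid combination (KMS enabled with a key alias, a KMS key ARN, or an empty value meaning the account's default master key). The property file contents and the alias/ARN values are constructed placeholders; the alias and ARN patterns are the standard AWS formats, and the checker assumes the simple `key=value` form of the properties file rather than the full Java .properties syntax.

```python
import re

# Constructed sample of the relevant lines from alfresco-global.properties.
# The key alias is a placeholder, not a value from any real deployment.
SAMPLE_PROPERTIES = """
# S3 Connector encryption settings (constructed example)
s3.encryption=kms
s3.awsKmsKeyId=alias/alfresco-content-key
"""

# The two identifier forms the documentation says s3.awsKmsKeyId accepts:
# a KMS key alias ("alias/<name>") or the key's ARN. Empty means "use the
# AWS-managed default master key attached to the account".
ALIAS_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def parse_properties(text):
    """Minimal reader for key=value lines; '#'/'!' comments and blanks skipped.

    Assumption: the file uses '=' separators only (Java .properties also
    allows ':' and whitespace separators, which are not handled here).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_kms_config(props):
    """Return (errors, notes) for the S3 Connector encryption settings.

    errors: values that cannot be right and should be fixed before startup.
    notes:  valid but worth knowing (unencrypted content, default key in use).
    """
    errors, notes = [], []
    enc = props.get("s3.encryption", "")
    key_id = props.get("s3.awsKmsKeyId", "")

    if enc == "":
        notes.append("s3.encryption unset: content is stored unencrypted (not recommended)")
    elif enc not in ("aes256", "kms"):
        errors.append(f"s3.encryption={enc!r}: expected aes256 or kms")

    if enc == "kms":
        if key_id == "":
            notes.append("s3.awsKmsKeyId empty: the account's default master key is used")
        elif not (ALIAS_RE.match(key_id) or KEY_ARN_RE.match(key_id)):
            errors.append(f"s3.awsKmsKeyId={key_id!r}: not a key alias or KMS key ARN")
    elif key_id:
        notes.append("s3.awsKmsKeyId is set but s3.encryption is not kms")

    return errors, notes


if __name__ == "__main__":
    errors, notes = check_kms_config(parse_properties(SAMPLE_PROPERTIES))
    for msg in errors:
        print("ERROR:", msg)
    for msg in notes:
        print("NOTE: ", msg)
    print("config ok" if not errors else "config has errors")
```

Run it against a copy of your own alfresco-global.properties by replacing `SAMPLE_PROPERTIES` with the file contents; an empty `errors` list with a single "default master key" note is the expected result when you intentionally skipped step 3.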