CPM supports custom encryption keys for DR
To support the usage of a custom encryption key for DR, you will need to perform the following:
In the account where the custom key resides:
- Go to KMS and browse to the key you wish to share.
- Go to the "Other AWS accounts" at the bottom of the page and click "Add other AWS accounts".
- Add the id of the DR account you wish to share the key with.
Go to the volume you wish to copy to DR account and/or region and add the following tag:
- The tag’s “key” = cpm_dr_encryption_key
- The tag’s “value” = The full arn of the encryption key you shared in item #1. For example- arn:aws:kms:us-east-1:123456789101:key/2eaadfb1-b630-4aef-9d90-2d0fb2061e05
- If you perform cross-region DR, you will need to have a key for each region as AWS does not allow sharing encryption keys across regions.
The tag’s “key” should include the region where the key is, for example- Ohio key tag will be: key = cpm_dr_encryption_key:us-east-2 , value = arn:aws:kms:us-east-2:123456789101:key/2eaadfb1-b630-4aef-9d90-2d0fb2061e05
If a matching encryption key is not found with an alias or with custom tags, the behaviour of the backup depends on the setting in the Encryption Key Detection list in the Security tab of the General Settings screen:
The setting options for the encryption key detection are:
- Use Default Key – If the encryption key is not matched, the default encryption key is used.
- Strict – DR encryption key must match, either with an alias or a custom tag.
- Use Default Key & Alert – Use the default key and send an alert.
For more details on this topic see this section of the CPM User Guide.
Reference feature number – N2WS-777. Added in 2.3.0d. Added RDS feature support in 2.4.0
Link to Release Notes and the latest patch –https://support.n2ws.com/portal/kb/articles/release-notes-for-the-latest-v2-4-x-cpm-release
Related Articles
DR snapshots may get encrypted with default encryption key on target region instead of custom key
This issue may occur if Encryption Keys list contains over a hundred of encryption keys. The below warning may appear in the backup log: Warning - Volume snapshot <snapshot_id> is encrypted with key from another account. Using default encryption on ...Add support for Cross account DR of RDS and Aurora snapshots which are encrypted with custom shared key
In version 2.3.0 a new feature was added- Support for Cross account DR of RDS and Aurora snapshots which are encrypted with custom encryption key. This feature was available only for EC2 resources. ...Cross-account DR may fail with the "Encrypted snapshots with EBS default key cannot be shared (OperationNotPermitted)" error
DR may fail with the "Encrypted snapshots with EBS default key cannot be shared (OperationNotPermitted)" error: Error - Volume DR copy snapshot failed for region Asia Pacific (Sydney), snapshot snap-0123456789abcdef (to DR account). Reason: Failed ...Cross account Recovery of an encrypted snapshot with shared custom encryption key may fail
Cross account recovery of an encrypted snapshot which is encrypted with a shared custom encryption key may fail when trying to recover a resource either from DR to backup account or from backup to DR account (same account recovery works). CPM server ...Cross-Region DR RDS backup may fail with "Copy failed due to an AWS limitation regarding default encryption key” error
RDS DR backup of encrypted snapshots between different regions may fail with the following error in the Backup log: Error - RDS DR, copy snapshot failed (to DR account) due to an AWS limitation regarding default encryption key (source US East (Ohio), ...