HipChat Datacenter AWS encryption at rest

Richard Chatterton November 13, 2017

We have a requirement for encryption at rest for everything we deploy in AWS, including on the root volumes for HipChat Datacenter EC2 instances. Boot/root volume encryption is typically accomplished in EC2 by creating or copying an AMI and encrypting it with your KMS key, then creating an instance from that encrypted AMI.

All of the guides and documentation I've seen so far have pointed toward using Atlassian-provided AMIs for HipChat Datacenter in AWS. These AMIs and their underlying snapshots appear to be set to not allow copying, which is the default. As a result, there's no way to copy them and encrypt them.

Does anyone have a workaround for encrypting the root volumes of HipChat Datacenter EC2 instances? Alternatively, the maintainers of the AMIs could consider opening up the permissions on the snapshots backing the AMIs to allow them to be copied.
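A check for the requirement stated in the question (every EBS volume, root included, encrypted with your own KMS key), as an added example that is not part of the original post: it audits the JSON printed by `aws ec2 describe-volumes`. The volume IDs, instance IDs and key ARNs below are constructed placeholders.

```python
"""Audit `aws ec2 describe-volumes` JSON against an encryption-at-rest policy."""

# Placeholder ARN for the customer-managed KMS key the policy requires (constructed).
REQUIRED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# Constructed sample in the shape of `aws ec2 describe-volumes` output; no real resources.
SAMPLE = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": REQUIRED_KEY,
     "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/sda1"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0222", "Device": "/dev/sda1"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID",
     "Attachments": [{"InstanceId": "i-0222", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0ddd", "Encrypted": False, "Attachments": []},
]}


def audit_volumes(describe_volumes, required_key=None):
    """Return (volume_id, instance_id, device, reason) for each policy violation.

    A volume fails if it is unencrypted, or if required_key is given and the
    volume is encrypted under a different key (e.g. the AWS-managed default key).
    Unattached volumes are reported too, with instance_id and device set to None.
    """
    findings = []
    for vol in describe_volumes.get("Volumes", []):
        if not vol.get("Encrypted", False):
            reason = "unencrypted"
        elif required_key and vol.get("KmsKeyId") != required_key:
            reason = "wrong-kms-key"
        else:
            continue  # compliant volume
        # One finding per attachment; a single empty record if unattached.
        for att in vol.get("Attachments") or [{}]:
            findings.append((vol["VolumeId"], att.get("InstanceId"),
                             att.get("Device"), reason))
    return findings


if __name__ == "__main__":
    for finding in audit_volumes(SAMPLE, REQUIRED_KEY):
        print(*finding, sep="\t")
```

To run it against a real account, parse the output of `aws ec2 describe-volumes --output json` with `json.load` and pass the result in place of `SAMPLE`.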

1 comment

Avinoam
Atlassian Team
November 14, 2017

Hi Richard,

Thank you for your query. Encryption at rest is a feature we're currently researching. To answer your question, at this time it's not advisable to turn on the AWS built-in encryption settings, since those are not supported and may have performance implications in Hipchat. Encryption at rest and end-to-end is something we're currently researching to offer as a supported feature in Hipchat in the future.

Please look at this HCPUB ticket: https://jira.atlassian.com/browse/HCPUB-1348. I would encourage you to watch and follow it, since it is where we will post upgrades, early access information and surveys. I would also encourage you to comment on the ticket with your preference as to whether you just need encryption at rest in the filesystems on the backend, and/or encryption at rest on desktop/mobile, and/or also need end-to-end encryption with your keys, as mentioned in the HCPUB ticket. Having that granular understanding will help deliver the right solution faster.

Thanks a lot for your time!

Avinoam

Richard Chatterton November 14, 2017

Thanks for the followup, Avinoam! I've commented on HCPUB-1348 as you suggested.

I understand that Atlassian may not be prepared to support AWS EBS volume encryption with HipChat Datacenter from a performance perspective, but this is a requirement for a number of our use cases. Even if it's not completely supported, opening up permissions on the AMIs to allow them to be copied could potentially allow us to fill these use cases. Allowing users to create their own copies of these AMIs would also allow us to deploy HipChat Datacenter in more regions than the four in which AMIs are currently provided, which is important for some of our use cases as well.
