HipChat Datacenter AWS encryption at rest

We have a requirement for encryption at rest for everything we deploy in AWS, including on the root volumes for HipChat Datacenter EC2 instances. Boot/root volume encryption is typically accomplished in EC2 by creating or copying an AMI and encrypting it with your KMS key, then creating an instance from that encrypted AMI.

All of the guides and documentation I've seen so far have pointed toward using Atlassian-provided AMIs for HipChat Datacenter in AWS. These AMIs and their underlying snapshots appear to be set to not allow copying, which is the default. As a result, there's no way to copy them and encrypt them.

Does anyone have a workaround for encrypting the root volumes of HipChat Datacenter EC2 instances? Alternatively, the maintainers of the AMIs could consider opening up the permissions on the snapshots backing the AMIs to allow them to be copied.

1 comment

Hi Richard,

 

Thank you for your query. Encryption at rest is a feature we're currently researching. To answer your question, at this time it's not advisable to turn on the AWS built in encryption settings since those are not supported and may have performance implications in Hipchat. Encryption at rest and end-to-end is something we're currently researching to offer as a supported feature in Hipchat, in the future.

Please look at this HCPUB ticket: https://jira.atlassian.com/browse/HCPUB-1348 and I would encourage you to watch and follow it since it is where we will post upgrades, early access information and surveys. I would also encourage you to comment on the ticket with your preference as to whether you just need encryption at rest in the filesystems on the backend and/or encryption at rest on desktop/mobile? and/or also need end-to-end encryption with your keys as mentioned in the HCPUB ticket. Having that granular understanding will help deliver the right solution faster.

Thanks a lot for your time!

Avinoam

Thanks for the followup, Avinoam! I've commented on HCPUB-1348 as you suggested.

I understand that Atlassian may not be prepared to support AWS EBS volume encryption with HipChat Datacenter from a performance perspective, but this is a requirement for a number of our use cases. Even if it's not completely supported, opening up permissions on the AMIs to allow them to be copied could potentially allow us to fill these use cases. Allowing users to create their own copies of these AMIs would also allow us to deploy HipChat Datacenter in more regions than the four in which AMIs are currently provided, which is important for some of our use cases as well.

Comment

Log in or Sign up to comment
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published Mar 26, 2018 in Hipchat Data Center

Migration of Hipchat server to Data Center - a retrospective

Background While our Hipchat server environment was reliable and performing well, as a significant and growing part of our business, the need to leverage the benefits of Hipchat Data Center&nbs...

532 views 2 7
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you