HipChat Datacenter AWS encryption at rest

Richard Chatterton Nov 13, 2017

We have a requirement for encryption at rest for everything we deploy in AWS, including on the root volumes for HipChat Datacenter EC2 instances. Boot/root volume encryption is typically accomplished in EC2 by creating or copying an AMI and encrypting it with your KMS key, then creating an instance from that encrypted AMI.

All of the guides and documentation I've seen so far have pointed toward using Atlassian-provided AMIs for HipChat Datacenter in AWS. These AMIs and their underlying snapshots appear to be set to not allow copying, which is the default. As a result, there's no way to copy them and encrypt them.

Does anyone have a workaround for encrypting the root volumes of HipChat Datacenter EC2 instances? Alternatively, the maintainers of the AMIs could consider opening up the permissions on the snapshots backing the AMIs to allow them to be copied.

1 comment

Avinoam Zelenko Atlassian Team Nov 14, 2017

Hi Richard,

Thank you for your query. Encryption at rest is a feature we're currently researching. To answer your question, at this time it's not advisable to turn on the AWS built-in encryption settings since those are not supported and may have performance implications in Hipchat. Encryption at rest and end-to-end is something we're currently researching to offer as a supported feature in Hipchat in the future.

Please look at this HCPUB ticket: https://jira.atlassian.com/browse/HCPUB-1348. I would encourage you to watch and follow it, since it is where we will post upgrades, early access information and surveys. I would also encourage you to comment on the ticket with your preference as to whether you just need encryption at rest in the filesystems on the backend, and/or encryption at rest on desktop/mobile, and/or also need end-to-end encryption with your keys, as mentioned in the HCPUB ticket. Having that granular understanding will help deliver the right solution faster.

Thanks a lot for your time!

Avinoam

Richard Chatterton Nov 14, 2017

Thanks for the follow-up, Avinoam! I've commented on HCPUB-1348 as you suggested.

I understand that Atlassian may not be prepared to support AWS EBS volume encryption with HipChat Datacenter from a performance perspective, but this is a requirement for a number of our use cases. Even if it's not completely supported, opening up permissions on the AMIs to allow them to be copied could potentially allow us to fill these use cases. Allowing users to create their own copies of these AMIs would also allow us to deploy HipChat Datacenter in more regions than the four in which AMIs are currently provided, which is important for some of our use cases as well.
