Hello Everyone,
I am looking for some guidance on using the KMS to encrypt. Any suggestions on how to achieve this would be very helpful.
I will explain the sequence of steps that I have followed.
Before I started the process, the Conjur Master was configured and running, and the database was not encrypted (default settings).
I assigned an EC2 role to the instance to make sure it has permissions to create the IAM roles and the keys in KMS.
I ran the command “evoke keys kms”. It created a KMS key and also created a role named conjur-appliance. It also created an encrypted key with the name kms_master_key.us-east-2.enc in /opt/conjur/etc.
From the documentation, what I am not clear on is whether I should create the master key myself using the process explained in this bookmark
and then use the Amazon CLI to encrypt the master key that is created, or whether the evoke KMS keys command will do that.
Also, I am not very sure how the Conjur Appliance role is being used. Should it be assigned to all the instances where Conjur HA Cluster nodes are running?
I am using Docker CE and deployed the Conjur appliance on an Amazon Linux 2 AMI. Thank you.