Encrypting Grafana Mimir data at rest
Grafana Mimir supports encrypting data at rest in object storage using server-side encryption (SSE). Configuration of SSE depends on your storage backend.
Google Cloud Storage
Google Cloud Storage (GCS) encrypts data before writing it to disk. SSE is enabled by default and you cannot turn it off. For more information about GCS encryption at rest, refer to Data encryption options. Grafana Mimir requires no additional configuration to use GCS with SSE.
Configuring SSE with AWS S3 requires configuration in the Grafana Mimir S3 client.
The S3 client is only used when the storage backend is
Grafana Mimir supports the following AWS S3 SSE modes:
- Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
- Server-Side Encryption with KMS keys Stored in AWS Key Management Service (SSE-KMS)
You can configure AWS S3 SSE globally or for specific tenants.
Configuring AWS S3 SSE globally
Configuring AWS S3 SSE globally requires setting SSE for each of the following storage backends:
For more information about AWS S3 SSE configuration parameters, refer to s3_storage_backend.
The following code sample shows a snippet of a Grafana Mimir configuration file with every backend storage configured to use AWS S3 SSE with an Amazon S3-managed key.
alertmanager_storage:
  backend: "s3"
  s3:
    sse:
      type: "SSE-S3"
blocks_storage:
  backend: "s3"
  s3:
    sse:
      type: "SSE-S3"
ruler_storage:
  backend: "s3"
  s3:
    sse:
      type: "SSE-S3"
Configuring AWS S3 SSE for a specific tenant
You can use the following settings to override AWS S3 SSE for each tenant:
S3 server-side encryption type. This setting must be applied to enable the SSE configuration override for a given tenant.
S3 server-side encryption KMS Key ID. This setting is ignored if the SSE type override is not set or the type is not
S3 server-side encryption KMS encryption context. If this setting is not applied, and the key ID override is set, the encryption context is not provided to S3. This setting is ignored if the SSE type override is not set or the type is not
To configure AWS S3 SSE for a specific tenant:
Ensure Grafana Mimir uses a runtime configuration file by verifying that the flag -runtime-config.file is set to a non-null value. For more information about supported runtime configuration parameters, refer to Runtime configuration.
In the runtime configuration file, apply the
A partial runtime configuration file that has AWS S3 SSE with Amazon S3-managed keys set for a tenant called “tenant-a” appears as follows:
overrides:
  "tenant-a":
    s3_sse_type: "SSE-S3"
Save and deploy the runtime configuration file.
After -runtime-config.reload-period has elapsed, components reload the runtime configuration file and use the updated configuration.
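The global and per-tenant rules above can be checked before deployment. The following is an added example, not part of the Grafana Mimir documentation or code base: it lints an already-parsed configuration and runtime file for S3 backends that do not set an SSE type and for tenant KMS overrides that would be ignored. The function names and sample values are constructed; the override names s3_sse_kms_key_id and s3_sse_kms_encryption_context and the SSE-KMS condition are assumptions taken from Mimir's configuration reference, not from this page.

```python
# Added example (not Grafana Mimir code): lint parsed configuration for SSE gaps.
# Pass dicts loaded from the YAML files, for example with yaml.safe_load.
BACKENDS = ("alertmanager_storage", "blocks_storage", "ruler_storage")
SSE_TYPES = ("SSE-S3", "SSE-KMS")
# Tenant override names for the KMS settings; assumed from Mimir's limits reference.
KMS_OVERRIDES = ("s3_sse_kms_key_id", "s3_sse_kms_encryption_context")


def audit_global(config):
    """Flag S3-backed storage sections that do not set a supported SSE type."""
    findings = []
    for name in BACKENDS:
        section = config.get(name) or {}
        if section.get("backend") != "s3":
            continue  # the SSE settings belong to the S3 client only
        sse_type = ((section.get("s3") or {}).get("sse") or {}).get("type")
        if sse_type not in SSE_TYPES:
            findings.append(f"{name}: SSE type is {sse_type!r}")
    return findings


def audit_overrides(runtime):
    """Flag tenant overrides that are invalid or that would be ignored."""
    findings = []
    for tenant, limits in sorted((runtime.get("overrides") or {}).items()):
        limits = limits or {}
        sse_type = limits.get("s3_sse_type")
        if sse_type is not None and sse_type not in SSE_TYPES:
            findings.append(f"{tenant}: unsupported s3_sse_type {sse_type!r}")
        ignored = [k for k in KMS_OVERRIDES if k in limits]
        if ignored and sse_type != "SSE-KMS":
            findings.append(f"{tenant}: {', '.join(ignored)} ignored")
    return findings


# Constructed sample input: the ruler section is missing its sse block, and
# tenant-b sets a KMS key ID (placeholder value) without the type override.
SAMPLE_CONFIG = {
    "alertmanager_storage": {"backend": "s3", "s3": {"sse": {"type": "SSE-S3"}}},
    "blocks_storage": {"backend": "s3", "s3": {"sse": {"type": "SSE-S3"}}},
    "ruler_storage": {"backend": "s3", "s3": {}},
}
SAMPLE_RUNTIME = {"overrides": {
    "tenant-a": {"s3_sse_type": "SSE-S3"},
    "tenant-b": {"s3_sse_kms_key_id": "EXAMPLE-KEY-ID"},
    "tenant-c": {"s3_sse_type": "SSE-KMS", "s3_sse_kms_key_id": "EXAMPLE-KEY-ID"},
}}

if __name__ == "__main__":
    for line in audit_global(SAMPLE_CONFIG) + audit_overrides(SAMPLE_RUNTIME):
        print(line)
```

A finding on a global section means Mimir itself is not requesting SSE for that backend; any default encryption configured on the bucket is outside what this check sees.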
Other storage backends might support encryption at rest if it is configured at the storage level.