AWS Question - Image encryption using KMS

Hello all

When creating an image in AWS I couldn’t find a configuration option to create it encrypted using a KMS key. Is this possible?

Thanks and regards,
Ernesto Medina.

There’s no option for that today but if it’s just the image I don’t think this would be hard to put in.

That would be really practical because it simplifies the build (CI) process.

FYI - we merged initial support for toggling KMS via adding in initial KMS by eyberg · Pull Request #1555 · nanovms/ops · GitHub . You can either set it to ‘default’ to use the AWS default or give it an arn for a key.

1 Like

I tried using a “KMS” key in my config.json at the top level and within different blocks but it didn’t work. Looking forward to that documentation :slight_smile:

Thanks in advance,

The KMS key is supposed to go in the CloudConfig JSON attribute of the Ops configuration file. Example:

  "CloudConfig" : {
    "ProjectID": "my-project",
    "Zone": "ap-northeast-1a",
    "BucketName": "my-bucket",
    "Flavor": "t4g.nano",
    "EnableIPv6": true,
    "KMS": "default"

Are you using the latest Ops version 0.1.40? Or did you build Ops from source?

It’s not available for brew/mac yet.

% brew upgrade ops
Running `brew update --auto-update`...
==> Auto-updated Homebrew!
Updated 2 taps (homebrew/core and homebrew/cask).
==> New Casks
brightintosh                        hapigo                              navigraph-simlink                   vimcal
cardo-update                        navigraph-charts                    senabluetoothdevicemanager          wiso-steuer-2024

Warning: nanovms/ops/ops 0.1.39_1 already installed

Should I manually install it with curl?
Or is this something that can easily be updated on your end?


I updated it with curl and tested it, it works,

This post can be closed.

Thank you very much,

Yeh - we haven’t automated the version updating of the brew tap yet - it’s still on 0.1.39, but latest 0.1.40 will have that.