Connections > Amazon Redshift V2 connection properties > Enable encryption
  

Enable encryption

You can enable client-side and server-side encryption in the Amazon Redshift V2 connection for staging data in Amazon S3.
Complete the prerequisites based on the type of encryption that you want to configure in the Amazon Redshift V2 connection.
Client-side encryption
Client-side encryption requires a 256-bit AES encryption key in the Base64 format. You can generate a key using a third-party tool.
Specify the key value in the Master Symmetric Key field when you create an Amazon Redshift V2 connection.
Server-side encryption
To enable server-side encryption, create an AWS Key Management Service (AWS KMS)-managed customer master key.
Generate the customer master key ID for the same region where your Amazon S3 staging bucket resides. For more information about generating a customer master key, see the AWS documentation.
To enable encryption with the customer master key, you need to create a minimal KMS policy. You can specify the customer master key ID when you create an Amazon Redshift V2 connection.
Note: You cannot configure server-side encryption with the master symmetric key and client-side encryption with the customer master key.

Create a minimal policy for using AWS KMS

To use the AWS Key Management Service (AWS KMS)-managed customer master key and enable the encryption with KMS, you must create a KMS policy.
You can perform the following operations to enable encryption with KMS:
Sample policy:
{
"Version":"2012-10-17",
"Statement":[
{ "Effect":"Allow",
"Action":
[ "kms:GenerateDataKey", "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*" ],
"Resource": ["arn:aws:kms:region:account:key/<KMS_key>"]
}
]
}
When you configure KMS and access an Amazon S3 endpoint in the China region, use the following sample policy:
{
"Version":"2012-10-17",
"Statement":[
{ "Effect":"Allow",
"Action":[ "kms:GenerateDataKey", "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*" ],
"Resource": ["arn:aws-cn:kms:region:account:key/<KMS_key>"]
}
]
}