To protect sensitive data, you can encrypt Teradata data volumes by setting the EBS Encryption parameter when deploying a Teradata ecosystem or deploying Teradata Database separately. EBS Encryption uses a default customer master key (CMK) to encrypt data volumes when using either deployment.
You can also encrypt the root disk by setting the Root Disk Encryption parameter when deploying a Teradata ecosystem or deploying Teradata Database separately. Root Disk Encryption uses a default CMK to encrypt the root volume when using either deployment.
Encryption of Teradata data volumes and the root disk is supported only for m4 instance types for the Base, Advanced, and Enterprise tiers.
If you create and manage a CMK using the AWS Key Management Service or bring your own encryption keys, Teradata refers to these as non-default CMKs. To encrypt the the data volumes or root disk using a non-default CMK, a custom CMK encryption AWS CloudFormation template is required, but is not available on the AWS Marketplace. Due to the complexity of this process, you must contact Teradata Professional Services to schedule an appointment so they can provide the template and assistance.
If a node fails, the replacement node inherits the encryption setting of the failed node.
If you are unfolding, the new nodes inherit the encryption setting.
If you deploy AWS systems using AWS Marketplace products with multiple AWS accounts, the custom CMK encryption AWS CloudFormation template needs modifications. You must contact Teradata Professional Services.