Amazon Redshift will no longer support the creation of new Python UDFs starting Patch 198. Existing Python UDFs will continue to function until June 30, 2026. For more information, see the [ blog post ](https://amazonaws-china.com/blogs/big-data/amazon-redshift-python-user-defined-functions-will-reach-end-of-support-after-june-30-2026/). 

# Changing cluster encryption
<a name="changing-cluster-encryption"></a>

You can modify an unencrypted cluster to use Amazon Key Management Service (Amazon KMS) encryption using either an Amazon-owned key or a customer managed key. When you modify your cluster to enable Amazon KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster. You can also migrate an encrypted cluster to an unencrypted cluster by modifying the cluster with the Amazon CLI, but not with the Amazon Web Services Management Console.

During the migration operation, your cluster is available in read-only mode, and the cluster status appears as **resizing**. 

If your cluster is configured to enable cross-Amazon Region snapshot copy, you must disable it before changing encryption. For more information, see [Copying a snapshot to another Amazon Region](cross-region-snapshot-copy.md) and [Configuring cross-Region snapshot copy for an Amazon KMS–encrypted cluster](xregioncopy-kms-encrypted-snapshot.md). You can't enable hardware security module (HSM) encryption by modifying the cluster. Instead, create a new, HSM-encrypted cluster and migrate your data to the new cluster. For more information, see [Migrating to an HSM-encrypted cluster](migrating-to-an-encrypted-cluster.md). 

------
#### [ Amazon Redshift console ]

1. Sign in to the Amazon Web Services Management Console and open the Amazon Redshift console at [https://console.amazonaws.cn/redshiftv2/](https://console.amazonaws.cn/redshiftv2/).

1. On the navigation menu, choose **Clusters**, then choose the cluster that you want to modify encryption.

1. Choose **Properties**.

1. In the **Database configurations** section, choose **Edit**, then choose **Edit encryption**. 

1. Choose one of the encryption options and choose **Save changes**.

------
#### [ Amazon CLI ]

To modify your unencrypted cluster to use Amazon KMS, run the `modify-cluster` CLI command and specify `–-encrypted`, as shown following. By default, your default KMS key is used. To specify a customer managed key, include the `--kms-key-id` option.

```
aws redshift modify-cluster --cluster-identifier <value> --encrypted --kms-key-id <value>
```

To remove encryption from your cluster, run the following CLI command.

```
aws redshift modify-cluster --cluster-identifier <value> --no-encrypted
```

------