All about Amazon EBS Volume Encryption

All about Amazon EBS Volume Encryption

EBS Volume Encryption Key Points

  • Encryption is supported by all EBS volume types.
  • Amazon EBS offers volume encryption capability.
  • The volume key is encrypted under a KMS key in your account.
  • Amazon EBS must have access to generate a volume key (VK) under a KMS key in the account. We must grant access permission for Amazon EBS to use the KMS key to create data keys and to encrypt and decrypt EBS Volumes.
  • Amazon EBS can use AWS KMS with a "KMS key" to generate KMS encrypted volume keys. Cxs aren't required to build, maintain, and secure their own key management infrastructure.
  • Amazon EBS does not support asymmetric encryption KMS keys.
    Main Difference between Asymmetric and Symmetric Encryption Types here
  • EBS encrypts your volume with a data key using the industry-standard AES-256 XTS algorithm. Your data key is stored on disk with your encrypted data, but not before EBS encrypts it with your KMS key. Your data key never appears on disk in plaintext.The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots if the volumes are encrypted using the same KMS key as the snapshot.
  • We can manage(enable/disable) encryption by default and the default KMS key using API actions and CLI commands.

When will EBS Volume be encrypted and unencrypted during EBS Operations

When we create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

  • Data at rest inside the volume
  • All data moving between the volume and the instance
  • All snapshots created from the encrypted volume
  • All volumes/ami created from those snapshots

An AWSome picture representation of encrypted and unencrypted volumes during EBS Operations. Thanks to Matt Phillipy. screely-1662603985724.png

How-To Convert Unencrypted Volumes to Encrypted EBS Volumes

Step 1: On your EC2 instance with Volumes are UnEncrypted screely-1662606838438.png Step 2: Create a Snapshot from unencrypted volume. screely-1662607099712.png NOTE : It is not recommended to create Snapshot of Volume while data is being read/written on EBS storage. Reason being, While snapshot is getting created or during the creation, It would not have new data of Running EBS volume and drift will occur of data in the snapshot and new data. So better to Stop your EC2 instance before Converting Volume Encryption / snapshot operation.

Step 3: Volume Snapshots will be unencrypted since it was created from unencrypted Volumes. screely-1662607345432.png Step 4: Two Options.
1st Option: Create Encrypted Volume from a Snapshot.
Note : No Option to change Region. screely-1662608737686.png screely-1662608748729.png

Copy unencrypted Volume snapshot to an encrypted Volume snapshot.
Note : Can change the Region of Copied Snapshot. screely-1662609109106.png screely-1662609120389.png screely-1662609523707.png screely-1662609892933.png See all the Volumes attached and not attached to instances with encryption status. Go to Step 5 screely-1662610062466.png Step 5: Detach the original EBS volume and attach your new encrypted EBS volume, making sure to match the device name (/dev/xvda1, etc.) screely-1662610365954.png screely-1662610374863.png

screely-1662611165341.png Successfully running "TestVM" with attached Encrypted Volumes.

How-to TURN-ON automatic encryption of new Amazon EBS volumes and snapshot copies?

screely-1662603116477.png screely-1662603170223.png

  1. Open the Amazon EC2 console.
  2. Select the Region from the drop-down menu.
  3. On the EC2 Dashboard, under Account Attributes, select Settings.
  4. Under EBS Storage, select Always encrypt new EBS volumes.
  5. Select Change the default key and choose any of your keys (default/CMKs) as the Default encryption key.
    Select Save Settings by Update EBS Encryption.

Encryption scenarios



Thank you for reading and/or following along with the Blog.

Happy Learning.

Like and Follow for more Azure and AWS Content.

Jineshkumar Patel