Encrypting Amazon EBS Volumes

  • by Emre Yilmaz
  • Dec 4, 2018
  • AWS, DevOps
  • Istanbul
Encrypting Amazon EBS Volumes

Today, encrypting data at rest is crucial for enhancing security of our applications. Besides, it might be a requirement for your compliance regulations. Whatever the reason is, it is a best practice to encrypt your Amazon Elastic Block Storage (EBS) volumes. In this post, I will show you how to encrypt an Amazon EBS volume using its integration with Amazon Key Management Service (KMS).

What is Amazon KMS?

Amazon EBS is integrated with Amazon KMS to provide encryption. Without KMS, you would need a key management infrastructure to keep your encryption keys safe and use them efficiently. Amazon KMS provides these features out of the box as a managed service.

On Amazon KMS, the encryption keys or called Customer Master Keys (CMKs) and there are three types of CMKs:

  • Customer Managed CMKs: These are CMKs that you created directly using Amazon KMS. You own, manage them and have full control. These keys can incur monthly costs when usage exceeds free tier and they are subject to account limits.

  • AWS managed CMKs: These are CMKs created by AWS services integrated with KMS on your behalf and we will use one of them in this post. You can view these keys, but you cannot manage them. The AWS service created it handles the management. These keys do not have monthly fees, but they can have usage fees according to AWS services that make use of them. They are not counted againts your limit for KMS keys in the region as well.

  • AWS owned CMKS: These CMKs are owned and managed by AWS. They can be used by AWS services to protect your data and they are not subject to KMS costs or limits.

Amazon EBS creates an AWS-managed CMK automatically when you encrypt a volume. You can use this CMK or create a customer-managed CMK to use in the encryption process. Now, let’s continue with EBS encryption.

Amazon EBS Encryption Concepts

When you encrypt an EBS volume, all these resources are encrypted as well:

  • As you would expect, data at rest inside the volume is encrypted.

  • When you attach this EBS volume to an EC2 instance, all communication between that instance and EBS volume is encrypted.

  • When you create a snapshot from an EBS volume, the snapshot is also encrypted.

  • When you create a volume from an encrypted snapshot, the new volume is also encrypted.

All current EBS types supports encryption. But, only certain EC2 instance types support encrypted EBS volumes. However, I can say that the most of the latest instance types support them such as t2, m4, m5, etc.

Creating Encrypted EBS Volumes

There are two ways of creating an encrypted EBS volume: Either you will enable encryption when creating it or you will create it from an encrypted snapshot.

Creating an encrypted EBS volume from scratch

You can choose to encrypt an EBS volume during EBS volume creation on Amazon EC2 Management Console. As you can see below, there is an option for encryption as below.

Creating an EBS volume

When you select Encrypt this volume option, a select box appears which displays CMKs available that can be used in this encryption. As you can see, Amazon EBS has created one for me as an AWS-managed CMK.

Enabling encryption while creating an EBS volume 1

After you select the key, the details about it displayed below the selection.

Enabling encryption while creating an EBS volume 2

After creating the volume you can access encryption information from the description panel. As you can see below, KMS Key ID, aliases (which would be also aws/ebs if you select AWS-managed key) and its Key ARN.

Displaying encryption details of an EBS volume

You can also view the encryption information on the list if you scroll right.

Displaying encryption of an EBS volume list

Creating snapshots from an encrypted EBS volume

When you create a snapshot from an encrypted EBS volume, it is automatically encrypted. On snapshot creation, you can display this information as below.

Creating snapshots from an encrypted EBS Volume

However,if you create a snapshot from an unencrypted volume, this time encryption information is Not encrypted.

Creating snapshots from an unencrypted EBS Volume

After creating an encrypted snapshot, you can view the encryption details from the description panel similar to the EBS volume it was created from.

Displaying encryption details of an EBS snapshot

Creating an encrypted EBS volume from an encrypted EBS snapshot

It is simple to create an encrypted snapshot from an encrypted EBS volume. In contrast to creating an EBS volume from scratch, this time nor you can select whether it will be encrypted not you can change the encryption key. It gets the encryption details from the snapshot. As you can see, you cannot create an unencrypted volume from an encrypted snapshot.

Creating an EBS volume from an encrypted EBS snapshot

Similarly, you cannot create an encrypted volume from an unencrypted EBS snapshot directly. As you can see below, it is decided as Not encrypted when you try to do so.

Creating an EBS volume from an unencrypted EBS snapshot

Creating an encrypted EBS volume from an unencrypted one

You cannot encrypt an unencrypted volume after creating it. However, you can create a new encrypted one from it. There is no direct way to achieve this. You need to create a snapshot which will be unencrypted as we discussed above and create an encrypted snapshot from this unencrypted snapshot by copying it.

When you try to copy an unencrypted snapshot, you will see an encryption option as below.

Copying an unencrypted EBS snapshot

Similar to creating a new EBS volume, when you select Encrypt this snapshot, a list for existing CMKs will be displayed.

Creating an encrypted snapshot from an unencrypted one

After creating your encrypted snapshot, you can use it to create an encrypted EBS volume using the same steps we discussed earlier.

How about creating an unencrypted volume from an encrypted one?

You cannot remove encryption from an encrypted snapshot by copying it and you cannot create an unencrypted volume from an encrypted one. The only way is mounting both encrypted and unencrypted volumes on an EC2 instance and copying the data between them using tools like rsync.

Conclusion

Encrypting data at rest is simple on AWS when using Amazon EBS volumes and it is a best practice. There is practically no downside in terms of performance and it will obviously enhance your applications’ security even if you use them only in private subnets. Hence, it is time to start encrypting your volumes if you have not done this yet.

Creating an encrypted AMI is mostly similar to enabling encryption on EBS volumes. However, we can also take a look at it in the following blog posts.

Thanks for reading!

References

...

CEO @ Shikisoft

AWS Certified Solutions Architect & DevOps Engineer - Professional

Follow