EBS volume encryption uses EC2 host hardware to encrypt data at rest and in transit between EBS and EC2 instances.
- KMS (Key Management Service) generates a Data Encryption Key (DEK) from a Customer Master Key (CMK) in each region. A unique DEK encrypts each volume, and snapshots of that volume are encrypted with the same DEK.
- The encrypted DEK (stored with the volume) is decrypted by KMS using the CMK and handed to the EC2 host.
- The decrypted (plaintext) DEK is held in EC2 host memory while the volume is active and is used to encrypt and decrypt data. The plaintext DEK is discarded when the instance is rebooted, so KMS must resend it.
- Case 1: Encrypting a new EBS volume
  - Select the "Encrypt" option while creating the instance.
  - When you enable encryption for EBS, you can override the default key and select a symmetric customer-managed CMK. EBS does not support asymmetric CMKs.
  - You can also encrypt data client-side before writing it to EBS by calling the KMS API.
- Case 2: Encrypting an existing unencrypted EBS volume
  - You cannot directly enable encryption on an existing unencrypted volume.
  - Use operating-system-level encryption such as BitLocker.
  - Take a snapshot of the volume and create an encrypted copy of the snapshot (volumes created from that copy are encrypted).
  - If you need to use the volume as a root volume, build an AMI from the encrypted volume and deploy the AMI.
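The two cases above as an AWS CLI script, added here as an example and not taken from the notes or from AWS documentation: `create_encrypted_volume` covers Case 1 (a new volume with a customer-managed CMK), and `encrypt_volume` covers Case 2 (snapshot, encrypted copy of the snapshot, new volume from the copy, verification, cleanup of the unencrypted snapshot). The volume id, the key alias `alias/ebs-cmk`, the region and the `DRY_RUN` switch are assumptions of this script; it requires the `aws` CLI with credentials allowed to call the EC2 and KMS APIs used.

```shell
#!/bin/sh
# Hypothetical helper for encrypting EBS volumes with a customer-managed CMK.
# Usage: ./ebs-encrypt.sh encrypt vol-0123456789abcdef0 alias/ebs-cmk us-east-1
#        ./ebs-encrypt.sh create us-east-1a 20 alias/ebs-cmk us-east-1
# Set DRY_RUN=1 to print the AWS CLI calls (to stderr) instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Every AWS call goes through here so the whole procedure can be rehearsed.
aws_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'aws %s\n' "$*" >&2
    printf 'dry-run\n'            # placeholder for the id the real call returns
    return 0
  fi
  aws "$@"
}

# Accept only well-formed volume ids (vol- plus 8 or 17 hex chars) so that a
# malformed or injected value never reaches the CLI.
is_volume_id() {
  printf '%s' "$1" | grep -Eq '^vol-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Case 1: create a new volume encrypted with the customer-managed CMK instead
# of the account default key. Prints the new volume id.
create_encrypted_volume() {
  az="$1"; size_gib="$2"; key="$3"; region="$4"
  aws_cmd ec2 create-volume --region "$region" --availability-zone "$az" \
    --size "$size_gib" --volume-type gp3 --encrypted --kms-key-id "$key" \
    --query VolumeId --output text
}

# Case 2: re-encrypt an existing unencrypted volume. Prints the new volume id.
encrypt_volume() {
  vol="$1"; key="$2"; region="$3"
  is_volume_id "$vol" || { echo "refusing malformed volume id: $vol" >&2; return 2; }

  # 1. Snapshot the unencrypted volume. This snapshot is unencrypted as well.
  snap=$(aws_cmd ec2 create-snapshot --region "$region" --volume-id "$vol" \
    --description "pre-encryption copy of $vol" --query SnapshotId --output text)
  aws_cmd ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap" >/dev/null

  # 2. Copy the snapshot with encryption enabled. --kms-key-id overrides the
  #    default aws/ebs key with the symmetric customer-managed CMK.
  enc_snap=$(aws_cmd ec2 copy-snapshot --region "$region" --source-region "$region" \
    --source-snapshot-id "$snap" --encrypted --kms-key-id "$key" \
    --description "encrypted copy of $snap" --query SnapshotId --output text)
  aws_cmd ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc_snap" >/dev/null

  # 3. Create the replacement volume in the same AZ; it inherits the
  #    snapshot's encryption and key.
  az=$(aws_cmd ec2 describe-volumes --region "$region" --volume-ids "$vol" \
    --query 'Volumes[0].AvailabilityZone' --output text)
  new_vol=$(aws_cmd ec2 create-volume --region "$region" --availability-zone "$az" \
    --snapshot-id "$enc_snap" --query VolumeId --output text)
  aws_cmd ec2 wait volume-available --region "$region" --volume-ids "$new_vol" >/dev/null

  # 4. Verify before trusting the result: Encrypted must be True.
  enc=$(aws_cmd ec2 describe-volumes --region "$region" --volume-ids "$new_vol" \
    --query 'Volumes[0].Encrypted' --output text)
  if [ "$DRY_RUN" != "1" ] && [ "$enc" != "True" ]; then
    echo "volume $new_vol is NOT encrypted, aborting" >&2
    return 1
  fi

  # 5. Remove the plaintext snapshot so no unencrypted copy of the data remains.
  #    The original volume is left for the operator to detach and delete.
  aws_cmd ec2 delete-snapshot --region "$region" --snapshot-id "$snap" >/dev/null
  printf '%s\n' "$new_vol"
}

if [ $# -gt 0 ]; then
  case "$1" in
    encrypt) shift; encrypt_volume "$@" ;;
    create)  shift; create_encrypted_volume "$@" ;;
    *) echo "usage: $0 encrypt VOL KEY REGION | create AZ SIZE_GIB KEY REGION" >&2; exit 2 ;;
  esac
fi
```

The script replaces the volume rather than converting it in place, which is why step 3 creates a new id and why the root-volume case still needs an AMI built from the encrypted volume. Rehearse it with `DRY_RUN=1` first; the printed `copy-snapshot` call is the one that must carry `--encrypted --kms-key-id`. Enabling EBS encryption by default for the region stops new unencrypted volumes from appearing, but it does not retroactively encrypt existing ones, so the Case 2 procedure is still needed for those.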