[AWS Architect] (41) EBS Encryption

EBS volume encryption is performed on the EC2 host that runs the instance, not inside the guest OS, so data is encrypted (AES-256) at rest on the volume and in its snapshots, and in transit between the instance and the volume. The guest sees plain block storage and needs no encryption software of its own.


  • KMS (Key Management Service) generates a Data Encryption Key (DEK) from a Customer Master Key (CMK, now called a KMS key) that lives in one region. Each volume gets its own unique DEK. Snapshots of that volume, and volumes restored from those snapshots, are encrypted with the same DEK; only copying an unencrypted snapshot with encryption turned on produces a fresh DEK.
  • Only the encrypted (wrapped) DEK is stored with the volume. When the volume is attached, EC2 sends the wrapped DEK to KMS, which decrypts it with the CMK and returns the plaintext DEK to the EC2 host. This call needs decrypt permission on the CMK, so a key policy or IAM change can break attachment even though the data itself is untouched.
  • The plaintext DEK is held only in the EC2 host's memory while the volume is attached, and is used there to encrypt and decrypt I/O. It is discarded when the volume is detached or the instance is stopped; on the next attach KMS has to decrypt the wrapped DEK again. If the CMK has been disabled or scheduled for deletion by then, that decrypt fails and the volume cannot be attached.

Use Cases

  • Case 1: Encrypting a new EBS volume
    1. Select the “Encrypt” option for the volume when launching the instance or creating the volume; snapshots taken from it are then encrypted automatically.
    2. When you enable encryption you can override the default AWS managed key (aws/ebs) and select a symmetric customer-managed CMK. EBS does not support asymmetric CMKs.
    3. Turning on EBS “encryption by default” for the account and region makes every new volume, and every snapshot copy, encrypted without selecting the option each time; it is the setting to check if unencrypted volumes keep appearing.
    4. Independently of volume encryption, an application can encrypt data before it is written to EBS by calling the KMS API (GenerateDataKey) itself. That is client-side encryption and protects the data against anyone who can attach the volume, which volume encryption alone does not.
  • Case 2: Encrypting an existing unencrypted EBS volume
    1. You cannot enable encryption on an existing unencrypted volume in place.
    2. One option is operating-system level encryption such as BitLocker (or LUKS on Linux), which encrypts inside the guest and does not involve EBS or KMS at all.
    3. Otherwise take a snapshot of the volume, copy the snapshot with encryption enabled (choosing the CMK if you do not want the default key), create a new volume from the encrypted copy, then detach the old volume and attach the new one in its place. The original snapshot and volume stay unencrypted and should be deleted once the new volume is verified.
    4. If it is the root volume, register an AMI whose root device maps to the encrypted snapshot (or create an AMI from an instance whose root volume is already encrypted) and launch replacement instances from that AMI.
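The key hierarchy above (one CMK that never leaves KMS, one DEK per volume, the plaintext DEK cached on the host only while attached) and the snapshot-copy procedure of Case 2 can be modelled end to end. The following is an added example, not code from this page or from AWS. It assumes stand-ins throughout: an HMAC-SHA256 keystream in place of AES-256, an in-memory `Kms` class in place of the regional KMS service, and plain `Volume`, `Ebs` and `Ec2Host` objects in place of the real services. The method names (`generate_data_key`, `decrypt`, `copy_snapshot`, ...) mirror the AWS API operations they stand for but are not the boto3 API.

```python
import hashlib, hmac, os, uuid

def xor_keystream(key, nonce, data):
    """Toy CTR-style keystream cipher standing in for AES-256 (NOT what EBS uses)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class Kms:
    """Stand-in for the regional KMS service: CMK material never leaves this object."""
    def __init__(self):
        self._cmks = {}  # key_id -> [material, enabled]

    def create_key(self):
        key_id = str(uuid.uuid4())  # 36 chars, used as a fixed-width header in wrapped DEKs
        self._cmks[key_id] = [os.urandom(32), True]
        return key_id

    def disable_key(self, key_id):
        self._cmks[key_id][1] = False

    def _material(self, key_id):
        material, enabled = self._cmks[key_id]
        if not enabled:
            raise PermissionError("DisabledException: " + key_id)
        return material

    def generate_data_key(self, key_id):
        """Like GenerateDataKey: returns (plaintext DEK, DEK wrapped under the CMK)."""
        dek, nonce = os.urandom(32), os.urandom(16)
        return dek, key_id.encode() + nonce + xor_keystream(self._material(key_id), nonce, dek)

    def decrypt(self, wrapped):
        """Like Decrypt: unwrap a DEK; the CMK id is read from the blob itself."""
        key_id, nonce, ct = wrapped[:36].decode(), wrapped[36:52], wrapped[52:]
        return xor_keystream(self._material(key_id), nonce, ct)

class Volume:
    """A volume or snapshot: data plus the wrapped DEK, never the plaintext DEK."""
    def __init__(self, data=b"", wrapped_dek=None, nonce=b""):
        self.id = str(uuid.uuid4())
        self.data, self.wrapped_dek, self.nonce = data, wrapped_dek, nonce

    @property
    def encrypted(self):
        return self.wrapped_dek is not None

class Ebs:
    def __init__(self, kms):
        self.kms = kms

    def create_volume(self, key_id=None):
        if key_id is None:
            return Volume()  # unencrypted
        return Volume(wrapped_dek=self.kms.generate_data_key(key_id)[1])  # unique DEK per volume

    def create_snapshot(self, vol):
        return Volume(vol.data, vol.wrapped_dek, vol.nonce)  # shares the source DEK

    create_volume_from_snapshot = create_snapshot  # restored volume shares the snapshot DEK

    def copy_snapshot(self, snap, encrypted, key_id=None):
        """Copying an unencrypted snapshot with encryption on gives the data a fresh DEK."""
        if snap.encrypted or not encrypted:
            return self.create_snapshot(snap)
        dek, wrapped = self.kms.generate_data_key(key_id)
        nonce = os.urandom(16)
        return Volume(xor_keystream(dek, nonce, snap.data), wrapped, nonce)

class Ec2Host:
    """Holds plaintext DEKs only for attached volumes."""
    def __init__(self, kms):
        self.kms, self.deks = kms, {}

    def attach(self, vol):
        if vol.encrypted:  # the kms:Decrypt call that needs permission on the CMK
            self.deks[vol.id] = self.kms.decrypt(vol.wrapped_dek)

    def detach(self, vol):
        self.deks.pop(vol.id, None)  # plaintext DEK forgotten; next attach calls KMS again

    def write(self, vol, plaintext):
        if not vol.encrypted:
            vol.data = plaintext
            return
        vol.nonce = os.urandom(16)  # toy: whole-volume writes, fresh nonce each time
        vol.data = xor_keystream(self.deks[vol.id], vol.nonce, plaintext)

    def read(self, vol):
        if not vol.encrypted:
            return vol.data
        return xor_keystream(self.deks[vol.id], vol.nonce, vol.data)

def encrypt_existing_volume(ebs, unencrypted, key_id):
    """Case 2: snapshot -> encrypted copy -> new volume restored from the copy."""
    snap = ebs.create_snapshot(unencrypted)
    return ebs.create_volume_from_snapshot(ebs.copy_snapshot(snap, True, key_id))
```

Two things worth trying with the model: compare `snap.wrapped_dek` with the volume's after `create_snapshot` (identical, as the bullets say), and call `kms.disable_key` before a fresh `attach` (it fails with `PermissionError`, the toy equivalent of a disabled-key error, while data already in host memory is unaffected until detach).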
