Amazon EBS Encryption
Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
Data at rest inside the volume
All data moving between the volume and the instance
All snapshots created from the volume
The encryption occurs on the servers that host EC2 instances, providing encryption of data-in-transit from EC2 instances to EBS storage.
Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMK) when creating encrypted volumes and any snapshots created from them. The first time you create an encrypted volume in a region, a default CMK is created for you automatically. This key is used for Amazon EBS encryption unless you select a CMK that you created separately using AWS KMS. Creating your own CMK gives you more flexibility, including the ability to create, rotate, and disable keys to define access controls, and to audit the encryption keys used to protect your data. For more information, see the AWS Key Management Service Developer Guide.
This feature is supported with all EBS volume types (General Purpose SSD [
gp2], Provisioned IOPS SSD [
Throughput Optimized HDD [
st1], Cold HDD [
sc1], and Magnetic [
standard]), and you can expect the
same IOPS performance on encrypted volumes as you would with unencrypted volumes, with a
minimal effect on latency. You can access encrypted volumes the same way that you access
unencrypted volumes; encryption and decryption are handled transparently and they require no
additional action from you, your EC2 instance, or your application.
Snapshots that are taken from encrypted volumes are automatically encrypted. Volumes that are created from encrypted snapshots are also automatically encrypted. Public snapshots of encrypted volumes are not supported, but you can share an encrypted snapshot with specific accounts if you take the following steps:
Use a custom CMK, not your default CMK, to encrypt your volume.
Give the specific accounts access to the custom CMK.
Create the snapshot.
Give the specific accounts access to the snapshot.
For more information, see Sharing an Amazon EBS Snapshot.
Amazon EBS encryption is only available on certain instance types. You can attach both encrypted and unencrypted volumes to a supported instance type. For more information, see Supported Instance Types.
Encryption Key Management
Amazon EBS encryption handles key management for you. Each newly-created volume is encrypted with a unique 256-bit key; any snapshots of this volume and any subsequent volumes created from those snapshots also share that key. These keys are protected by our own key management infrastructure, which implements strong logical and physical security controls to prevent unauthorized access. Your data and associated keys are encrypted using the industry-standard AES-256 algorithm.
You cannot change the CMK that is associated with an existing snapshot or encrypted volume. However, you can associate a different CMK during a snapshot copy operation (including encrypting a copy of an unencrypted snapshot) and the resulting copied snapshot will use the new CMK.
Amazon’s overall key management infrastructure uses Federal Information Processing Standards (FIPS) 140-2 approved cryptographic algorithms and is consistent with National Institute of Standards and Technology (NIST) 800-57 recommendations.
Each AWS account has a unique master key that is stored completely separate from your data, on a system that is surrounded with strong physical and logical security controls. Each encrypted volume (and its subsequent snapshots) is encrypted with a unique volume encryption key that is then encrypted with a region-specific secure master key. The volume encryption keys are used in memory on the server that hosts your EC2 instance; they are never stored on disk in plain text.
Supported Instance Types
Amazon EBS encryption is available on the instance types listed in the table below. These instance types leverage the Intel AES New Instructions (AES-NI) instruction set to provide faster and simpler data protection. You can attach both encrypted and unencrypted volumes to these instance types simultaneously.
|Instance family||Instance types that support Amazon EBS encryption|
For more information about these instance types, see Instance Type Details.
Changing the Encryption State of Your Data
There is no direct way to encrypt an existing unencrypted volume, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes. You can also apply a new encryption status while copying a snapshot:
While copying an unencrypted snapshot of an unencrypted volume, you can encrypt the copy. Volumes restored from this encrypted copy will also be encrypted.
While copying an encrypted snapshot of an encrypted volume, you can re-encrypt the copy using a different CMK. Volumes restored from the encrypted copy will only be accessible using the newly applied CMK.
Migrate Data between Encrypted and Unencrypted Volumes
When you have access to both an encrypted and unencrypted volume, you can freely transfer data between them. EC2 carries out the encryption or decryption operations transparently.
To migrate data between encrypted and unencrypted volumes
Create your destination volume (encrypted or unencrypted, depending on your need) by following the procedures in Creating an Amazon EBS Volume.
Attach the destination volume to the instance that hosts the data to migrate. For more information, see Attaching an Amazon EBS Volume to an Instance.
Make the destination volume available by following the procedures in Making an Amazon EBS Volume Available for Use. For Linux instances, you can create a mount point at
/mnt/destinationand mount the destination volume there.
Copy the data from your source directory to the destination volume. It may be most convenient to use a bulk-copy utility for this.
Use the rsync command as follows to copy the data from your source to the destination volume. In this example, the source data is located in
/mnt/sourceand the destination volume is mounted at
sudo rsync -avh --progress
At a command prompt, use the robocopy command to copy the data from your source to the destination volume. In this example, the source data is located in
D:\and the destination volume is mounted at
E:\ /e /copyall /eta
Apply Encryption While Copying a Snapshot
Because you can apply encryption to a snapshot while copying it, another path to encrypting your data is the following procedure.
To encrypt a volume's data by means of snapshot copying
Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.
Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.
Restore the encrypted snapshot to a new volume, which is also encrypted.
For more information, see Copying an Amazon EBS Snapshot.
Re-Encrypt a Snapshot with a New CMK
The ability to encrypt a snapshot during copying also allows you to re-encrypt an already-encrypted snapshot that you own. In this operation, the plaintext of your snapshot will be encrypted using a new CMK that you provide. Volumes restored from the resulting copy will only be accessible using the new CMK.
In a related scenario, you may choose to re-encrypt a snapshot that has been shared with you. Before you can restore a volume from a shared encrypted snapshot, you must create your own copy of it. By default, the copy will be encrypted with the key shared by the snapshot's owner. However, we recommend that you re-encrypt the snapshot during the copy process with a different key that you control. This protects your access to the volume if the original key is compromised, or if the owner revokes the key for any reason.
The following procedure demonstrates how to re-encrypt a snapshot that you own.
To re-encrypt a snapshot using the console
Create a custom CMK. For more information, see AWS Key Management Service Developer Guide.
Create an EBS volume encrypted with (for this example) your default CMK.
Create a snapshot of your encrypted EBS volume. This snapshot is also encrypted with your default CMK.
On the Snapshots page, choose Actions, then choose Copy.
In the Copy Snapshot window, supply the complete ARN for your custom CMK (in the form arn:aws:kms:<i>us-east-1</i>:<i>012345678910</i>:key/<i>abcd1234-a123-456a-a12b-a123b4cd56ef</i>) in the Master Key field, or choose it from the menu. Click Copy.
The resulting copy of the snapshot—and all volumes restored from it—will be encrypted with your custom CMK.
The following procedure demonstrates how to re-encrypt a shared encrypted snapshot as you copy it. For this to work, you need access permissions to both the shared encrypted snapshot and to the CMK that encrypted it.
To copy and re-encrypt a shared snapshot using the console
Choose the shared encrypted snapshot on the Snapshots page, choose Actions, then choose Copy.
In the Copy Snapshot window, supply the complete ARN for a CMK that you own (in the form arn:aws:kms:<i>us-east-1</i>:<i>012345678910</i>:key/<i>abcd1234-a123-456a-a12b-a123b4cd56ef</i>) in the Master Key field, or choose it from the menu. Click Copy.
The resulting copy of the snapshot—and all volumes restored from it—will be encrypted with the CMK that you supplied. Changes to the original shared snapshot, its encryption status, or the shared CMK will have no effect on your copy.
For more information, see Copying an Amazon EBS Snapshot.