Menu
AWS Import/Export
Developer Guide

Encrypting Your Data

For added security, AWS Import/Export supports the following data encryption methods:

PIN-code encryption

Hardware-based device encryption that uses a physical PIN pad for access to the data.

TrueCrypt software encryption

Disk encryption using TrueCrypt, which is an open-source encryption application.

For export from Amazon S3, AWS always requires data encryption, either by using a PIN-code device with hardware-based encryption or by using TrueCrypt software encryption. For added security, you can use both methods. You will need to provide the PIN or password, or both, in your manifest file.

For import jobs, we strongly recommend encrypting your data. For import to Amazon S3, you can use a PIN-code device with hardware-based encryption or TrueCrypt software to encrypt your data before sending it to AWS Import/Export. You will need to include your PIN code or TrueCrypt password in your import manifest and the TrueCrypt password in your export manifest.

For import to Amazon EBS or Amazon Glacier, you can use a PIN-code device with hardware-based encryption or any software encryption method you choose, or both. AWS uses your PIN to access a PIN-code device, but does not decrypt software-encrypted data for import to Amazon EBS or Amazon Glacier. You will need to include your PIN in your import manifest.

Using PIN-Code Device Encryption

You can supply a storage device that uses hardware-based device encryption with a physical PIN pad for all import or export jobs. If you do so, you must provide the PIN code in your manifest.

Using TrueCrypt Encryption for Import to Amazon S3

TrueCrypt is an open-source disk encryption application. TrueCrypt is the only device encryption software supported by AWS Import/Export. AWS also supports hardware-based encryption. For more information, see Encrypting Your Data.

If you have not installed TrueCrypt 7.1a, you will need to install it first.

Note

The developer no longer supports TrueCrypt 7.1a. However, you can still download TrueCrypt 7.1a and use the application without charge to decrypt your device.

To ensure that we can decrypt your device, choose the following options when creating a TrueCrypt volume:

  • Create a new TrueCrypt volume. AWS Import/Export supports only TrueCrypt volumes created as non-system partitions or encrypted file containers.

    Do not use the Encrypt the system partition or the entire system drive option.

  • Select either the Create an encrypted file container option or the Encrypt a non-system partition/drive option.

  • For Volume Type, select Standard TrueCrypt volume. Do not create a hidden volume.

  • If you are creating an encrypted file container, for Volume Location, create a file in your device's home directory and name the file <JOBID>.tc, where <JOBID> is the job ID associated with the device. For example, 1B23C.tc.

  • If you are encrypting a non-system partition, for Volume Location, select the partition to be encrypted. For Volume Creation Mode, if your volume already contains files, select Encrypt partition in place. TrueCrypt will not format the partition or erase any files. Encrypt partition in place takes longer than encrypting an empty volume. If the partition is empty, select Create encrypted volume and format it.

  • For Encryption Options, use AES for the Encryption Algorithm and RIPEMD-160 for the Hash Algorithm.

  • Create a password for your TrueCrypt volume. You will include this password in the job manifest that you create with the AWS Import/Export tool. Without this password, we won’t be able to access any data on the encrypted partition. Keep the following in mind when creating your password:

    • Don't include commas in your password.

    • Don't lose your password, or you will not be able to decrypt your device. AWS Import/Export will not send the password with the encrypted device.

  • If you are prompted to select a volume format, select NTFS.

After you create your TrueCrypt volume, use TrueCrypt to mount the volume and then copy your files into the volume. Your device must contain only one partition or container and no other files. If you use a file container, the container must be named <JOBID>.tc, using the job ID associated with the device. Copy the SIGNATURE file to the root directory of the encrypted volume.

When you complete your manifest file in preparation for submitting a job request, include the password for the trueCryptPassword option. When AWS receives your device, we will attempt to mount the device. If the volume is encrypted, we decrypt it using the password you supplied. If the volume is not encrypted, we will look for a container file named <JOBID>.tc, using the job ID associated with the device. We will decrypt the container using the password you supplied.

Following a successful import, we will erase the device and ship it to the address provided on your manifest.

If any of the following conditions occur, AWS will erase your device without performing the import and ship it to the address provided on your manifest:

  • You specified a TrueCrypt password in your manifest, but the partition is not encrypted or no encrypted container named <JOBID>.tc exists on the device.

  • More than one container exists on the device.

  • More than one partition exists on the device.

  • AWS is not able to decrypt the partition or the container.

If we are unable to erase the data on the device, we will schedule it for destruction and our support team will contact you using the email address specified in the manifest file.

Using TrueCrypt Encryption with Export from Amazon S3

When you create an Export to Amazon S3 job, you specify a PIN code or a TrueCrypt password in the export manifest. If you supply a TrueCrypt password, AWS creates a TrueCrypt encrypted volume in a file container on your device using the password you provided, and then copies the data to the container. The container is named JOBID.tc, using the job ID associated with your device.

Important

Do not lose your password, or you will not be able to decrypt your device. AWS Import/Export will not send the password with the encrypted device.

Decrypting the TrueCrypt Container

When you receive your device, you will use TrueCrypt with the password you provided with your export manifest to decrypt the container and mount the volume.

To decrypt the TrueCrypt container

  1. If you have not installed TrueCrypt 7.1a, you will need to install it first.

    Note

    The developer no longer supports TrueCrypt 7.1a. However, you can still download TrueCrypt 7.1a and use the application without charge to decrypt your device.

  2. Open TrueCrypt.

  3. Click Volume, Select File.

  4. Click the name of the TrueCrypt container file located on your device, and click Open.

  5. Click Volume, Mount Volume.

  6. Type the password from the export manifest in to the Password box and click OK.

The encrypted container is mounted as a volume on your computer.