Amazon Elastic Compute Cloud
User Guide for Linux Instances

Amazon EBS Encryption

Amazon EBS encryption offers a straightforward encryption solution for your EBS volumes that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses AWS Key Management Service (AWS KMS) customer master keys (CMKs) when creating encrypted volumes and snapshots. For more information, see Customer Master Keys (CMK) in the AWS Key Management Service Developer Guide.

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

  • Data at rest inside the volume

  • All data moving between the volume and the instance

  • All snapshots created from the volume

  • All volumes created from those snapshots

Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.

You can encrypt both the boot and data volumes of an EC2 instance.

Encryption is supported by all EBS volume types (General Purpose SSD [gp2], Provisioned IOPS SSD [io1], Throughput Optimized HDD [st1], Cold HDD [sc1], and Magnetic [standard]). You can expect the same IOPS performance on encrypted volumes as on unencrypted volumes, with a minimal effect on latency. You can access encrypted volumes the same way that you access unencrypted volumes. Encryption and decryption are handled transparently and they require no additional action from you or your applications.

Amazon EBS encryption is available only on certain instance types. You can attach both encrypted and unencrypted volumes to a supported instance type. For more information, see Supported Instance Types.

Public snapshots of encrypted volumes are not supported, but you can share an encrypted snapshot with specific accounts. For more information about sharing encrypted snapshots, see Sharing an Amazon EBS Snapshot.

Encryption by Default

You can configure your AWS account to enforce the encryption of your EBS volumes and snapshots. Activating encryption by default has two effects:

  • AWS encrypts new EBS volumes on launch.

  • AWS encrypts new copies of unencrypted snapshots.

Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.

Newly created EBS resources are encrypted by your account's default customer master key (CMK) unless you specify a customer managed CMK in the EC2 settings or at launch. For more information, see Encryption Key Management.

Encryption by default has no effect on existing EBS volumes or snapshots, but when you copy unencrypted snapshots, or restore unencrypted volumes, the resulting snapshots or volumes are encrypted. For examples of transitioning from unencrypted to encrypted EBS resources, see Encrypting Unencrypted Resources.

When you enable encryption by default, you can launch an Amazon EC2 instance only if the instance type supports EBS encryption. For more information, see Supported Instance Types.

To enable encryption by default for a Region

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar, select the Region.

  3. Choose Account Attributes, Settings.

  4. Under EBS Storage, select Always encrypt new EBS volumes.

  5. Choose Update.

Encryption Key Management

Amazon EBS creates a unique AWS managed CMK, with the alias alias/aws/ebs, automatically in each Region where you store AWS resources. By default, Amazon EBS uses this key for encryption. Alternatively, you can specify a customer managed CMK that you created as the default key for encryption.

Note

Creating your own CMK gives you more flexibility, including the ability to create, rotate, and disable keys, and to define access controls for them.

You cannot change the CMK that is associated with an existing snapshot or encrypted volume. However, you can associate a different CMK during a snapshot copy operation so that the resulting copied snapshot is encrypted by the new CMK.

EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm. Your data key is stored on disk with your encrypted data, but only after EBS has encrypted it with your CMK; it never appears on disk in plaintext. The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots. For more information, see Data Keys in the AWS Key Management Service Developer Guide.

Prerequisite

When you configure a CMK as the default for EBS encryption, you must also give your users access, through the CMK's key policy, that allows the CMK to be used to launch instances, create volumes, copy snapshots, and copy images. These permissions include the following KMS actions: kms:GenerateDataKeyWithoutPlaintext, kms:ReEncrypt*, kms:CreateGrant, kms:DescribeKey, and kms:Decrypt. For more information, see Authentication and Access Control for AWS KMS and How Amazon Elastic Block Store (Amazon EBS) Uses AWS KMS.
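The following Python is an added example, not code from this guide or from AWS. It builds a key policy for a customer managed CMK that grants exactly the actions listed above, scoped so the principals can use the key only through EC2 in one Region (the kms:ViaService condition) and can create grants only for EBS's own resources (the kms:GrantIsForAWSResource condition), and it checks an arbitrary key policy for two things a reviewer wants to know: which of the required actions a principal is missing, and whether kms:CreateGrant has been granted without that condition. The account ID, Region and role ARN are placeholders.

```python
import fnmatch

# Concrete KMS operations EBS performs with the CMK: the guide's list, with
# ReEncrypt* expanded so that wildcard grants in a policy can be checked exactly.
EBS_CALLED_ACTIONS = (
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:CreateGrant",
    "kms:DescribeKey",
    "kms:Decrypt",
)


def ebs_key_policy(account_id, region, user_arns):
    """Key policy for a customer managed CMK used as the EBS default key.

    Statement 1 keeps the account root as key administrator. Statement 2 lets
    the listed principals use the key only when the call arrives via EC2 in
    this Region. Statement 3 allows kms:CreateGrant only for grants that EBS
    creates for its own resources, so the principals cannot hand the key to
    arbitrary grantees. account_id, region and user_arns are placeholders.
    """
    via_ec2 = {"StringEquals": {"kms:ViaService": f"ec2.{region}.amazonaws.com"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "RootAdministration", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "UseKeyThroughEC2", "Effect": "Allow",
             "Principal": {"AWS": list(user_arns)},
             "Action": ["kms:Decrypt", "kms:DescribeKey",
                        "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*"],
             "Resource": "*", "Condition": via_ec2},
            {"Sid": "GrantsForEC2ResourcesOnly", "Effect": "Allow",
             "Principal": {"AWS": list(user_arns)},
             "Action": "kms:CreateGrant", "Resource": "*",
             "Condition": {**via_ec2, "Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements_for(policy, principal_arn):
    """Allow statements whose AWS principal names principal_arn (or "*")."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if principal_arn in principals or "*" in principals:
            yield st


def _grants(statement, action):
    """Does the statement's Action list (with IAM-style wildcards) cover action?"""
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))


def missing_ebs_actions(policy, principal_arn):
    """EBS actions the policy does not allow for principal_arn (empty means ok).
    Only Effect/Principal/Action are evaluated; conditions are not."""
    granted = {a for st in _allow_statements_for(policy, principal_arn)
               for a in EBS_CALLED_ACTIONS if _grants(st, a)}
    return sorted(set(EBS_CALLED_ACTIONS) - granted)


def unscoped_create_grant(policy, principal_arn):
    """True if principal_arn may call kms:CreateGrant without the
    kms:GrantIsForAWSResource condition, i.e. could create grants that let
    any grantee use the key outside EC2."""
    for st in _allow_statements_for(policy, principal_arn):
        if not _grants(st, "kms:CreateGrant"):
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("kms:GrantIsForAWSResource", "")).lower() != "true":
            return True
    return False


if __name__ == "__main__":
    import json
    ops = "arn:aws:iam::111122223333:role/EbsOperators"   # placeholder principal
    policy = ebs_key_policy("111122223333", "us-east-1", [ops])
    print(json.dumps(policy, indent=2))
    print("missing for ops:", missing_ebs_actions(policy, ops))        # []
    print("unscoped CreateGrant:", unscoped_create_grant(policy, ops))  # False
```

The checker only reads Allow statements and principals listed under "AWS"; it does not evaluate Deny statements, service principals or IAM identity policies, so treat an empty "missing" list as necessary, not sufficient, and keep the ViaService condition on the use statement so the key cannot be called directly with kms:Decrypt from outside EC2.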

To configure the default CMK for EBS encryption for a Region

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar, select the Region.

  3. Choose Account Attributes, Settings.

  4. Choose Change the default key and then choose an available key.

  5. Choose Update.

For more information about key management and key access permissions, see How Amazon Elastic Block Store (Amazon EBS) Uses AWS KMS and Authentication and Access Control for AWS KMS in the AWS Key Management Service Developer Guide.

Setting Encryption and Key Defaults Using the API and CLI

You can manage encryption by default and the default customer master key (CMK) using the following API actions and CLI commands.

API action                     CLI command                         Description
DisableEbsEncryptionByDefault  disable-ebs-encryption-by-default   Disables encryption by default.
EnableEbsEncryptionByDefault   enable-ebs-encryption-by-default    Enables encryption by default.
GetEbsDefaultKmsKeyId          get-ebs-default-kms-key-id          Describes the default CMK.
GetEbsEncryptionByDefault      get-ebs-encryption-by-default       Indicates whether encryption by default is enabled.
ModifyEbsDefaultKmsKeyId       modify-ebs-default-kms-key-id       Changes the default CMK used to encrypt EBS volumes.
ResetEbsDefaultKmsKeyId        reset-ebs-default-kms-key-id        Resets the default CMK used to encrypt EBS volumes to the AWS managed CMK for EBS.
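Because both the setting and the default CMK are Region-specific, an account that is "encrypted by default" in one Region can still create plaintext volumes in another. The following Python is an added example, not code from this guide or from AWS: it audits each Region for drift (encryption by default off, or the default key not the customer managed CMK you expect) and remediates it, using the boto3 method names that correspond to the API actions in the table above (get_ebs_encryption_by_default, get_ebs_default_kms_key_id, enable_ebs_encryption_by_default, modify_ebs_default_kms_key_id). The FakeEC2 class is a constructed stand-in for the boto3 client so the example runs offline; the key ARNs are placeholders, and the assumption that GetEbsDefaultKmsKeyId reports alias/aws/ebs when no customer managed CMK is set is noted in the code.

```python
# Assumption: with no customer managed CMK configured, GetEbsDefaultKmsKeyId
# reports the AWS managed key by its alias.
AWS_MANAGED_EBS_KEY = "alias/aws/ebs"


def audit_region(ec2, expected_key_arn=None):
    """Finding for one Region. ec2 is an EC2 client bound to that Region."""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    key_ok = expected_key_arn is None or key_id == expected_key_arn
    return {
        "encryption_by_default": enabled,
        "default_key": key_id,
        "uses_aws_managed_key": key_id == AWS_MANAGED_EBS_KEY,
        "compliant": bool(enabled and key_ok),
    }


def enforce_region(ec2, expected_key_arn=None):
    """Enable encryption by default and pin the default CMK where they drift.
    Only new volumes and snapshot copies are affected; existing resources are
    untouched. Makes no API writes when the Region is already compliant."""
    before = audit_region(ec2, expected_key_arn)
    if not before["encryption_by_default"]:
        ec2.enable_ebs_encryption_by_default()
    if expected_key_arn and before["default_key"] != expected_key_arn:
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=expected_key_arn)
    return audit_region(ec2, expected_key_arn)


def audit_all_regions(client_for_region, expected_keys):
    """expected_keys maps Region name -> ARN of the CMK expected there (CMKs,
    like the setting, are Region-specific). client_for_region(region) returns
    a client, e.g. lambda r: boto3.client("ec2", region_name=r)."""
    return {region: audit_region(client_for_region(region), arn)
            for region, arn in expected_keys.items()}


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client so the example runs
    offline; response shapes mirror the real API responses."""

    def __init__(self, enabled=False, key_id=AWS_MANAGED_EBS_KEY):
        self.enabled, self.key_id, self.calls = enabled, key_id, []

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.key_id}

    def enable_ebs_encryption_by_default(self):
        self.calls.append("enable")
        self.enabled = True
        return {"EbsEncryptionByDefault": True}

    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.calls.append(("modify", KmsKeyId))
        self.key_id = KmsKeyId
        return {"KmsKeyId": KmsKeyId}


if __name__ == "__main__":
    # Placeholder CMK ARNs; in real use build clients with boto3 instead of FakeEC2.
    expected = {
        "us-east-1": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "eu-west-1": "arn:aws:kms:eu-west-1:111122223333:key/abcd1234-ab12-cd34-ef56-abcdef123456",
    }
    fleet = {"us-east-1": FakeEC2(),
             "eu-west-1": FakeEC2(enabled=True, key_id=expected["eu-west-1"])}
    for region, finding in audit_all_regions(fleet.__getitem__, expected).items():
        print(region, finding)
        if not finding["compliant"]:
            print(region, "after enforce:", enforce_region(fleet[region], expected[region]))
```

Run the audit from a read-only role on a schedule and the enforcement from a change-controlled one; enabling the setting is safe for existing resources, but changing the default CMK changes which key policy every future volume depends on, so the prerequisite above (key policy access for the users who launch instances) must be in place first.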

Supported Instance Types

Amazon EBS encryption is available on the instance types listed below. You can attach both encrypted and unencrypted volumes to these instance types simultaneously.

  • General purpose: A1, M3, M4, M5, M5a, M5ad, M5d, T2, T3, and T3a

  • Compute optimized: C3, C4, C5, C5d, and C5n

  • Memory optimized: cr1.8xlarge, R3, R4, R5, R5a, R5ad, R5d, X1, X1e, and z1d

  • Storage optimized: D2, h1.2xlarge, h1.4xlarge, I2, and I3

  • Accelerated computing: F1, G2, G3, P2, and P3

  • Bare metal: i3.metal, m5.metal, m5d.metal, r5.metal, r5d.metal, u-6tb1.metal, u-9tb1.metal, u-12tb1.metal, and z1d.metal

Using Encryption Parameters with EBS Volumes

You apply encryption to EBS volumes by setting the Encrypted parameter to true. (The Encrypted parameter is optional if encryption by default is enabled).

Optionally, you can use KmsKeyId to specify a custom key to use to encrypt the volume. (The Encrypted parameter must also be set to true, even if encryption by default is enabled.) If KmsKeyId is not specified, the key that is used for encryption depends on the encryption state of the source snapshot and its ownership. The following table describes the encryption outcome for each possible combination of settings.

Encryption Outcomes

(The Custom column applies only when the Encrypted parameter is set, because KmsKeyId requires Encrypted to be true.)

Encrypted parameter set?  Encryption by default set?  Source of volume                               Default (no CMK specified)   Custom (CMK specified)
No                        No                          New (empty) volume                             Unencrypted                  N/A
No                        No                          Unencrypted snapshot that you own              Unencrypted                  N/A
No                        No                          Encrypted snapshot that you own                Encrypted by same key        N/A
No                        No                          Unencrypted snapshot that is shared with you   Unencrypted                  N/A
No                        No                          Encrypted snapshot that is shared with you     Encrypted by default CMK*    N/A
Yes                       No                          New volume                                     Encrypted by default CMK     Encrypted by a specified CMK**
Yes                       No                          Unencrypted snapshot that you own              Encrypted by default CMK     Encrypted by a specified CMK
Yes                       No                          Encrypted snapshot that you own                Encrypted by same key        Encrypted by a specified CMK
Yes                       No                          Unencrypted snapshot that is shared with you   Encrypted by default CMK     Encrypted by a specified CMK
Yes                       No                          Encrypted snapshot that is shared with you     Encrypted by default CMK     Encrypted by a specified CMK
No                        Yes                         New (empty) volume                             Encrypted by default CMK     N/A
No                        Yes                         Unencrypted snapshot that you own              Encrypted by default CMK     N/A
No                        Yes                         Encrypted snapshot that you own                Encrypted by same key        N/A
No                        Yes                         Unencrypted snapshot that is shared with you   Encrypted by default CMK     N/A
No                        Yes                         Encrypted snapshot that is shared with you     Encrypted by default CMK     N/A
Yes                       Yes                         New volume                                     Encrypted by default CMK     Encrypted by a specified CMK
Yes                       Yes                         Unencrypted snapshot that you own              Encrypted by default CMK     Encrypted by a specified CMK
Yes                       Yes                         Encrypted snapshot that you own                Encrypted by same key        Encrypted by a specified CMK
Yes                       Yes                         Unencrypted snapshot that is shared with you   Encrypted by default CMK     Encrypted by a specified CMK
Yes                       Yes                         Encrypted snapshot that is shared with you     Encrypted by default CMK     Encrypted by a specified CMK

* This is the default CMK used for EBS encryption for the AWS account and Region. By default this is a unique AWS managed CMK for EBS, or you can specify a customer managed CMK. For more information, see Encryption Key Management.

** This is a customer managed CMK specified for the volume at launch time. This CMK is used instead of the default CMK for the AWS account and Region.

Creating New Empty Volumes with Encryption

When you create a new, empty EBS volume, you can encrypt it to your default CMK by setting the Encrypted flag. To encrypt the volume to a customer managed CMK, you must provide a value for KmsKeyId as well. The volume is encrypted from the time it is first available, so your data is always secured. For detailed procedures, see Creating an Amazon EBS Volume.

By default, the same CMK that you selected when creating the volume encrypts the snapshots that you make from it and the volumes that you restore from those snapshots. You cannot remove encryption from an encrypted volume or snapshot, which means that a volume restored from an encrypted snapshot, or a copy of an encrypted snapshot, is always encrypted.

Encrypting Unencrypted Resources

Although there is no direct way to encrypt an existing unencrypted volume or snapshot, you can encrypt existing unencrypted data by using either the CreateVolume or CopySnapshot action. If you have enabled encryption by default, AWS enforces encryption of the resulting new volume or snapshot using your default CMK. Even if you have not enabled encryption by default, you can supply encryption parameters with CreateVolume or CopySnapshot to encrypt resources individually. In either case, you can override encryption defaults to apply a customer managed CMK. All of the actions shown can be performed with the EC2 console, AWS CLI, or AWS API. For more information, see Creating an Amazon EBS Volume and Copying an Amazon EBS Snapshot.

The following examples illustrate how these actions and the encryption parameters can be used to manage the encryption of your volumes and snapshots. For a full list of encryption cases, see the encryption outcomes table.

Restore an Unencrypted Volume (Encryption by Default Not Enabled)

Without encryption by default enabled, a volume restored from an unencrypted snapshot is unencrypted by default. However, you can encrypt the resulting volume by setting the Encrypted parameter and, optionally, the KmsKeyId parameter. The following diagram illustrates the process.

If you leave out the KmsKeyId parameter, the resulting volume is encrypted by your default CMK. You must supply a key ID to encrypt the volume to a different CMK.

For more information, see Restoring an Amazon EBS Volume from a Snapshot.

Restore an Unencrypted Volume (Encryption by Default Enabled)

When you have enabled encryption by default, encryption is mandatory for volumes restored from unencrypted snapshots, and no encryption parameters are required for your default CMK to be used. The following diagram shows this simple default case:

If you want to encrypt the restored volume to a customer managed CMK, you must supply both the Encrypted and KmsKeyId parameters as shown in Restore an Unencrypted Volume (Encryption by Default Not Enabled).

Copy an Unencrypted Snapshot (Encryption by Default Not Enabled)

Without encryption by default enabled, a copy of an unencrypted snapshot is unencrypted by default. However, you can encrypt the resulting snapshot by setting the Encrypted parameter and, optionally, the KmsKeyId parameter. The following diagram illustrates the process.

[Diagram: Create an encrypted snapshot from an unencrypted snapshot.]

Note

If you copy a snapshot and encrypt it to a new CMK, a complete (non-incremental) copy is always created, resulting in additional delay and storage costs.

If you leave out the KmsKeyId parameter, the resulting snapshot is encrypted by your default CMK. You must supply a key ID to encrypt the snapshot to a different CMK.

To encrypt a volume's data by means of snapshot copying

  1. Copy the snapshot while applying encryption parameters. If you leave out the KmsKeyId parameter, the resulting snapshot is encrypted by your default CMK. You can optionally include a key ID to encrypt the snapshot to a different CMK.

  2. Restore the encrypted snapshot to a new volume, which is also encrypted.

For more information, see Copying an Amazon EBS Snapshot.

Copy an Unencrypted Snapshot (Encryption by Default Enabled)

When you have enabled encryption by default, encryption is mandatory for copies of unencrypted snapshots, and no encryption parameters are required if your default CMK is used. The following diagram shows this simple default case:

[Diagram: Create an encrypted snapshot from an unencrypted snapshot.]

Note

If you copy a snapshot and encrypt it to a new CMK, a complete (non-incremental) copy is always created, resulting in additional delay and storage costs.

To encrypt the snapshot copy to a customer managed CMK, you must supply both the Encrypted and KmsKeyId parameters as shown in Copy an Unencrypted Snapshot (Encryption by Default Not Enabled).

Re-Encrypting Resources to a New CMK

The following examples describe how to re-encrypt encrypted EBS resources to a different CMK.

Re-Encrypt an Encrypted Volume

When the CreateVolume action operates on an encrypted snapshot, you have the option of re-encrypting it with a different CMK. The following diagram illustrates the process. You own two CMKs, CMK A and CMK B. The source snapshot is encrypted by CMK A. During volume creation, with the key ID of CMK B supplied as a parameter, the source data is automatically decrypted, then re-encrypted by CMK B.

[Diagram: Copy an encrypted snapshot and encrypt the copy to a new key.]

Note

If you copy a snapshot and encrypt it to a new CMK, a complete (non-incremental) copy is always created, resulting in additional delay and storage costs.

For more information, see Restoring an Amazon EBS Volume from a Snapshot.

Re-Encrypt an Encrypted Snapshot

The ability to encrypt a snapshot during copying allows you to apply a new CMK to an already-encrypted snapshot that you own. Volumes restored from the resulting copy are only accessible using the new CMK. The following diagram illustrates the process. You own two CMKs, CMK A and CMK B. The source snapshot is encrypted by CMK A. During copy, with the key ID of CMK B supplied as a parameter, the source data is automatically re-encrypted by CMK B.

[Diagram: Copy an encrypted snapshot and encrypt the copy to a new key.]

Note

If you copy a snapshot and encrypt it to a new CMK, a complete (non-incremental) copy is always created, resulting in additional delay and storage costs.

In a related scenario, you can apply new encryption parameters to a copy of a snapshot that has been shared with you. By default, the copy is encrypted with the CMK that the snapshot's owner shared with you. However, we recommend that you copy the shared snapshot to a different CMK that you control. This protects your access to the data if the original CMK is compromised, or if the owner revokes your access to that CMK for any reason.

The following procedure demonstrates how to copy a snapshot that you own to a customer managed CMK that you also own. It assumes that you have previously created a customer managed CMK, and that you have a snapshot that is currently encrypted by your default CMK. For more information, see the AWS Key Management Service Developer Guide.

To copy a snapshot that you own to a new customer managed CMK using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the Snapshots page, select your snapshot, then choose Actions, Copy.

  3. In the Copy Snapshot window, supply the complete ARN for your customer managed CMK (in the form arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef) in the Master Key field, or choose it from the menu. Choose Copy.

The resulting copy of the snapshot—and all volumes restored from it—are encrypted by your customer managed CMK.

The following procedure demonstrates how to make a copy of a shared encrypted snapshot to a new CMK that you own. For this to work, you also need access permissions to both the shared encrypted snapshot and to the CMK to which it was originally encrypted.

To copy a shared snapshot to a CMK that you own using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the Snapshots page, select the shared encrypted snapshot, then choose Actions, Copy.

  3. In the Copy Snapshot window, supply the complete ARN for a CMK that you own (in the form arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef) in the Master Key field, or choose it from the menu. Choose Copy.

The resulting copy of the snapshot—and all volumes restored from it—are encrypted by the CMK that you supplied. Changes to the original shared snapshot, its encryption status, or the shared CMK have no effect on your copy.

For more information, see Copying an Amazon EBS Snapshot.
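The three workflows in this section (encrypt an unencrypted snapshot by copying it, re-encrypt your own encrypted snapshot to a new CMK, and copy a shared encrypted snapshot to a CMK you own) are all the same CopySnapshot call with Encrypted and KmsKeyId, followed by a CreateVolume and a check that the result really is encrypted with the key you intended. The following Python is an added example, not code from this guide or from AWS: copy_snapshot, describe_snapshots and create_volume are the boto3 method names for the API actions, the FakeEC2 class is a constructed in-memory stand-in so the example runs offline, and the snapshot IDs and key ARNs are placeholders. The fake applies the outcomes table's rule that a copy or volume without KmsKeyId keeps the source's key, and that KmsKeyId is rejected without Encrypted=True.

```python
import time


def copy_snapshot_to_cmk(ec2, source_region, snapshot_id, kms_key_arn, poll_seconds=5):
    """CopySnapshot with Encrypted=True and KmsKeyId, then wait for the copy.

    Whenever the key changes the copy is complete, not incremental, so budget
    the full snapshot size in time and storage. Pass the CMK as an ARN: the
    API reports the ARN back, so verification compares like with like."""
    copy_id = ec2.copy_snapshot(
        SourceRegion=source_region, SourceSnapshotId=snapshot_id,
        Encrypted=True, KmsKeyId=kms_key_arn,
        Description=f"{snapshot_id} re-encrypted with {kms_key_arn}",
    )["SnapshotId"]
    while True:
        snap = ec2.describe_snapshots(SnapshotIds=[copy_id])["Snapshots"][0]
        if snap["State"] == "completed":
            return snap
        if snap["State"] == "error":
            raise RuntimeError(f"copy {copy_id} failed: {snap.get('StateMessage')}")
        time.sleep(poll_seconds)


def restore_volume(ec2, snapshot_id, availability_zone, kms_key_arn=None):
    """CreateVolume from a snapshot. With kms_key_arn the volume is
    re-encrypted to that CMK (KmsKeyId is only valid with Encrypted=True);
    without it the volume keeps the snapshot's encryption state."""
    params = {"SnapshotId": snapshot_id, "AvailabilityZone": availability_zone}
    if kms_key_arn:
        params.update(Encrypted=True, KmsKeyId=kms_key_arn)
    return ec2.create_volume(**params)


def verify_encrypted_with(resource, kms_key_arn):
    """Fail closed: the volume or snapshot description must say Encrypted and
    name exactly the expected CMK before it is handed to a workload."""
    name = resource.get("VolumeId") or resource.get("SnapshotId")
    if not resource.get("Encrypted"):
        raise ValueError(f"{name} is not encrypted")
    if resource.get("KmsKeyId") != kms_key_arn:
        raise ValueError(f"{name}: expected {kms_key_arn}, got {resource.get('KmsKeyId')}")
    return True


class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 client (offline only)."""

    DEFAULT_CMK = "arn:aws:kms:us-east-1:111122223333:key/default-cmk-placeholder"

    def __init__(self, snapshots):
        self.snapshots = {s["SnapshotId"]: dict(s) for s in snapshots}
        self.volumes, self._n = {}, 0

    def _next(self, prefix):
        self._n += 1
        return f"{prefix}-{self._n:017d}"

    def _resulting_key(self, source, Encrypted, KmsKeyId):
        if KmsKeyId and not Encrypted:
            raise ValueError("KmsKeyId requires Encrypted=True")
        if KmsKeyId:
            return KmsKeyId                      # re-encrypt to the specified CMK
        if source["Encrypted"]:
            return source["KmsKeyId"]            # encrypted by same key
        return self.DEFAULT_CMK if Encrypted else None

    def copy_snapshot(self, SourceRegion, SourceSnapshotId, Encrypted=False, KmsKeyId=None, Description=""):
        key = self._resulting_key(self.snapshots[SourceSnapshotId], Encrypted, KmsKeyId)
        snap = {"SnapshotId": self._next("snap"), "State": "completed",
                "Encrypted": key is not None, "KmsKeyId": key}
        self.snapshots[snap["SnapshotId"]] = snap
        return {"SnapshotId": snap["SnapshotId"]}

    def describe_snapshots(self, SnapshotIds):
        return {"Snapshots": [self.snapshots[i] for i in SnapshotIds]}

    def create_volume(self, SnapshotId, AvailabilityZone, Encrypted=False, KmsKeyId=None):
        key = self._resulting_key(self.snapshots[SnapshotId], Encrypted, KmsKeyId)
        vol = {"VolumeId": self._next("vol"), "SnapshotId": SnapshotId,
               "AvailabilityZone": AvailabilityZone,
               "Encrypted": key is not None, "KmsKeyId": key}
        self.volumes[vol["VolumeId"]] = vol
        return vol


if __name__ == "__main__":
    KEY_B = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"
    ec2 = FakeEC2([{"SnapshotId": "snap-0000000000000001", "State": "completed",
                    "Encrypted": False, "KmsKeyId": None}])   # constructed source
    copy = copy_snapshot_to_cmk(ec2, "us-east-1", "snap-0000000000000001", KEY_B, poll_seconds=0)
    vol = restore_volume(ec2, copy["SnapshotId"], "us-east-1a")
    verify_encrypted_with(vol, KEY_B)
    print(vol)
```

For a shared snapshot the same copy_snapshot_to_cmk call needs, in addition, permission to use the owner's CMK (the one the source is encrypted with) for the duration of the copy; once the copy completes, verify_encrypted_with confirms that only your CMK is named, and the owner's key can be revoked without affecting the copy.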

Note

You can also apply new encryption states when launching an instance from an EBS-backed AMI. This is because EBS-backed AMIs include snapshots of EBS volumes that can be manipulated as described. For more information about encryption options while launching an instance from an EBS-backed AMI, see Using Encryption with EBS-Backed AMIs.

Migrate Data between Encrypted and Unencrypted Volumes

When you have access to both an encrypted and unencrypted volume, you can freely transfer data between them. EC2 carries out the encryption and decryption operations transparently.

To migrate data between encrypted and unencrypted volumes

  1. Create your destination volume (encrypted or unencrypted, depending on your need) by following the procedures in Creating an Amazon EBS Volume.

  2. Attach the destination volume to the instance that hosts the data that you want to migrate. For more information, see Attaching an Amazon EBS Volume to an Instance.

  3. Make the destination volume available by following the procedures in Making an Amazon EBS Volume Available for Use on Linux. For Linux instances, you can create a mount point at /mnt/destination and mount the destination volume there.

  4. Copy the data from your source directory to the destination volume. It may be most convenient to use a bulk-copy utility for this.

    Linux

    Use the rsync command as follows to copy the data from your source to the destination volume. In this example, the source data is located in /mnt/source and the destination volume is mounted at /mnt/destination.

    [ec2-user ~]$ sudo rsync -avh --progress /mnt/source/ /mnt/destination/

    Windows

    At a command prompt, use the robocopy command to copy the data from your source to the destination volume. In this example, the source data is located in D:\ and the destination volume is mounted at E:\.

    PS C:\> robocopy D:\<sourcefolder> E:\<destinationfolder> /e /copyall /eta

    Note

    We recommend explicitly naming folders rather than copying the entire volume in order to avoid potential problems with hidden folders.

Amazon EBS Encryption and CloudWatch Events

Amazon EBS supports Amazon CloudWatch Events for certain encryption-related scenarios. For more information, see Amazon CloudWatch Events for Amazon EBS.