Encryption of AWS EBS root Volumes

Girish V P, published in Tensult Blogs, Jun 25, 2018

This blog has moved from Medium to blogs.tensult.com; all the latest content is available there. Subscribe to the newsletter there to stay updated.

This was interesting. One of my customers wanted to know whether a root volume can be encrypted in AWS; the MNC wanted encryption at rest. Though I was sure this could be done, I had not done it myself before. I started referring to different documents and found that many had implemented it. But the question was: how would I test the encryption? I was under the impression that once a volume is encrypted, I could not mount it in another AWS instance. But I could, meaning reality is different. Let's walk through my experiment and see how I tested it.

Let us see some facts about AWS EBS volume encryption:

  • A root volume cannot be selected for encryption during instance launch (at the time of writing, an instance boots from an encrypted root volume only when it is launched from an encrypted AMI).
  • A non-root volume can be encrypted during launch or after launch.
  • A root volume cannot be encrypted after the instance has launched without creating a snapshot of it: EBS does not encrypt an existing volume in place, so the data has to be copied into a new, encrypted volume.

Steps to Encrypt the EBS root Volume

  • Create a KMS encryption key
  • Create a snapshot of the root volume
  • Copy the snapshot with the encryption option enabled
  • Create a new encrypted volume from the encrypted snapshot
  • Detach the existing root volume and replace it with the encrypted volume
  • ... and now you are ready for testing.

Create a KMS encryption key

Open the IAM console (KMS keys were managed under "Encryption keys" in the IAM console at the time of writing) and create an encryption key in your AWS Region, accepting the default options. Its key policy looks like the JSON below (type your own account number instead of "123456789"). Note the key's ARN; you will need it when copying the snapshot.

test key-1

Create snapshot of the root volume

1) Launch an instance from your AWS console. Let us call it "Source".

2) Select the root volume of the instance and create a snapshot, say snap-non-enc. As the name indicates, it is not encrypted.

3) Select the snapshot snap-non-enc and create a copy of it; let us name it snap-enc. Make sure that "Encrypt this snapshot" is selected during the process, and in the Master Key field enter the ARN of the encryption key test key-1. The original snapshot stays unencrypted; only the copy is encrypted.

4) Now compare both snapshots as below: the Encrypted column shows the difference, and the copy lists the KMS key it was encrypted with.

Create a new Encrypted volume from the encrypted snapshot

Select the encrypted snapshot snap-enc and create a volume from it. Let us call it "DestVolume". Create it in the same Availability Zone as the Source instance, because a volume can only be attached to an instance in its own Availability Zone. The volume inherits the encryption of the snapshot, so it is encrypted with test key-1.

Detach the existing volume and attach the Encrypted Volume

1) Select the original "Source" volume and note down its "Attachment Information"; it looks like /dev/xvda. This is the instance's root device name, and the same device name must be used when attaching the encrypted "DestVolume", otherwise the instance will not find its root volume and will not boot.

2) Stop the instance "Source" and detach the "Source" volume.

3) Now attach the encrypted "DestVolume" to the "Source" instance, using the device name noted in step 1 (/dev/xvda).

4) Now start the instance. It boots from the encrypted volume, and this is the end of the setup. One caveat: a volume attached by hand defaults to Delete on termination = false, whereas the original root volume was created with Delete on termination = true, so adjust that setting on the instance if you want the replacement to be cleaned up when the instance is terminated.
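The same five steps, carried out with the AWS CLI, as an added example (this script is not from the original post). It assumes an instance id and a KMS key alias such as alias/test-key-1 are passed as arguments, that the default CLI region and profile are configured, and that the root device name is read from the instance rather than hard-coded. The helper names (run, is_id, require_id, delete_on_termination_json, encrypt_root_volume) are this example's own.

```shell
#!/bin/sh
# Added example: encrypt an instance's root volume via snapshot -> encrypted
# copy -> new volume -> swap. Not part of the original post; assumes the
# default AWS CLI region/profile and a KMS key the caller may use.
set -eu

# Log every AWS call before running it, so the transcript matches the console steps.
run() { echo "+ aws $*" >&2; aws "$@"; }

# '--query ... --output text' prints the literal "None" when nothing matched,
# so every id we capture is validated before it reaches a destructive call.
is_id() {  # is_id <prefix> <value>, e.g. is_id vol vol-0123abcd
  case "$2" in
    "$1"-[0-9a-f]*) return 0 ;;
    *) return 1 ;;
  esac
}
require_id() { is_id "$1" "$2" || { echo "expected a $1-... id, got '$2'" >&2; exit 1; }; }

# Block-device mapping that restores DeleteOnTermination=true on the new root volume
# (a manually attached volume defaults to false).
delete_on_termination_json() {  # delete_on_termination_json <device-name>
  printf '[{"DeviceName":"%s","Ebs":{"DeleteOnTermination":true}}]' "$1"
}

encrypt_root_volume() {  # encrypt_root_volume <instance-id> <kms-key-id-or-alias>
  inst=$1; key=$2
  region=$(run configure get region)

  # 1) Root device name, AZ and the unencrypted root volume behind that device.
  root_dev=$(run ec2 describe-instances --instance-ids "$inst" \
    --query 'Reservations[0].Instances[0].RootDeviceName' --output text)
  az=$(run ec2 describe-instances --instance-ids "$inst" \
    --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text)
  src_vol=$(run ec2 describe-instances --instance-ids "$inst" \
    --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='$root_dev'].Ebs.VolumeId | [0]" \
    --output text)
  require_id vol "$src_vol"

  # 2) Snapshot the root volume (snap-non-enc in the text).
  snap_plain=$(run ec2 create-snapshot --volume-id "$src_vol" \
    --description "snap-non-enc $src_vol" --query SnapshotId --output text)
  require_id snap "$snap_plain"
  run ec2 wait snapshot-completed --snapshot-ids "$snap_plain"

  # 3) Copy it with encryption enabled under our key (snap-enc).
  snap_enc=$(run ec2 copy-snapshot --source-region "$region" --source-snapshot-id "$snap_plain" \
    --encrypted --kms-key-id "$key" --description "snap-enc $src_vol" \
    --query SnapshotId --output text)
  require_id snap "$snap_enc"
  run ec2 wait snapshot-completed --snapshot-ids "$snap_enc"

  # 4) DestVolume in the instance's AZ; encryption is inherited from the snapshot.
  dst_vol=$(run ec2 create-volume --snapshot-id "$snap_enc" --availability-zone "$az" \
    --volume-type gp2 --query VolumeId --output text)
  require_id vol "$dst_vol"
  run ec2 wait volume-available --volume-ids "$dst_vol"

  # 5) Stop, swap the volumes at the same device name, fix DeleteOnTermination, boot.
  run ec2 stop-instances --instance-ids "$inst" >/dev/null
  run ec2 wait instance-stopped --instance-ids "$inst"
  run ec2 detach-volume --volume-id "$src_vol" >/dev/null
  run ec2 wait volume-available --volume-ids "$src_vol"
  run ec2 attach-volume --volume-id "$dst_vol" --instance-id "$inst" --device "$root_dev" >/dev/null
  run ec2 wait volume-in-use --volume-ids "$dst_vol"
  run ec2 modify-instance-attribute --instance-id "$inst" \
    --block-device-mappings "$(delete_on_termination_json "$root_dev")"
  run ec2 start-instances --instance-ids "$inst" >/dev/null

  # 6) Show that the new root volume is encrypted and which key protects it.
  run ec2 describe-volumes --volume-ids "$dst_vol" \
    --query 'Volumes[0].[VolumeId,Encrypted,KmsKeyId]' --output text
}

# Usage: ./encrypt-root.sh i-0123456789abcdef0 alias/test-key-1
if [ $# -eq 2 ]; then
  encrypt_root_volume "$1" "$2"
fi
```

The old unencrypted volume and the unencrypted snapshot are left in place on purpose: the next section attaches the old volume to a test instance, and you will want the snapshot as a rollback until the instance has been seen to boot. Delete both afterwards, or the plaintext copy of the root filesystem defeats the point of the exercise.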

Testing the Encryption

Note that an encrypted volume can be attached to a different instance as long as the KMS key it was encrypted with is still enabled and the caller is allowed to use it; the key, not the instance, is what gates access to the data. So I tested it this way: I mounted both the encrypted and the non-encrypted volume on another instance. Then I disabled the encryption key and repeated the process. This time I was able to mount only the non-encrypted volume.

1) Create another instance, say "test-instance", in the same Availability Zone as the volumes.

2) Shut down the instance "Source".

3) Detach the encrypted "DestVolume" from the instance "Source". This leaves two unused volumes: "Source", which is not encrypted, and "DestVolume", which is encrypted.

4) Now attach both volumes to "test-instance" and mount them; both work fine. Because DestVolume is a byte-for-byte copy of Source, the two filesystems carry the same UUID and label, so mount them by device name rather than by label (and with -o nouuid if the filesystem is XFS).

5) Now unmount the volumes on the instance and detach both of them.

6) This time, disable the encryption key test key-1.

7) Now repeat step 4. Are you able to mount both volumes? No. The encrypted volume cannot even be attached while its key is disabled, so only the non-encrypted volume can be attached and mounted. See the error message below.
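The same test driven from the AWS CLI, as an added example (not from the original post): attach both volumes with the key enabled, detach them, disable the key, and show that only the unencrypted volume attaches. It assumes the test instance id, the two volume ids and the KMS key alias are passed as arguments and that /dev/xvdf and /dev/xvdg are free device names on the test instance. The helper names (run, key_usable, try_attach, detach, test_key_dependency) are this example's own. Disabling a KMS key affects everything encrypted under it in that account and Region, so run this only with a key dedicated to the experiment; the script re-enables the key at the end.

```shell
#!/bin/sh
# Added example: prove that an encrypted EBS volume is usable only while its
# KMS key is enabled. Not part of the original post; assumes the "Source" and
# "DestVolume" volumes are already detached and a dedicated test key.
set -eu

run() { echo "+ aws $*" >&2; aws "$@"; }

# EBS can use a key only in the "Enabled" state; Disabled, PendingDeletion and
# PendingImport all make attach-volume fail.
key_usable() {  # key_usable <KeyState>
  [ "$1" = "Enabled" ]
}

# Try to attach a volume; report success or refusal instead of aborting the script.
try_attach() {  # try_attach <volume-id> <instance-id> <device>
  if run ec2 attach-volume --volume-id "$1" --instance-id "$2" --device "$3" >/dev/null 2>&1; then
    run ec2 wait volume-in-use --volume-ids "$1"
    echo "attached $1 at $3"
    return 0
  fi
  echo "attach of $1 REFUSED"
  return 1
}

detach() {  # detach <volume-id>
  run ec2 detach-volume --volume-id "$1" >/dev/null
  run ec2 wait volume-available --volume-ids "$1"
}

test_key_dependency() {  # test_key_dependency <test-instance> <plain-vol> <enc-vol> <kms-key>
  inst=$1; plain=$2; enc=$3; key=$4

  # Which volume is encrypted, and under which key?
  run ec2 describe-volumes --volume-ids "$plain" "$enc" \
    --query 'Volumes[].[VolumeId,Encrypted,KmsKeyId]' --output text

  # Round 1 (steps 4-5): key enabled, both volumes attach.
  try_attach "$plain" "$inst" /dev/xvdf
  try_attach "$enc" "$inst" /dev/xvdg
  detach "$plain"
  detach "$enc"

  # Round 2 (steps 6-7): disable the key, then only the plain volume attaches.
  run kms disable-key --key-id "$key"
  state=$(run kms describe-key --key-id "$key" --query KeyMetadata.KeyState --output text)
  if key_usable "$state"; then echo "key is still $state" >&2; exit 1; fi
  try_attach "$plain" "$inst" /dev/xvdf
  if try_attach "$enc" "$inst" /dev/xvdg; then
    echo "UNEXPECTED: encrypted volume attached with a disabled key" >&2; exit 1
  fi
  detach "$plain"

  # Re-enable the key so DestVolume (and anything else under the key) works again.
  run kms enable-key --key-id "$key"
}

# Usage: ./test-key.sh i-0123456789abcdef0 vol-plain... vol-enc... alias/test-key-1
if [ $# -eq 4 ]; then
  test_key_dependency "$1" "$2" "$3" "$4"
fi
```

Volumes that are already attached keep working after the key is disabled, because EBS holds the decrypted data key for the attached volume; the key is needed again only when a volume is attached or an instance is started. That is why the test detaches both volumes before disabling the key, and why an instance whose root volume is encrypted under a disabled key fails at the next start rather than immediately.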

Conclusion:

Encryption at rest is an important part of ensuring confidentiality. We have seen how a root EBS volume can be encrypted by taking a snapshot, copying it with encryption enabled, and swapping in a volume created from the encrypted copy. We have also verified that the encrypted volume is usable only while its KMS key is enabled, by disabling the key and repeating the attach test.
