Ref: https://learn.cantrill.io/courses/1820301/lectures/41301330

• Summary
• Contents:

EBS Encryption - Overview

• 🔧 At-rest encryption for EBS volumes and snapshots
  • Powered by KMS
  • Mitigates security risks
• Optional
  • Default is NO encryption → Data persisted to disk exactly as OS writes it
• Recommended to enable it
  • 👍 Efficient
  • 👍 Incurs no additional cost
  • 👍 No performance loss

EBS Volume Encryption

• During volume creation, select option to encrypt it via KMS
  1. KMS key can be:
     1. default AWS-managed key (kms/ebs)
     2. customer-managed key
  2. KMS key generates an encrypted DEK
     • API call: GenerateDataKeyWithoutPlaintext
  3. Encrypted DEK stored with the initially empty volume on the raw disk storage
• Encrypted volume can only be read/used with permissions for corresponding KMS key
• When using the volume, EBS requests KMS to decrypt the encrypted DEK
  1. If request is accepted, KMS replies with plaintext DEK
  2. Plaintext DEK is loaded on the memory of the EC2 host (only time the DEK is held unencrypted)
  3. DEK used by host to encrypt data written on volume and decrypt data read from volume
     • ❗Plaintext data only in host memory! Volume stores ciphertext data!
     • ‼️ Instance OS isn't aware of any encryption!!
       • It just sees plaintext, because encryption is happening between EC2 host and EBS volume
• When EC2 instance stops or moves to another host, host DISCARDS unencrypted DEK
  • Only the encrypted DEK and ciphertext data persist in the volume
  • If instance loaded on a new host, DEK needs to be unencrypted again and loaded on the memory of the new host

EBS Snapshot Encryption

• Snapshots made from an encrypted volume are ALSO encrypted, with the same DEK
• Snapshot stores the same DEK as original volume