EBS Encryption

Ref: https://learn.cantrill.io/courses/1820301/lectures/41301330

EBS Encryption - Overview

🔧 At-rest encryption for EBS volumes and snapshots
- Powered by KMS
- Mitigates security risks
Optional
- Default is NO encryption → Data persisted to disk exactly as OS writes it
Recommended to enable it
- 👍 Efficient
- 👍 Incurs no additional cost
- 👍 No performance loss

During volume creation, select option to encrypt it via KMS
1. KMS key can be:
  1. default AWS-managed key (kms/ebs)
  2. customer-managed key
2. KMS key generates an encrypted DEK
  - API call: GenerateDataKeyWithoutPlaintext
3. Encrypted DEK stored with the initially empty volume on the raw disk storage
Encrypted volume can only be read/used with permissions for corresponding KMS key
When using the volume, EBS requests KMS to decrypt the encrypted DEK
1. If request is accepted, KMS replies with plaintext DEK
2. Plaintext DEK is loaded on the memory of the EC2 host (only time the DEK is held unencrypted)
3. DEK used by host to encrypt data written on volume and decrypt data read from volume
  - ❗Plaintext data only in host memory! Volume stores ciphertext data!
  - ‼️ Instance OS isn't aware of any encryption!!
    - It just sees plaintext, because encryption is happening between EC2 host and EBS volume
When EC2 instance stops or moves to another host, host DISCARDS unencrypted DEK
- Only the encrypted DEK and ciphertext data persist in the volume
- If instance loaded on a new host, DEK needs to be unencrypted again and loaded on the memory of the new host

Snapshots made from an encrypted volume are ALSO encrypted, with the same DEK
Snapshot stores the same DEK as original volume