EBS Volume Encryption

Volume Encryption

  • When you create an encrypted EBS Volume, you get the following:
    • Data at rest is encrypted inside the volume
    • All the data in flight moving between the instance and volume is encrypted
    • All snapshots are encrypted
  • Encryption and decryption are handled transparently (you have nothing to do)
  • Encryption has a minimal impact on latency
  • EBS Encryption leverages keys from AWS KMS (Key Management Service) (AES-256)
  • Copying an unencrypted snapshot lets you encrypt the copy
  • Snapshots of encrypted volumes are encrypted

Encrypt an unencrypted EBS volume

  • Create an EBS Snapshot of the volume
  • Encrypt the EBS snapshot (using copy)
  • Create a new EBS volume from the snapshot (the volume will also be encrypted)

Now you can attach the encrypted volume to the original instance.
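
The three steps above as AWS CLI calls, in an added example that is not part of the original notes. The function name encrypt_volume is hypothetical, and the volume ID, region and KMS key are values the caller supplies.

```bash
#!/bin/sh
# Added example: snapshot -> encrypted copy -> new volume, with the AWS CLI.
# Usage: encrypt_volume <volume-id> <region> [kms-key-id-or-alias]
# Prints the new encrypted volume's ID on stdout; messages go to stderr.
encrypt_volume() {
    local vol="$1" region="$2" kms_key="${3:-}" info az snap enc_snap new_vol

    # Find the volume's AZ (a volume attaches only to instances in its own
    # AZ) and stop if the volume is already encrypted.
    info=$(aws ec2 describe-volumes --region "$region" --volume-ids "$vol" \
        --query 'Volumes[0].[AvailabilityZone,Encrypted]' --output text) || return 1
    set -- $info
    az="$1"
    case "$2" in
        [Tt]rue) echo "$vol is already encrypted" >&2; return 1 ;;
    esac

    # Step 1: snapshot the unencrypted volume and wait for it to complete.
    snap=$(aws ec2 create-snapshot --region "$region" --volume-id "$vol" \
        --description "Pre-encryption snapshot of $vol" \
        --query SnapshotId --output text) || return 1
    aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap" || return 1

    # Step 2: copy the snapshot with encryption turned on. Without
    # --kms-key-id the copy uses the account's default KMS key for EBS.
    enc_snap=$(aws ec2 copy-snapshot --region "$region" --source-region "$region" \
        --source-snapshot-id "$snap" --encrypted \
        ${kms_key:+--kms-key-id "$kms_key"} \
        --query SnapshotId --output text) || return 1
    aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc_snap" || return 1

    # Step 3: create the new volume from the encrypted snapshot.
    new_vol=$(aws ec2 create-volume --region "$region" --snapshot-id "$enc_snap" \
        --availability-zone "$az" --query VolumeId --output text) || return 1
    aws ec2 wait volume-available --region "$region" --volume-ids "$new_vol" || return 1

    # Confirm the new volume is encrypted before anything is attached.
    info=$(aws ec2 describe-volumes --region "$region" --volume-ids "$new_vol" \
        --query 'Volumes[0].Encrypted' --output text) || return 1
    case "$info" in
        [Tt]rue) echo "$new_vol" ;;
        *) echo "$new_vol is not encrypted" >&2; return 1 ;;
    esac
}

# Runs only when arguments are given: ./encrypt-volume.sh <volume-id> <region>
if [ "$#" -ge 2 ]; then encrypt_volume "$@"; fi
```

The function does not copy the source volume's type, IOPS or tags, and it leaves the original volume and the unencrypted snapshot in place.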