
How to encrypt EBS volumes of a running EC2 instance?

by Ishwar Chandra, June 26th, 2018

Nowadays encryption of data at rest is a must, especially if the data is stored in a public cloud. It is also necessary to meet various compliance requirements such as PCI DSS.

We will use AWS KMS to encrypt the EBS volumes. AWS provides a default AWS managed key for EBS volume encryption, aws/ebs; you can use that key or create your own customer managed key.

Create KMS Key:

Log in to your AWS account, go to IAM, then Encryption keys, select the region you want to use the key in, and create a key.

AWS IAM KMS Console

You will need to provide:
- Alias name (required)
- Tag (optional)
- IAM users who have administrative privileges over this particular key
- IAM users and roles that can use this key to encrypt and decrypt data from within applications and when using AWS services integrated with KMS
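The console form above collects an alias, optional tags, key administrators and key users. The following is an added example, not code from the post, that creates the same key with boto3 and spells out the key policy so the administrator/user separation is explicit. The account ID, alias and principal ARNs are placeholders supplied on the command line; the KMS client is passed in as a parameter so the policy-building logic can be checked without AWS access.

```python
import json


def build_ebs_key_policy(account_id, admin_arns, user_arns):
    """Key policy with the three roles the console form asks for.

    - the account root principal, so IAM policies in the account still apply
      and the key can never become unmanageable;
    - key administrators, who manage the key but cannot use it on data;
    - key users, who encrypt/decrypt and may let an AWS service (here EBS)
      create grants on their behalf, which is what lets EC2 attach volumes
      encrypted under this key.
    """
    admins = list(admin_arns)
    users = list(user_arns)
    return {
        "Version": "2012-10-17",
        "Id": "ebs-encryption-key-policy",
        "Statement": [
            {
                "Sid": "EnableIAMPoliciesInThisAccount",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "KeyAdministrators",
                "Effect": "Allow",
                "Principal": {"AWS": admins},
                "Action": [
                    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:TagResource",
                    "kms:UntagResource", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion",
                ],
                "Resource": "*",
            },
            {
                "Sid": "KeyUsers",
                "Effect": "Allow",
                "Principal": {"AWS": users},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {
                "Sid": "KeyUsersGrantsForAWSServices",
                "Effect": "Allow",
                "Principal": {"AWS": users},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def create_ebs_key(kms, alias, account_id, admin_arns, user_arns, tags=None):
    """Create the key, attach an alias and enable yearly rotation. Returns the key ARN."""
    params = {
        "Policy": json.dumps(build_ebs_key_policy(account_id, admin_arns, user_arns)),
        "Description": "EBS volume encryption",
        "KeyUsage": "ENCRYPT_DECRYPT",
    }
    if tags:
        params["Tags"] = [{"TagKey": k, "TagValue": v} for k, v in tags.items()]
    meta = kms.create_key(**params)["KeyMetadata"]
    # The alias is what you select in the EC2 console or pass as KmsKeyId.
    kms.create_alias(AliasName="alias/" + alias, TargetKeyId=meta["KeyId"])
    kms.enable_key_rotation(KeyId=meta["KeyId"])
    return meta["Arn"]


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the policy logic above stays testable offline

    # Placeholder arguments: region, alias, account id, admin ARN, user ARN.
    region, alias, account_id, admin_arn, user_arn = sys.argv[1:6]
    print(create_ebs_key(boto3.client("kms", region_name=region), alias,
                         account_id, [admin_arn], [user_arn]))
```

The fourth statement is the one people forget: without kms:CreateGrant restricted by kms:GrantIsForAWSResource, a key user can call KMS directly but EC2 cannot attach or boot from a volume encrypted under the key on that user's behalf. The administrator statement deliberately omits kms:Decrypt, so whoever manages the key cannot read data encrypted with it.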

Now we have a key ready to use for encryption. Use the steps below to complete the task:

1. Stop your EC2 instance.
2. Create an EBS snapshot of the volume you want to encrypt.
3. Copy the EBS snapshot, encrypting the copy in the process using the key created above.
4. Create a new EBS volume from your new encrypted EBS snapshot. The new EBS volume will be encrypted.
5. Detach the original EBS volume and attach your new encrypted EBS volume, making sure to match the device name (/dev/xvda1, etc.).
6. Start the EC2 instance.
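The six steps above, carried out with boto3 for every unencrypted EBS volume on an instance, as an added example that is not part of the original post. It goes slightly beyond the text: volumes that are already encrypted are skipped, provisioned IOPS are carried over for io1/io2 volumes, the DeleteOnTermination flag of the original attachment is preserved (a freshly attached volume defaults to not being deleted, which silently changes root-volume behaviour), and a verification helper confirms the result. The instance ID, key alias and region are assumed command-line inputs; the EC2 client is a parameter so the logic can be exercised against a stand-in without AWS access.

```python
from dataclasses import dataclass


@dataclass
class VolumeSwap:
    original_volume_id: str   # left detached for rollback, not deleted here
    encrypted_volume_id: str
    device: str               # e.g. /dev/xvda; must match the original attachment


def encrypt_instance_volumes(ec2, instance_id, kms_key_id, region):
    """Stop, snapshot, copy-encrypt, rebuild, swap, start. Returns the swaps made."""
    # 1. Stop the instance so the snapshots are consistent.
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])

    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    az = instance["Placement"]["AvailabilityZone"]
    swaps = []
    for mapping in instance.get("BlockDeviceMappings", []):
        if "Ebs" not in mapping:
            continue  # instance-store devices have nothing to encrypt
        device, volume_id = mapping["DeviceName"], mapping["Ebs"]["VolumeId"]
        vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
        if vol.get("Encrypted"):
            continue  # already encrypted, leave it alone

        # 2. Snapshot the plaintext volume.
        snap = ec2.create_snapshot(VolumeId=volume_id,
                                   Description="pre-encryption copy of " + volume_id)["SnapshotId"]
        ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])

        # 3. Copy the snapshot; the copy is encrypted under the chosen KMS key.
        enc_snap = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=snap,
                                     Encrypted=True, KmsKeyId=kms_key_id,
                                     Description="encrypted copy of " + snap)["SnapshotId"]
        ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])

        # 4. Build a new volume from the encrypted snapshot: same AZ and volume type.
        params = {"SnapshotId": enc_snap, "AvailabilityZone": az, "VolumeType": vol["VolumeType"]}
        if vol["VolumeType"] in ("io1", "io2") and vol.get("Iops"):
            params["Iops"] = vol["Iops"]  # provisioned IOPS are not inherited from a snapshot
        new_vol = ec2.create_volume(**params)["VolumeId"]
        ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])

        # 5. Swap: detach the original, attach the encrypted one on the same device name.
        ec2.detach_volume(VolumeId=volume_id, InstanceId=instance_id)
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new_vol, InstanceId=instance_id, Device=device)
        ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol])
        # Keep the original DeleteOnTermination setting (root volumes are usually True).
        ec2.modify_instance_attribute(
            InstanceId=instance_id,
            BlockDeviceMappings=[{"DeviceName": device, "Ebs": {
                "VolumeId": new_vol,
                "DeleteOnTermination": mapping["Ebs"].get("DeleteOnTermination", False)}}])
        swaps.append(VolumeSwap(volume_id, new_vol, device))

    # 6. Start the instance again.
    ec2.start_instances(InstanceIds=[instance_id])
    return swaps


def verify_encrypted(ec2, volume_ids):
    """Return {volume_id: kms_key_arn}; raise if any listed volume is still plaintext."""
    result, plaintext = {}, []
    for vol in ec2.describe_volumes(VolumeIds=list(volume_ids))["Volumes"]:
        if not vol.get("Encrypted"):
            plaintext.append(vol["VolumeId"])
        result[vol["VolumeId"]] = vol.get("KmsKeyId")
    if plaintext:
        raise RuntimeError("still unencrypted: %s" % ", ".join(plaintext))
    return result


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the logic above stays testable offline

    # Placeholder arguments: instance id, KMS key id/ARN/alias, region.
    instance_id, kms_key_id, region = sys.argv[1:4]
    ec2 = boto3.client("ec2", region_name=region)
    swaps = encrypt_instance_volumes(ec2, instance_id, kms_key_id, region)
    for device, key in verify_encrypted(ec2, [s.encrypted_volume_id for s in swaps]).items():
        print(device, "encrypted under", key)
```

Two things the procedure leaves behind: the original volumes and both snapshots. The original volume and the first snapshot still hold the data in plaintext, so once the instance boots and the encrypted volumes check out, delete them (or the encryption exercise changed nothing about where unencrypted copies live). The code above does not delete anything, so a failed boot can be rolled back by reattaching the original volume on the same device name.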

Now you have an EC2 instance with encrypted EBS volumes. Please note: do not delete the KMS key while it is in use. Deleting a key makes all data encrypted under that key unrecoverable.

That’s all. Thanks for reading :) Happy Cloud Computing!