How we can encrypt EBS root volume in AWS?
I am assuming that you have already launched the predefined Amazon Machine Image template, Now Open the EC2 dashboard and navigate the “Elastic Block Store”. Click on the ‘Volumes’ option.
You can check in Description section your volume is not encrypted, As shown in the following screenshot(b) under the red marked area. But make sure you selected the right volume for encryption. For the confirmation, you can identify your volume with Volume ID. It should be like “Volume ID – vol-01a1647b2178ec243” which is attached to your EC2 machine.
I have mentioned the quick steps in order to create Encrypted Root EBS Volume.
- Create a snapshot of the unencrypted root device volume.
- Create a copy of the snapshot and select the encrypted option.
- Create an AMI image from the encrypted snapshot.
- Use this AMI Image to launch a new instance with encrypted root volume.
Create a Snapshot Of Unencrypted Root Device Volume:
Select the volume if there are multiple volumes and goto the “Actions” tab and click on ‘Create Snapshot’. It will take some time to create a Snapshot of your selected EBS root Volume. Please check the below screenshot for more understanding.
Create a Copy of the snapshot and select the encrypted option:
Goto the snapshot dashboard (check my Screenshot (a)). You need to select “snapshots” just below the “Volumes” option. Now it will open the Snapshot dashboard where you need to select the “Actions” tab and click on the “Copy” option.
After clicking on the “Copy” option you will get the popup box where you need to click (choose) Encryption (Encrypt this snapshot), as shown in the screenshot (f).
After selecting the Encryption box you will get the following part where you can also modify the description as I have changed to “Encrypted Snap”.
Now it will take some time to create the new Encrypted snapshot. After the snapshot is created you need to create an AMI image from this Snapshot.
Amazon provides the crypto mechanism to the user in order to encrypt their EBS volumes to protect their sensitive data. There is no need to manage and secure key management infrastructure. When an EBS volume is created and attached to a resource, data stored at rest as well as the snapshots are encrypted. AWS KMS (Key Management Service) is used to perform cryptographic operations on EBS volumes. A default master key is automatically created to perform encryption and decryption when an EBS volume is created for the first time. The user has the provision of using its own CMK (Customer Master Key) which provides extra flexibility while defining access controls and allows users to create, rotate and disable encryption key specific to individual applications and users.
Create AMI image from encrypted snapshot:
Encrypted snapshot is created and now you have to create an AMI image so you can launch a new EC2 machine with encrypted EBS root volume.
After clicking on the “Create Image” option you will get the following popup window, Where you need to give the Image name only and hit the create button.
Use this AMI Image to Launch new instance with Encrypted Root Volume:
Now you can select the image and launch a new ec2 machine.