New EBS Encryption for Additional Data Protection

We take data protection very seriously! Over the years we have added a
number of security and encryption features to various parts of AWS.
We protect data at rest with

Side Encryption for Amazon S3 and Amazon Glacier
multiple tiers of encryption for Amazon Redshift,
and Transparent Data Encryption for
Oracle and
databases via
Amazon RDS.
We protect data in motion with extensive support for SSL/TLS in

Amazon RDS,
and Elastic Load Balancing.

Today we are giving you yet another option, with support for encryption of
data volumes and the associated snapshots. You can now
encrypt data stored on an EBS volume at rest and in motion by setting a
single option.

When you create an encrypted EBS volume and attach it to a supported
instance type, data on the volume, disk I/O, and snapshots
created from the volume are all encrypted. The encryption occurs on
the servers that host the EC2 instances, providing encryption of
data as it moves between EC2 instances and EBS storage.

Enabling Encryption

You can enable EBS encryption when you create a new volume:

You can see the encryption state of each of your volumes from the


Adding encryption to a provisioned IOPS (PIOPS) volume will not
affect the provisioned performance. Encryption has a minimal effect
on I/O latency.

The snapshots that you take of an encrypted EBS
volume are also encrypted and can be moved between AWS Regions
as needed. You cannot share encrypted snapshots with other AWS
accounts and you cannot make them public.

As I mentioned earlier, your data is encrypted before it leaves the
EC2 instance. In order to be able to do this efficiently and with low
latency, the EBS encryption feature is only available on EC2’s M3, C3, R3,
CR1, G2, and I2 instances. You cannot attach an encrypted EBS volume
to other instance types.

Also, you cannot enable encryption for an existing EBS volume. Instead,
you must create a new, encrypted volume and copy the data from the
old one to the new one using the file manipulation tool of your
Rsync (Linux) and
Robocopy (Windows) are two
good options, but there are many others.

Each newly created volume gets a unique 256-bit AES key; volumes
created from encrypted snapshots share the key. You do not need to
manage the encryption keys because they are protected by our own key
management infrastructure, which implements strong logical and
physical security controls to prevent unauthorized access. Your data
and associated keys are encrypted using the industry-standard
AES-256 algorithm.

Encrypt Now

EBS encryption is available now in all eight of the commercial AWS Regions and you can start using it today! There is no charge for encryption
and it does not affect the published EBS Service Level Agreement (SLA) for availability.


Related posts