Encrypted Root device Volumes in AWS

Encryption is an important part of any data protection strategy. Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.

You can encrypt your volume either at the time of launching your EC2 instance or after the instance is launched.


1. Encryption While launching EC2 instance:

While creating your instance  add Encryption in the following step:

Step 4 : Storage

Add Storage : Extra or new volume can also be added to instance.

Now comes the important thing, look at the Encryption, by default it is not encrypted. Use default AWS key to encrypt your root volume.

Follow rest of the steps as you did before and launch the instance.

When the Instance state is running, click Volumes under ELASTIC BLOCK STORE section.

Select the Volume, in the Description you can see Encryption: Encrypted. Hence the volume has been encrypted while launching EC2 instance.

2. Encryption After launching EC2 instance:

Launch the instance in the same way as you have done above, except the 4th step in storage settings, leave encryption as default that is unencrypted.

Name your instances so that you don’t get confused.

Both the instances are running, click Volumes under the ELASTIC BLOCK STORE section.

Name your volumes as volume1 and volume2 to avoid confusion. Select Volume2 , in the Description you can see Encryption: Not Encrypted.

To encrypt volume after launching the instance, follow the steps:

Create Snapshot of the volume :

To learn creating Snapshot click here.

  • Select the Volume2, click Actions, click Create Snapshot.

  • Fill the description about your snapshot, you can also add tags and create snapshot.

Copy Snapshot:

  • Click Snapshots under the ELASTIC BLOCK STORE section, select your snapshot, click Actions and then click Copy.

  • Now comes the most important thing, when copying snapshot enable encryption.

  • Snapshot has been created and you can give it some name like copy_snap.

Create AMI using encrypted snapshot :

  •  Select snapshot you copied : copy_snap, click Actions and then click Create image.

  • Fill the sections of Name and Description, you can add Kernel ID, RAM disk ID and add new volume to the image. For now leave it as default and click Create.

  • Check the image created in AMIs under Images section.

The image you created can be used to create new EC2 instance with encrypted root volume. Select image and then click launch.

Things to remember:

When you launch EC2 instance using encrypted AMI you cannot change encrypted to unencrypted.

Snapshots can be shared with other AWS account or made public only if they are unencrypted.