Amazon EBS encryption - Amazon EBS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon EBS encryption

Use Amazon EBS encryption as a straightforward encryption solution for the EBS resources associated with your EC2 instances. With Amazon EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. Amazon EBS encryption uses Amazon KMS keys when creating encrypted volumes and snapshots.

Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.

You can attach both encrypted and unencrypted volumes to an instance simultaneously.

How EBS encryption works

You can encrypt both the boot and data volumes of an EC2 instance.

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

  • Data at rest inside the volume

  • All data moving between the volume and the instance

  • All snapshots created from the volume

  • All volumes created from those snapshots

Amazon EBS encrypts your volume with a data key using industry-standard AES-256 data encryption. The data key is generated by Amazon KMS and then encrypted by Amazon KMS with your Amazon KMS key prior to being stored with your volume information. All snapshots, and any subsequent volumes created from those snapshots using the same Amazon KMS key share the same data key. For more information, see Data keys in the Amazon Key Management Service Developer Guide.

Amazon EC2 works with Amazon KMS to encrypt and decrypt your EBS volumes in slightly different ways depending on whether the snapshot from which you create an encrypted volume is encrypted or unencrypted.

How EBS encryption works when the snapshot is encrypted

When you create an encrypted volume from an encrypted snapshot that you own, Amazon EC2 works with Amazon KMS to encrypt and decrypt your EBS volumes as follows:

  1. Amazon EC2 sends a GenerateDataKeyWithoutPlaintext request to Amazon KMS, specifying the KMS key that you chose for volume encryption.

  2. If the volume is encrypted using the same KMS key as the snapshot, Amazon KMS uses the same data key as the snapshot and encrypts it under that same KMS key. If the volume is encrypted using a different KMS key, Amazon KMS generates a new data key and encrypts it under the KMS key that you specified. The encrypted data key is sent to Amazon EBS to be stored with the volume metadata.

  3. When you attach the encrypted volume to an instance, Amazon EC2 sends a CreateGrant request to Amazon KMS so that it can decrypt the data key.

  4. Amazon KMS decrypts the encrypted data key and sends the decrypted data key to Amazon EC2.

  5. Amazon EC2 uses the plaintext data key in the Nitro hardware to encrypt disk I/O to the volume. The plaintext data key persists in memory as long as the volume is attached to the instance.

How EBS encryption works when the snapshot is unencrypted

When you create an encrypted volume from an unencrypted snapshot, Amazon EC2 works with Amazon KMS to encrypt and decrypt your EBS volumes as follows:

  1. Amazon EC2 sends a CreateGrant request to Amazon KMS, so that it can encrypt the volume that is created from the snapshot.

  2. Amazon EC2 sends a GenerateDataKeyWithoutPlaintext request to Amazon KMS, specifying the KMS key that you chose for volume encryption.

  3. Amazon KMS generates a new data key, encrypts it under the KMS key that you chose for volume encryption, and sends the encrypted data key to Amazon EBS to be stored with the volume metadata.

  4. Amazon EC2 sends a Decrypt request to Amazon KMS to get the encryption key to encrypt the volume data.

  5. When you attach the encrypted volume to an instance, Amazon EC2 sends a CreateGrant request to Amazon KMS, so that it can decrypt the data key.

  6. When you attach the encrypted volume to an instance, Amazon EC2 sends a Decrypt request to Amazon KMS, specifying the encrypted data key.

  7. Amazon KMS decrypts the encrypted data key and sends the decrypted data key to Amazon EC2.

  8. Amazon EC2 uses the plaintext data key in the Nitro hardware to encrypt disk I/O to the volume. The plaintext data key persists in memory as long as the volume is attached to the instance.

For more information, see How Amazon Elastic Block Store (Amazon EBS) uses Amazon KMS and Amazon EC2 example two in the Amazon Key Management Service Developer Guide.

How unusable KMS keys affect data keys

When a KMS key becomes unusable, the effect is almost immediate (subject to eventual consistency). The key state of the KMS key changes to reflect its new condition, and all requests to use the KMS key in cryptographic operations fail.

When you perform an action that makes the KMS key unusable, there is no immediate effect on the EC2 instance or the attached EBS volumes. Amazon EC2 uses the data key, not the KMS key, to encrypt all disk I/O while the volume is attached to the instance.

However, when the encrypted EBS volume is detached from the EC2 instance, Amazon EBS removes the data key from the Nitro hardware. The next time the encrypted EBS volume is attached to an EC2 instance, the attachment fails, because Amazon EBS cannot use the KMS key to decrypt the volume's encrypted data key. To use the EBS volume again, you must make the KMS key usable again.

Tip

If you no longer want access to data stored in an EBS volume encrypted with a data key generated from a KMS key that you intend to make unusable, we recommend that you detach the EBS volume from the EC2 instance before you make the KMS key unusable.

For more information, see How unusable KMS keys affect data keys in the Amazon Key Management Service Developer Guide.

Encrypt EBS resources

You encrypt EBS volumes by enabling encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt.

When you encrypt a volume, you can specify the symmetric encryption KMS key to use to encrypt the volume. If you do not specify a KMS key, the KMS key that is used for encryption depends on the encryption state of the source snapshot and its ownership. For more information, see the encryption outcomes table.

Note

If you are using the API or Amazon CLI to specify a KMS key, be aware that Amazon authenticates the KMS key asynchronously. If you specify a KMS key ID, an alias, or an ARN that is not valid, the action can appear to complete, but it eventually fails.

You cannot change the KMS key that is associated with an existing snapshot or volume. However, you can associate a different KMS key during a snapshot copy operation so that the resulting copied snapshot is encrypted by the new KMS key.

Encrypt an empty volume on creation

When you create a new, empty EBS volume, you can encrypt it by enabling encryption for the specific volume creation operation. If you enabled EBS encryption by default, the volume is automatically encrypted using your default KMS key for EBS encryption. Alternatively, you can specify a different symmetric encryption KMS key for the specific volume creation operation. The volume is encrypted by the time it is first available, so your data is always secured. For detailed procedures, see Create an Amazon EBS volume.

By default, the KMS key that you selected when creating a volume encrypts the snapshots that you make from the volume and the volumes that you restore from those encrypted snapshots. You cannot remove encryption from an encrypted volume or snapshot, which means that a volume restored from an encrypted snapshot, or a copy of an encrypted snapshot, is always encrypted.

Public snapshots of encrypted volumes are not supported, but you can share an encrypted snapshot with specific accounts. For detailed directions, see Share an Amazon EBS snapshot.

Encrypt unencrypted resources

You cannot directly encrypt existing unencrypted volumes or snapshots. However, you can create encrypted volumes or snapshots from unencrypted volumes or snapshots. If you enable encryption by default, Amazon EBS automatically encrypts new volumes and snapshots using your default KMS key for EBS encryption. Otherwise, you can enable encryption when you create an individual volume or snapshot, using either the default KMS key for Amazon EBS encryption or a symmetric customer managed encryption key. For more information, see Create an Amazon EBS volume and Copy an Amazon EBS snapshot.

To encrypt the snapshot copy to a customer managed key, you must both enable encryption and specify the KMS key, as shown in Copy an unencrypted snapshot (encryption by default not enabled).

Important

Amazon EBS does not support asymmetric encryption KMS keys. For more information, see Using Symmetric and Asymmetric encryption KMS keys in the Amazon Key Management Service Developer Guide.

You can also apply new encryption states when launching an instance from an EBS-backed AMI. This is because EBS-backed AMIs include snapshots of EBS volumes that can be encrypted as described. For more information, see Use encryption with EBS-backed AMIs.
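A defender-side check that follows from this section and from the section on unusable KMS keys above, as an added example (not AWS code): it reads the JSON that `aws ec2 describe-volumes`, `aws ec2 get-ebs-encryption-by-default` and `aws kms describe-key` return and reports volumes that are unencrypted, volumes encrypted under a key other than the one you have approved, and volumes whose KMS key is no longer usable (so the next attach will fail). The sample volumes, instance id, account id and key ARNs are constructed placeholders, and the "approved key" policy is an assumption of this example.

```python
import json

# Constructed sample data (placeholders, not real resources), shaped like the JSON from
# `aws ec2 describe-volumes`, `aws ec2 get-ebs-encryption-by-default` and `aws kms describe-key`.
APPROVED_KEY_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OLD_KEY_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"

DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": False, "State": "in-use",
     "Attachments": [{"InstanceId": "i-0123456789abcdef0"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": True, "KmsKeyId": APPROVED_KEY_ARN,
     "State": "available", "Attachments": []},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": True, "KmsKeyId": OLD_KEY_ARN,
     "State": "in-use", "Attachments": [{"InstanceId": "i-0123456789abcdef0"}]},
]})
ENCRYPTION_BY_DEFAULT = json.dumps({"EbsEncryptionByDefault": False})
DESCRIBE_KEY = {  # one describe-key result per key ARN
    APPROVED_KEY_ARN: json.dumps({"KeyMetadata": {"Arn": APPROVED_KEY_ARN, "KeyState": "Enabled"}}),
    OLD_KEY_ARN: json.dumps({"KeyMetadata": {"Arn": OLD_KEY_ARN, "KeyState": "PendingDeletion"}}),
}


def audit_volumes(volumes_json, by_default_json, describe_key_by_arn, approved_key_arn):
    """Return (resource, finding, remediation) tuples for the encryption issues this page describes."""
    findings = []
    if not json.loads(by_default_json)["EbsEncryptionByDefault"]:
        findings.append(("account", "encryption-by-default-off",
                         "volumes created without an explicit KMS key will be unencrypted"))
    for vol in json.loads(volumes_json)["Volumes"]:
        vid = vol["VolumeId"]
        if not vol["Encrypted"]:
            findings.append((vid, "unencrypted",
                             "cannot be encrypted in place: snapshot it, copy the snapshot with encryption, restore"))
            continue
        key_arn = vol["KmsKeyId"]
        if key_arn != approved_key_arn:
            findings.append((vid, "unapproved-key",
                             f"encrypted under {key_arn}; the key cannot be changed on the volume, re-key via snapshot copy"))
        meta = describe_key_by_arn.get(key_arn)  # missing entry: key not visible to this account
        state = json.loads(meta)["KeyMetadata"]["KeyState"] if meta else "NotFound"
        if state != "Enabled":
            prefix = "I/O continues while attached, but " if vol["Attachments"] else ""
            findings.append((vid, "key-" + state.lower(),
                             prefix + "the next attach fails until the KMS key is made usable again"))
    return findings


if __name__ == "__main__":
    for resource, finding, remediation in audit_volumes(DESCRIBE_VOLUMES, ENCRYPTION_BY_DEFAULT,
                                                        DESCRIBE_KEY, APPROVED_KEY_ARN):
        print(f"{resource:22} {finding:26} {remediation}")
```

On the sample data the check reports four findings: encryption by default is off, the first volume is unencrypted, and the third volume is both encrypted under a non-approved key and backed by a key that is pending deletion while still attached. Run against live output, the key-state finding is the one to act on first, since the volume keeps working until it is detached and then cannot be reattached.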

Rotating Amazon KMS keys

Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your KMS key, you can create a new KMS key, and then change your applications or aliases to use the new KMS key. Or, you can enable automatic key rotation for an existing KMS key.

When you enable automatic key rotation for a KMS key, Amazon KMS generates new cryptographic material for the KMS key every year. Amazon KMS saves all previous versions of the cryptographic material so you can decrypt any data encrypted with that KMS key. Amazon KMS does not delete any rotated key material until you delete the KMS key.

When you use a rotated KMS key to encrypt data, Amazon KMS uses the current key material. When you use the rotated KMS key to decrypt data, Amazon KMS uses the version of the key material that was used to encrypt it. You can safely use a rotated KMS key in applications and Amazon services without code changes.

Note

Automatic key rotation is supported only for symmetric customer managed keys with key material that Amazon KMS creates. Amazon KMS automatically rotates Amazon managed keys every year. You can't enable or disable key rotation for Amazon managed keys.

For more information, see Rotating KMS keys in the Amazon Key Management Service Developer Guide.
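The key hierarchy described in "How EBS encryption works", the behaviour of unusable KMS keys, and the transparency of key rotation can all be checked against a small model. The following is an added example, not AWS or EBS code: an in-memory stand-in for the KMS calls the page names (GenerateDataKeyWithoutPlaintext, Decrypt, rotation, disabling a key) and a toy volume that holds its plaintext data key only while attached. The HMAC-SHA256 counter-mode keystream is an assumed stand-in for the AES-256 that EBS actually uses, key ids are constructed, and the Nitro hardware is represented by an attribute; the point is the key hierarchy, not the cipher.

```python
import hashlib, hmac, secrets
from collections import namedtuple


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES-256 (an assumption, not the real cipher): HMAC-SHA256
    counter-mode keystream XORed with the data; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class ToyKMS:
    """In-memory stand-in for the KMS calls named on this page (key ids are constructed)."""
    def __init__(self):
        self._keys = {}  # key_id -> {"materials": [version0, version1, ...], "state": str}
    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(4)
        self._keys[key_id] = {"materials": [secrets.token_bytes(32)], "state": "Enabled"}
        return key_id
    def rotate_key(self, key_id: str) -> None:  # new material appended, old versions kept
        self._entry(key_id)["materials"].append(secrets.token_bytes(32))
    def disable_key(self, key_id: str) -> None:  # any action that makes the key unusable
        self._keys[key_id]["state"] = "Disabled"
    def _entry(self, key_id: str) -> dict:
        entry = self._keys[key_id]
        if entry["state"] != "Enabled":
            raise PermissionError(f"{key_id} is {entry['state']}: cryptographic operations fail")
        return entry
    def encrypt(self, key_id: str, plaintext: bytes) -> dict:
        materials = self._entry(key_id)["materials"]
        version, nonce = len(materials) - 1, secrets.token_bytes(16)  # current material encrypts
        return {"key_id": key_id, "version": version, "nonce": nonce,
                "ct": xor_stream(materials[version], nonce, plaintext)}
    def generate_data_key_without_plaintext(self, key_id: str) -> dict:
        return self.encrypt(key_id, secrets.token_bytes(32))  # only the wrapped key leaves KMS
    def decrypt(self, wrapped: dict) -> bytes:  # uses the material version that encrypted it
        materials = self._entry(wrapped["key_id"])["materials"]
        return xor_stream(materials[wrapped["version"]], wrapped["nonce"], wrapped["ct"])


Snapshot = namedtuple("Snapshot", "wrapped_data_key data")  # wrapped_data_key None => unencrypted


class Volume:
    """Wrapped data key = stored metadata; plaintext key (_dk) exists only while attached."""
    def __init__(self, kms: ToyKMS, wrapped_data_key: dict, ciphertext: bytes = b""):
        self.kms, self.wrapped_data_key, self._ct, self._dk = kms, wrapped_data_key, ciphertext, None
    def attach(self) -> None:  # CreateGrant + Decrypt: the only step that needs the KMS key
        self._dk = self.kms.decrypt(self.wrapped_data_key)
    def detach(self) -> None:  # EBS removes the data key from the Nitro hardware
        self._dk = None
    def _key(self) -> bytes:
        if self._dk is None:
            raise RuntimeError("volume not attached")
        return self._dk
    def write(self, data: bytes) -> None:
        self._ct = xor_stream(self._key(), b"vol", data)  # toy: one fixed nonce per volume
    def read(self) -> bytes:
        return xor_stream(self._key(), b"vol", self._ct)
    def snapshot(self) -> Snapshot:
        return Snapshot(self.wrapped_data_key, self._ct)  # same data key, same ciphertext


def create_volume(kms: ToyKMS, kms_key_id: str, snapshot: Snapshot = None) -> Volume:
    """The two flows above: reuse the snapshot's data key only when the snapshot is
    encrypted under the same KMS key; otherwise generate a new data key and re-encrypt."""
    src = snapshot.wrapped_data_key if snapshot else None
    if src is not None and src["key_id"] == kms_key_id:
        return Volume(kms, src, snapshot.data)
    vol = Volume(kms, kms.generate_data_key_without_plaintext(kms_key_id))
    if snapshot is not None:  # Decrypt the new data key, then encrypt the copied data under it
        plain = snapshot.data if src is None else xor_stream(kms.decrypt(src), b"vol", snapshot.data)
        vol.attach(); vol.write(plain); vol.detach()
    return vol


def demo() -> dict:
    """Walk the scenarios in the text; every value is True when the model matches it."""
    kms, data = ToyKMS(), b"payroll records"
    key_a, key_b = kms.create_key(), kms.create_key()
    vol = create_volume(kms, key_a)
    vol.attach(); vol.write(data)
    snap = vol.snapshot()
    same, other = create_volume(kms, key_a, snap), create_volume(kms, key_b, snap)
    r = {"same_kms_key_shares_data_key": same.wrapped_data_key is snap.wrapped_data_key,
         "other_kms_key_gets_new_data_key": other.wrapped_data_key["key_id"] == key_b}
    kms.rotate_key(key_a)                    # old wrapped data key still decrypts afterwards
    vol.detach(); vol.attach()
    r["rotation_is_transparent"] = vol.read() == data
    kms.disable_key(key_a)                   # no effect while the volume stays attached...
    r["io_continues_while_attached"] = vol.read() == data
    vol.detach()                             # ...but the data key is gone once detached
    try:
        vol.attach(); r["reattach_fails_when_key_unusable"] = False
    except PermissionError:
        r["reattach_fails_when_key_unusable"] = True
    other.attach(); r["other_kms_key_volume_unaffected"] = other.read() == data
    return r
```

Calling `demo()` returns six True flags. The two worth dwelling on are the last three lines of the disable sequence: disabling the KMS key changes nothing for a volume that is still attached, because the plaintext data key is already in memory, and the failure only surfaces on the next attach, which is why the Tip above recommends detaching first when the intent is to cut off access.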