EBS Volumes—Why Should They Be Encrypted?

EBS volumes contain your data. While not all data can be classified as meaningful information, it is always useful. The question is, who will your data serve—you or a threat actor? If you want your data protected, keep it encrypted. Read on to learn more.

What Is EBS?

Elastic Block Store (EBS) is an on-demand block storage service offered by Amazon Web Services (AWS). ASW is responsible for the infrastructure of the service, and EBS customers gain access to a variety of block storage management controls.

EBS is ideal for the storage of large volumes of data, especially instances from Amazon’s Elastic Compute Cloud (EC2). EBS supports structured and unstructured data, which can be transferred and streamed from containers, applications, file systems, and big data engines.

What Is an EBS Volume?

In EBS, data volumes are stored in blocks. A block works like a storage unit—it has unique storage capabilities, including a certain level of read-write capacity, with a uniquely measured speed, and individual bandwidth and latency metrics that affect its performance. That means that you can set a unique behavior to each EBS volume block. To learn about some of the lesser-known functions of EBS volumes, see this blog.

On AWS’s side, there’s a server-based operating systems that orchestrates the entire operation. As a built-in backup default, the system replicates volumes into Availability Zone (AZ). EBS customers can change this through the use of the AWS platform, which provided features for optimizing the costs and performance of EBS volumes.

EBS Volume Types

Amazon EBS classifies volume types into two distinct categories of memory usage:

• Solid State Drives (SSD) Storage—for persistent data storage. EBS customers can choose between the default EBS General Purpose SSD (GP2), which balances performance costs, and EBS Provisioned IOPS SSD (IO1), which provides the highest level of speed. That makes IO1 the most expensive volume type.
• Hard Disk Drives (HDD) Storage—for a high level of throughput. EBS customers can choose between Throughput Optimized HDD (ST1), which provides a cost-effective storage module for throughput-intensive workloads, and Cold HDD (SC1), which provides a low-cost storage module for infrequently accessed workloads.

Why You Should Encrypt EBS Volumes

1. Security
Encryption is a security mechanism that converts plaintext (readable data) into ciphertext (unreadable encoding). Once plaintext data is encrypted, only a decryption key or a password can render it readable. That means that if a threat actor gains access to the data, they will need to steal or guess decryption keys. Otherwise, they won’t be able to read the data.

2. Convenience
EBS offers built-in encryption for EBS data volumes, EBS boot volumes and EBS snapshots. The encryption process occurs automatically, and you don’t need to manage encryption keys. This mechanism will protect your EBS volumes at rest, and data in transit that passes between EC2 servers. This encryption level is offered at no additional cost.

How Encryption Works in EBS

There are two levels of encryption in EBS—the free built-in encryption, and the AWS KMS (Key Management Service) which has free and paid tiers. As explained above, the built-in encryption is an automatic process that doesn’t require any effort on your part. However, the built-in encryption doesn’t include keys management. You can do that by using AWS KMS.

AWS KMS provides features for controlling the cryptographic operations run on EBS volumes. In simple words, KMS provides the infrastructure needed to manage encryption keys. Through the use of Customer Master Keys (CMKs), EBS customers can customize and controls keys according to the unique needs of applications and the access control of its users.

AWS KMS offers three different types of Customer Master Keys (CMKs):

• Customer-Managed CMKs—created and managed by KMS customers. You have full control over the amount, usage, and the subsequent pricing of the keys.
• AWS-Managed CMKs—created and managed by AWS. You can view the keys, but can’t manage them. These are created automatically in EBS when you create a volume.
• AWS-Owned CMKs—owned and managed by AWS. These keys aren’t subjected to pricing costs and usage limitation.

How to Encrypt an EBS Volume

The most common method of encrypting an EBS volume is creating a new EBS volume. Here’s how you can do that:

1. Go to the ‘Amazon EC2 Management Console’, click on ‘Volumes’, and then choose ‘Create Volume’.
2. Fill in the information of your volume, including type, size, and Availability Zone (AZ).
3. Select the ‘Encryption’ box which says ‘Encrypt this volume’. This will open up a box with a display of available CMKs.
4. Select the AWS-managed CMK, which may be listed as ‘(default) aws/ebs’. This will display the default KMS features for encryption.
5. Create your volume.

Once a volume is created, you won’t be able to change its encryption settings. If that happens, and you want to encrypt an existing encrypted EBS volume, you’ll first need to create an EBS snapshot and then turn it into an EBS volume. Here’s how to do that:

1. Locate and then select the unencrypted volume
2. Click on ‘Actions’, and then choose ‘Copy’.
3. Wait until the system finished creating your snapshot.
4. Go to ‘Elastic Block Store’, and choose ‘Snapshots’.
5. Locate your ned snapshot and select it.
6. Click on ‘Actions’, and then choose ‘Copy’.
7. Select the ‘Encryption’ box which says ‘Encrypt this snapshot’. This will open up a box with a display of available CMKs.
8. Choose the CMK of your preference (or use the default). This will display the details of your encryption key.
9. When ready, click ‘Copy’. This will create your snapshot, so be sure you like the configuration before clicking.
10. From the ‘Snapshot’ page, select your new snapshot.
11. Click on ‘Actions’, and then choose ‘Create Volume’.
12. Your volume’s ‘Encryption’ settings will be set to ‘True’. That means the volume’s encryption will be identical to that of the snapshot. You will not be able to change this.

It’s a Wrap!

Encryption protects your data. You can use the built-in (and free) EBS encryption feature. If you want an organized keys management system, use KVM. It has a free tier, and when you reach high volumes you won’t regret setting it up. It’ll save you from drowning under mismanaged keys. Encryption in EBS is easy and simple and well worth the few clicks you’ll need to set it up.