Amazon Elastic Compute Cloud
User Guide for Linux Instances

Amazon EBS Encryption

Amazon EBS encryption offers a simple encryption solution for your EBS volumes without the need to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

  • Data at rest inside the volume

  • All data moving between the volume and the instance

  • All snapshots created from the volume

  • All volumes created from those snapshots

Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.

You can encrypt both the boot and data volumes of an EC2 instance.

Encryption is supported by all EBS volume types (General Purpose SSD [gp2], Provisioned IOPS SSD [io1], Throughput Optimized HDD [st1], Cold HDD [sc1], and Magnetic [standard]). You can expect the same IOPS performance on encrypted volumes as on unencrypted volumes, with a minimal effect on latency. You can access encrypted volumes the same way that you access unencrypted volumes. Encryption and decryption are handled transparently and they require no additional action from you or your applications.

Public snapshots of encrypted volumes are not supported, but you can share an encrypted snapshot with specific accounts. For more information about sharing encrypted snapshots, see Sharing an Amazon EBS Snapshot.

Amazon EBS encryption is only available on certain instance types. You can attach both encrypted and unencrypted volumes to a supported instance type. For more information, see Supported Instance Types.

Encryption Key Management

Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMKs) when creating encrypted volumes and any snapshots created from them. A unique AWS-managed CMK is created for you automatically in each region where you store AWS assets. This key is used for Amazon EBS encryption unless you specify a customer-managed CMK that you created separately using AWS KMS.

Note

Creating your own CMK gives you more flexibility, including the ability to create, rotate, and disable keys to define access controls. For more information, see the AWS Key Management Service Developer Guide.

You cannot change the CMK that is associated with an existing snapshot or encrypted volume. However, you can associate a different CMK during a snapshot copy operation so that the resulting copied snapshot uses the new CMK.

EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm. The data key is stored on disk alongside your encrypted data, but only after EBS has encrypted it with your CMK; it never appears there in plaintext. The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots.

For more information about key management and key access permissions, see How Amazon Elastic Block Store (Amazon EBS) Uses AWS KMS and Authentication and Access Control for AWS KMS in the AWS Key Management Service Developer Guide.

Supported Instance Types

Amazon EBS encryption is available on the instance types listed below. You can attach both encrypted and unencrypted volumes to these instance types simultaneously.

  • General purpose: A1, M3, M4, M5, M5a, M5ad, M5d, T2, T3, and T3a

  • Compute optimized: C3, C4, C5, C5d, and C5n

  • Memory optimized: cr1.8xlarge, R3, R4, R5, R5d, X1, X1e, and z1d

  • Storage optimized: D2, h1.2xlarge, h1.4xlarge, I2, I3, and I3en

  • Accelerated computing: F1, G2, G3, P2, and P3

  • Bare metal: i3.metal, m5.metal, m5d.metal, r5.metal, r5d.metal, u-6tb1.metal, u-9tb1.metal, u-12tb1.metal, and z1d.metal

For more information about these instance types, see Amazon EC2 Instance Types.

Using Encryption Parameters with EBS Volumes

Customers apply encryption to EBS volumes using two parameters: Encrypted and KmsKeyId. The default effect of setting the Encrypted parameter depends on the source of the volume. Each default case can be overridden by specifying a custom CMK with the KmsKeyId parameter. The following table describes the encryption outcome for each possible combination of settings.

Encryption Outcomes

  Is Encrypted parameter set?  Source of volume                              Default (no CMK specified)  Custom (CMK specified)
  ---------------------------  --------------------------------------------  --------------------------  --------------------------
  No                           New (empty) volume                            Unencrypted                 N/A
  No                           Unencrypted snapshot that you own             Unencrypted                 N/A
  No                           Encrypted snapshot that you own               Encrypted to same key       N/A
  No                           Unencrypted snapshot that is shared with you  Unencrypted                 N/A
  No                           Encrypted snapshot that is shared with you    Encrypted to default CMK    N/A
  Yes                          New volume                                    Encrypted to default CMK    Encrypted to specified CMK
  Yes                          Unencrypted snapshot that you own             Encrypted to default CMK    Encrypted to specified CMK
  Yes                          Encrypted snapshot that you own               Encrypted to same key       Encrypted to specified CMK
  Yes                          Unencrypted snapshot that is shared with you  Encrypted to default CMK    Encrypted to specified CMK
  Yes                          Encrypted snapshot that is shared with you    Encrypted to default CMK    Encrypted to specified CMK

Creating New Empty Volumes with Encryption

At the time that you create a new, empty EBS volume, you can encrypt it to your default CMK by setting the Encrypted flag. To encrypt the volume to a custom CMK, you must provide a value for KmsKeyId as well. The volume is encrypted from the time it is first available, so your data is always secured. For detailed procedures, see Creating an Amazon EBS Volume.

By default, the same CMK that you selected when creating the volume encrypts the snapshots that you make from it and the volumes that you restore from those snapshots. You cannot remove encryption from an encrypted volume or snapshot, which means that a volume restored from an encrypted snapshot, or a copy of an encrypted snapshot, is always encrypted.

Changing the Encryption State of Your Data

Although there is no direct way to encrypt an existing unencrypted volume, you can encrypt (or re-encrypt) existing data by using either the CreateVolume or the CopySnapshot action, both of which support EBS encryption parameters. Using any CMK you own or have access to, you can apply a new encryption state to existing data as shown in the following scenarios. All of the actions shown can be performed with the EC2 console, AWS CLI, or AWS API. For more information, see Creating an Amazon EBS Volume and Copying an Amazon EBS Snapshot.

The following examples illustrate how these actions and the encryption parameters can be used to manage the encryption of your volumes and snapshots. (For a full list of encryption cases, see the table above.)

While Restoring a Volume from an Unencrypted Snapshot, Encrypt the Volume

A volume restored from an unencrypted snapshot is unencrypted by default, but you can optionally encrypt the resulting volume by setting the Encrypted flag. The following diagram illustrates the process.

[Diagram: Create an encrypted volume from an unencrypted snapshot]

If you leave out the KmsKeyId parameter, the resulting volume is encrypted to your default CMK. You can optionally include a key ID to encrypt the volume to a different CMK.

For more information, see Restoring an Amazon EBS Volume from a Snapshot.

While Restoring a Volume from an Encrypted Snapshot, Encrypt the Volume to a Different CMK

When the CreateVolume action operates on an encrypted snapshot, you have the option of re-encrypting it with a different CMK. The following diagram illustrates the process. You own two CMKs, CMK A and CMK B. The source snapshot is encrypted to CMK A. During volume creation, with the key ID of CMK B supplied as a parameter, the source data is automatically decrypted, then re-encrypted to CMK B.

[Diagram: Copy an encrypted snapshot and encrypt the copy to a new key.]

For more information, see Restoring an Amazon EBS Volume from a Snapshot.

While Copying an Unencrypted Snapshot, Encrypt the Copy

You can apply encryption to a snapshot while copying it. The following diagram shows how a copy action takes two parameters, a CMK's key ID and the encryption flag, to encrypt the copy to that CMK.

[Diagram: Create an encrypted snapshot from an unencrypted snapshot.]

Note

If you copy a snapshot and encrypt it to a new CMK, a complete (non-incremental) copy is always created, resulting in additional delay and storage costs.

To encrypt a volume's data by means of snapshot copying

  1. Copy the snapshot while applying encryption parameters. If you leave out the KmsKeyId parameter, the resulting snapshot is encrypted to your default CMK. You can optionally include a key ID to encrypt the snapshot to a different CMK.

  2. Restore the encrypted snapshot to a new volume, which is also encrypted.

For more information, see Copying an Amazon EBS Snapshot.

While Copying an Encrypted Snapshot, Encrypt the Copy to a Different CMK

The ability to encrypt a snapshot during copying allows you to apply a new CMK to an already-encrypted snapshot that you own. Volumes restored from the resulting copy are only accessible using the new CMK. The following diagram illustrates the process. You own two CMKs, CMK A and CMK B. The source snapshot is encrypted to CMK A. During copy, with the key ID of CMK B supplied as a parameter, the source data is automatically re-encrypted to CMK B.

[Diagram: Copy an encrypted snapshot and encrypt the copy to a new key.]

Note

If you copy a snapshot and encrypt it to a new CMK, a complete (non-incremental) copy is always created, resulting in additional delay and storage costs.

In a related scenario, you may choose to apply new encryption parameters to a copy of a snapshot that has been shared with you. By default, the copy is encrypted with a CMK shared by the snapshot's owner. However, we recommend that you create a copy of the shared snapshot using a different CMK that you control. This protects your access to the volume if the original CMK is compromised, or if the owner revokes the CMK for any reason.

The following procedure demonstrates how to create a copy of a snapshot that you own to a customer-managed CMK that you own.

To copy a snapshot that you own to a new custom CMK using the console

  1. Create a customer-managed CMK. For more information, see AWS Key Management Service Developer Guide.

  2. Create an EBS volume encrypted to (for this example) your AWS-managed CMK.

  3. Create a snapshot of your encrypted EBS volume. This snapshot is also encrypted to your AWS-managed CMK.

  4. On the Snapshots page, choose Actions, Copy.

  5. In the Copy Snapshot window, supply the complete ARN for your customer-managed CMK (in the form arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef) in the Master Key field, or choose it from the menu. Choose Copy.

The resulting snapshot copy, and all volumes restored from it, are encrypted to your customer-managed CMK.

The following procedure demonstrates how to make a copy of a shared encrypted snapshot to a new CMK that you own. For this to work, you also need access permissions to both the shared encrypted snapshot and to the CMK to which it was originally encrypted.

To copy a shared snapshot to a CMK that you own using the console

  1. Select the shared encrypted snapshot on the Snapshots page and choose Actions, Copy.

  2. In the Copy Snapshot window, supply the complete ARN for a CMK that you own (in the form arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef) in the Master Key field, or choose it from the menu. Choose Copy.

The resulting snapshot copy, and all volumes restored from it, are encrypted to the CMK that you supplied. Changes to the original shared snapshot, its encryption status, or the shared CMK have no effect on your copy.

For more information, see Copying an Amazon EBS Snapshot.
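The following is an added example, not code from this guide or from AWS: it carries out the two-step "encrypt a volume's data by means of snapshot copying" procedure and the "copy a shared snapshot to a CMK that you own" procedure above through a boto3-style EC2 client, and after each API call it reads the object back and checks that it is encrypted to the key that was intended, rather than assuming the outcome. The function names, the OfflineEC2 stand-in client and the DEFAULT_CMK ARN are constructed for this example; OfflineEC2 encodes only the outcome rules stated in this section (the Encryption Outcomes table, and the default of keeping the owner's CMK when a shared encrypted snapshot is copied) so that the example runs offline, and boto3.client("ec2") can be passed in its place.

```python
# Added example, not code from the AWS documentation: run this section's two
# snapshot-copy procedures through a boto3-style EC2 client and verify the
# resulting encryption state instead of assuming it. Function names, the
# OfflineEC2 stand-in and DEFAULT_CMK are constructed (ours, not the page's);
# OfflineEC2 mimics only the boto3 calls used here. Pass boto3.client("ec2")
# instead to run against a real account.
import re
import uuid

# ARN shape the console procedure asks for; account and key id below are the
# page's own placeholders, reused here as constructed test data.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
OWN_CMK = "arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef"
DEFAULT_CMK = "arn:aws:kms:us-east-1:012345678910:key/00000000-0000-0000-0000-000000000000"

def validate_key_arn(arn):
    """Refuse anything that is not a complete KMS key ARN before it reaches the API."""
    if not KEY_ARN_RE.match(arn):
        raise ValueError(f"not a full KMS key ARN: {arn!r}")
    return arn

def verify_encrypted(record, expected_key=None):
    """Raise unless a describe_* record is encrypted (to expected_key, if given)."""
    label = record.get("SnapshotId") or record.get("VolumeId")
    if not record.get("Encrypted"):
        raise RuntimeError(f"{label} is not encrypted")
    if expected_key is not None and record.get("KmsKeyId") != expected_key:
        raise RuntimeError(f"{label} is on {record.get('KmsKeyId')}, not {expected_key}")
    return record["KmsKeyId"]

def copy_snapshot_encrypted(ec2, source_region, snapshot_id, kms_key_id=None):
    """Copy with Encrypted=True. A KmsKeyId re-encrypts the copy to that CMK; omitting
    it leaves an encrypted source on its own CMK and puts an unencrypted one on the
    default CMK. Serves both to encrypt a snapshot and to bring a shared one onto
    a CMK you own."""
    kwargs = dict(SourceRegion=source_region, SourceSnapshotId=snapshot_id,
                  Encrypted=True, Description=f"encrypted copy of {snapshot_id}")
    if kms_key_id is not None:
        kwargs["KmsKeyId"] = validate_key_arn(kms_key_id)
    new_id = ec2.copy_snapshot(**kwargs)["SnapshotId"]
    snap = ec2.describe_snapshots(SnapshotIds=[new_id])["Snapshots"][0]
    verify_encrypted(snap, kms_key_id)
    return snap

def encrypt_via_snapshot_copy(ec2, region, snapshot_id, availability_zone, kms_key_id=None):
    """Two-step procedure: encrypted copy, then a volume restored from it. The
    volume must end up on the copy's CMK; that is checked, not assumed."""
    snap = copy_snapshot_encrypted(ec2, region, snapshot_id, kms_key_id)
    vol_id = ec2.create_volume(SnapshotId=snap["SnapshotId"], Encrypted=True,
                               AvailabilityZone=availability_zone)["VolumeId"]
    vol = ec2.describe_volumes(VolumeIds=[vol_id])["Volumes"][0]
    verify_encrypted(vol, snap["KmsKeyId"])
    return snap, vol

class OfflineEC2:
    """Constructed stand-in for boto3's EC2 client. Its outcome rules are the ones
    this section states (Encryption Outcomes table; a copy of a shared encrypted
    snapshot defaults to the owner's CMK); it models nothing else."""

    def __init__(self, default_cmk=DEFAULT_CMK):
        self.default_cmk, self.snapshots, self.volumes = default_cmk, {}, {}

    def seed_snapshot(self, encrypted=False, kms_key_id=None, owned=True):
        sid = f"snap-{uuid.uuid4().hex[:17]}"
        self.snapshots[sid] = {"SnapshotId": sid, "Encrypted": encrypted,
                               "KmsKeyId": kms_key_id, "owned": owned}
        return sid

    def copy_snapshot(self, SourceRegion, SourceSnapshotId, Encrypted=False,
                      KmsKeyId=None, Description=""):
        src = self.snapshots[SourceSnapshotId]
        if KmsKeyId:                 # re-encrypted to the specified CMK
            key = KmsKeyId
        elif src["Encrypted"]:       # default: the copy keeps the source's CMK
            key = src["KmsKeyId"]
        else:                        # unencrypted source: default CMK only if flagged
            key = self.default_cmk if Encrypted else None
        sid = f"snap-{uuid.uuid4().hex[:17]}"
        self.snapshots[sid] = {"SnapshotId": sid, "Encrypted": key is not None,
                               "KmsKeyId": key, "owned": True}
        return {"SnapshotId": sid}

    def create_volume(self, AvailabilityZone, SnapshotId=None, Encrypted=False,
                      KmsKeyId=None, Size=None):
        src = self.snapshots.get(SnapshotId)
        if KmsKeyId:                          # "Custom (CMK specified)" column
            key = KmsKeyId
        elif src and src["Encrypted"]:        # same key if owned, default CMK if shared
            key = src["KmsKeyId"] if src["owned"] else self.default_cmk
        else:                                 # empty or unencrypted source
            key = self.default_cmk if Encrypted else None
        vid = f"vol-{uuid.uuid4().hex[:17]}"
        self.volumes[vid] = {"VolumeId": vid, "Encrypted": key is not None, "KmsKeyId": key}
        return {"VolumeId": vid}

    def describe_snapshots(self, SnapshotIds):
        return {"Snapshots": [self.snapshots[s] for s in SnapshotIds]}

    def describe_volumes(self, VolumeIds):
        return {"Volumes": [self.volumes[v] for v in VolumeIds]}
```

Against a real account the same calls apply unchanged, with two additions the stand-in does not need: wait on the client's snapshot_completed and volume_available waiters before reading the objects back, and expect the describe calls to return the default CMK's real ARN rather than the placeholder used here. The read-back check is the point of the example: the copy and restore operations accept the encryption parameters silently, so confirming Encrypted and KmsKeyId on the result is the only way to know a shared snapshot has actually been moved onto a key you control.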

Note

You can also apply new encryption states when launching an instance from an EBS-backed AMI. This is because EBS-backed AMIs include snapshots of EBS volumes that can be manipulated as described. For more information about encryption options while launching an instance from an EBS-backed AMI, see AMIs with Encrypted Snapshots.

Amazon EBS Encryption and CloudWatch Events

Amazon EBS supports Amazon CloudWatch Events for certain encryption-related scenarios. For more information, see Amazon CloudWatch Events for Amazon EBS.