In this chapter, we are going to encrypt an EBS volume using customer-managed KMS keys. Volume encryption adds an extra layer of protection against unwanted access and attacks by encrypting and decrypting your data. This guide shows how to encrypt the EBS volume of a running EC2 instance.
Introduction
Elastic Block Store (EBS) is an AWS cloud-based block storage system for storing persistent data. It lets you keep data persistently on a file system, even after you shut down your EC2 instance, whether accidentally or on purpose. Volume encryption is needed to secure your data from the outside world. KMS is an AWS service for creating customer-managed keys, which we can use to encrypt and decrypt the EBS volume containing your crucial data.
Prerequisites
We need the following prerequisites to proceed:
- AWS account access
- An EC2 instance running with an attached EBS volume
Step 1 – Create customer-managed KMS keys
Log in to your AWS account and check that you have access to the EC2 and KMS services.
Create a customer-managed KMS key in KMS to use for volume encryption.
Step 2 – Create an EBS snapshot
Before proceeding, stop your EC2 instance so that the encrypted EBS volume can be attached. Make sure you have EC2 full access to perform these operations.
Create an EBS snapshot of the volume you want to encrypt. Select the volume that you want to encrypt, then click Actions and create an EBS snapshot.
Step 3 – Create a new EBS volume from the snapshot
Next, create a new EBS volume from the snapshot you just created. While creating the volume, enable the encryption option and select the KMS key you created for encryption.
Now detach the original EBS volume and attach the newly created KMS-encrypted EBS volume to the EC2 instance. Make sure to match the device name (/dev/xvda1, etc.).
Once done, you can start your EC2 instance, which now runs with a customer-managed KMS encrypted EBS volume.
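The console procedure in Steps 2 and 3, written with the AWS CLI as an added example that is not part of the original tutorial. It assumes a configured AWS CLI, that the key from Step 1 is passed as a key ID, alias or ARN, and that the default volume type is acceptable; the function name encrypt_attached_volume is hypothetical.

```bash
#!/usr/bin/env bash
# Added example: Steps 2-3 with the AWS CLI. All IDs are supplied by the caller.
set -eu

# encrypt_attached_volume INSTANCE_ID VOLUME_ID KMS_KEY_ID (hypothetical helper)
# Prints the ID of the new encrypted volume on success.
encrypt_attached_volume() {
  local instance="$1" old_vol="$2" kms_key="$3"
  local device az snap new_vol encrypted

  # Record where the original volume is attached so the replacement matches it.
  device=$(aws ec2 describe-volumes --volume-ids "$old_vol" \
    --query 'Volumes[0].Attachments[0].Device' --output text)
  az=$(aws ec2 describe-volumes --volume-ids "$old_vol" \
    --query 'Volumes[0].AvailabilityZone' --output text)

  # Step 2: stop the instance, then snapshot the unencrypted volume.
  aws ec2 stop-instances --instance-ids "$instance" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance"
  snap=$(aws ec2 create-snapshot --volume-id "$old_vol" \
    --description "pre-encryption copy of $old_vol" \
    --query 'SnapshotId' --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"

  # Step 3: create the encrypted volume from the snapshot with the KMS key.
  new_vol=$(aws ec2 create-volume --snapshot-id "$snap" \
    --availability-zone "$az" --encrypted --kms-key-id "$kms_key" \
    --query 'VolumeId' --output text)
  aws ec2 wait volume-available --volume-ids "$new_vol"

  # Refuse to swap volumes unless the new one really is encrypted.
  encrypted=$(aws ec2 describe-volumes --volume-ids "$new_vol" \
    --query 'Volumes[0].Encrypted' --output text)
  if [ "$encrypted" != "True" ]; then
    echo "volume $new_vol is not encrypted; leaving $old_vol attached" >&2
    return 1
  fi

  # Swap the volumes on the same device name, then start the instance.
  aws ec2 detach-volume --volume-id "$old_vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$old_vol"
  aws ec2 attach-volume --volume-id "$new_vol" \
    --instance-id "$instance" --device "$device" >/dev/null
  aws ec2 start-instances --instance-ids "$instance" >/dev/null
  echo "$new_vol"
}

if [ "$#" -eq 3 ]; then encrypt_attached_volume "$@"; fi
```

The original volume and the snapshot are left in place and unencrypted, so delete them once the instance has been checked on the new volume.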
Conclusion
Hopefully, you have now applied customer-managed KMS key encryption to the EBS volume attached to your EC2 instance. Your volume is now encrypted, and you have added an extra layer of security for your data.