In this chapter, we are going to encrypt an EBS volume using customer-managed KMS keys. Volume encryption adds an extra layer of protection for your data against unwanted access or attacks: the data is encrypted at rest on the volume and decrypted only when accessed. Here we guide you through encrypting the EBS volume of a running EC2 instance.

Introduction

Elastic Block Storage (EBS) is the AWS cloud block storage service for persistent data. It keeps your data on a file system even after your EC2 instance is shut down, whether accidentally or deliberately. Volume encryption is needed to protect that data from the outside world. KMS is the AWS service for creating customer-managed keys, which we use to encrypt and decrypt the EBS volume holding your crucial data.

Prerequisites

The following prerequisites are required to proceed:

  • AWS account access.
  • A running EC2 instance with an attached EBS volume.

Contents

  • Step 1 — Login to AWS Account
  • Step 2 — Create customer managed KMS keys
  • Step 3 — Stop your EC2 Instance
  • Step 4 — Create an EBS Snapshot
  • Step 5 — Create new EBS volume from the snapshot
  • Step 6 — Detach the original EBS Volume
  • Step 7 — Start your EC2 instance

Step 1 — Login to AWS Account

Before going further, log in to your AWS account and check that you have access to the EC2 and KMS services.

Step 2 — Create customer managed KMS keys

You will have to create a customer-managed KMS key for volume encryption using the KMS service. Below is the image for your reference:

  • Create customer managed KMS keys using KMS service.


Step 3 — Stop your EC2 Instance

Stop your EC2 instance so that the encrypted EBS volume can be attached. Make sure you have full EC2 access to perform these operations.

Step 4 — Create an EBS Snapshot

Create an EBS snapshot of the volume you want to encrypt: select the volume, open the Actions menu and create the snapshot.

  • Create EBS snapshot of the volume.


Step 5 — Create new EBS volume from the snapshot

Next, create a new EBS volume from the snapshot you just created. While creating the volume you will get an option to enable encryption; enable it and select the KMS key you created for encryption, so the new volume is created from the snapshot with your KMS key attached.

  • Encrypt volume using KMS keys


Step 6 — Detach the original EBS Volume

Now detach the original EBS volume and attach your newly created, KMS-encrypted EBS volume to the EC2 instance, making sure the device name matches the original (/dev/xvda1, etc.).

Step 7 — Start your EC2 instance

You can now start your EC2 instance with the customer-managed KMS-encrypted EBS volume.
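The same seven-step procedure as an AWS CLI script, added here as an example that is not part of the original article. It goes slightly beyond the console steps: it looks up the root device name instead of hard-coding it, and it verifies the new volume reports Encrypted=True before reporting success. The instance id, the key alias, and the IAM permissions listed in the comments are constructed assumptions.

```shell
#!/bin/sh
# Steps 2-7 of the procedure above as an AWS CLI script (added example, not
# part of the original article). Constructed assumptions: the caller has full
# EC2 access plus kms:CreateGrant, kms:GenerateDataKey* and kms:Decrypt on the
# key, and passes an instance id and a key alias as arguments.
set -eu

# Step 2: create a customer-managed KMS key and give it a stable alias.
create_ebs_cmk() {                       # $1 = alias name, e.g. alias/ebs-cmk
  key_id=$(aws kms create-key --description "EBS volume encryption" \
             --query KeyMetadata.KeyId --output text)
  aws kms create-alias --alias-name "$1" --target-key-id "$key_id"
  echo "$key_id"
}

# Steps 3-7: snapshot the root volume, restore it encrypted, swap it in, restart.
encrypt_root_volume() {                  # $1 = instance id, $2 = key id/alias/ARN
  inst=$1; key=$2
  # Look up the root device name and AZ instead of hard-coding /dev/xvda1.
  info=$(aws ec2 describe-instances --instance-ids "$inst" --output text \
           --query 'Reservations[0].Instances[0].[RootDeviceName,Placement.AvailabilityZone]')
  dev=${info%%[[:space:]]*}; az=${info##*[[:space:]]}
  old=$(aws ec2 describe-volumes --filters "Name=attachment.instance-id,Values=$inst" \
          "Name=attachment.device,Values=$dev" --query 'Volumes[0].VolumeId' --output text)
  # Step 3: the root volume can only be swapped while the instance is stopped.
  aws ec2 stop-instances --instance-ids "$inst" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$inst"
  # Step 4: snapshot the (still unencrypted) original volume.
  snap=$(aws ec2 create-snapshot --volume-id "$old" \
           --description "unencrypted copy of $old" --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"
  # Step 5: restore the snapshot as an encrypted volume in the instance's AZ.
  new=$(aws ec2 create-volume --snapshot-id "$snap" --availability-zone "$az" \
          --encrypted --kms-key-id "$key" --query VolumeId --output text)
  aws ec2 wait volume-available --volume-ids "$new"
  # Step 6: swap the volumes on the same device name so the instance still boots.
  aws ec2 detach-volume --volume-id "$old" >/dev/null
  aws ec2 wait volume-available --volume-ids "$old"
  aws ec2 attach-volume --volume-id "$new" --instance-id "$inst" --device "$dev" >/dev/null
  # Step 7: start the instance, then verify rather than assume the result.
  aws ec2 start-instances --instance-ids "$inst" >/dev/null
  enc=$(aws ec2 describe-volumes --volume-ids "$new" --query 'Volumes[0].Encrypted' --output text)
  [ "$enc" = "True" ] || { echo "volume $new is not encrypted" >&2; return 1; }
  # The plaintext data still lives in $old and $snap; delete both once verified.
  echo "$new"
}

if [ "$#" -ge 2 ]; then encrypt_root_volume "$1" "$2"; fi
```

Note that a volume attached with attach-volume gets DeleteOnTermination=false regardless of what the original had, so check the instance's block device mapping afterwards if you rely on that attribute.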

Conclusion

Hopefully you have now applied customer-managed KMS key encryption to the EBS volume attached to your EC2 instance. Your volume is encrypted, and you have added an extra layer of security for your data.