Encryption is an important part of any data protection strategy, so today we are showing how encryption for EBS boot volumes works.
This will aid your security, compliance, and auditing efforts by allowing you to verify that all of the data you store on EBS is encrypted. Further, because this feature uses KMS, you can track and audit every use of the encryption keys.
Creating an Encrypted EBS Boot Volume
First of all, you need to create the key you will use to encrypt the boot volume. This is done in IAM.
Note that the key must be created in the same region in which you want to encrypt the boot volume, since KMS keys are regional.
For our example, we will encrypt the boot volume of an AWS Marketplace AMI, in our case a Debian 8.4 image. You need the AMI ID, which can be obtained from the Debian wiki.
If you want to encrypt an existing system, you will first need to create an AMI from that system.
Once you have the AMI ID, the last step is to copy the image and provide the encryption key.
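Added example (not part of the original post): an offline Python audit of the two things this procedure depends on. `key_usable_in_region` checks that a KMS key ARN belongs to the region you are copying the image into, the constraint noted above, and `audit_volumes` runs over `describe-volumes` output and flags volumes that are unencrypted or encrypted with a key other than the one you created. All ARNs, volume IDs and the sample output are constructed.

```python
import json
import re

# Key ARN shape: arn:<partition>:kms:<region>:<account>:key/<uuid>
KMS_KEY_ARN = re.compile(
    r"^arn:aws[\w-]*:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<id>[0-9a-f-]{36})$"
)

def kms_key_region(key_arn: str) -> str:
    """Return the region encoded in a KMS key ARN (aliases and bare key IDs are rejected)."""
    m = KMS_KEY_ARN.match(key_arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {key_arn!r}")
    return m.group("region")

def key_usable_in_region(key_arn: str, region: str) -> bool:
    """Pre-flight check: KMS keys are regional, so the key must live where the AMI copy lands."""
    return kms_key_region(key_arn) == region

def audit_volumes(describe_volumes: dict, expected_key_arn: str) -> dict:
    """Map VolumeId -> finding for volumes that are unencrypted or use another key; {} means all pass."""
    findings = {}
    for vol in describe_volumes.get("Volumes", []):
        if not vol.get("Encrypted", False):
            findings[vol["VolumeId"]] = "not encrypted"
        elif vol.get("KmsKeyId") != expected_key_arn:
            findings[vol["VolumeId"]] = f"encrypted with unexpected key {vol.get('KmsKeyId')}"
    return findings

# Constructed values (not real accounts or keys): the key you created, plus the
# account's AWS-managed default EBS key, which a copy without --kms-key-id falls back to.
MY_KEY = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-4000-8000-000000000001"
DEFAULT_EBS_KEY = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-4000-8000-0000000000ff"

# Constructed describe-volumes output: one good volume, one plaintext, one on the default key.
SAMPLE_DESCRIBE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaaaaaaaaaaaaaa1", "AvailabilityZone": "eu-west-1a",
     "Encrypted": True, "KmsKeyId": MY_KEY},
    {"VolumeId": "vol-0bbbbbbbbbbbbbbb2", "AvailabilityZone": "eu-west-1a",
     "Encrypted": False},
    {"VolumeId": "vol-0ccccccccccccccc3", "AvailabilityZone": "eu-west-1b",
     "Encrypted": True, "KmsKeyId": DEFAULT_EBS_KEY},
]}

if __name__ == "__main__":
    print("key usable in eu-west-1:", key_usable_in_region(MY_KEY, "eu-west-1"))
    print(json.dumps(audit_volumes(SAMPLE_DESCRIBE_VOLUMES, MY_KEY), indent=2))
```

To audit a real account, replace the constructed dict with `json.load` of the output of `aws ec2 describe-volumes --region <region>`.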
Using an Encrypted EBS Boot Volume
After you create your new AMI, you can use it to launch new instances as usual. You don’t need to make any other changes to your code or your operational practices.