Note: By default, an instance type that includes an NVMe instance store encrypts data at rest using an XTS-AES-256 block cipher. See this FAQ about NVMe-supported instance types. If youre using an NVMw instance type, then data at rest is encrypted by default, and this post doesnt apply to your situation.
Encrypting data at rest is vital for regulatory compliance to ensure that sensitive data saved on disks is not readable by any user or application without a valid key. Some compliance regulations such as PCI DSS and HIPAA require that data at rest be encrypted throughout the data lifecycle. To this end, AWS provides data-at-rest options and key management to support the encryption process. For example, you can encrypt Amazon EBS volumes and configure Amazon S3 buckets for server-side encryption (SSE) using AES-256 encryption. Additionally, Amazon RDS supports Transparent Data Encryption (TDE).
Instance storage provides temporary block-level storage for Amazon EC2 instances. This storage is located on disks attached physically to a host computer. Instance storage is ideal for temporary storage of information that frequently changes, such as buffers, caches, and scratch data. By default, files stored on these disks are not encrypted.
In this blog post, I show a method for encrypting data on Linux EC2 instance stores by using Linux built-in libraries. This method encrypts files transparently, which protects confidential data. As a result, applications that process the data are unaware of the disk-level encryption.
First, though, I will provide some background information required for this solution.
You can use two methods to encrypt files on instance stores. The first method is disk encryption, in which the entire disk or block within the disk is encrypted by using one or more encryption keys. Disk encryption operates below the file-system level, is operating-system agnostic, and hides directory and file information such as name and size. Encrypting File System, for example, is a Microsoft extension to the Windows NT operating systems New Technology File System (NTFS) that provides disk encryption.
The second method is file-system-level encryption. Files and directories are encrypted, but not the entire disk or partition. File-system-level encryption operates on top of the file system and is portable across operating systems.
Dm-crypt is a Linux kernel-level encryption mechanism that allows users to mount an encrypted file system. Mounting a file system is the process in which a file system is attached to a directory (mount point), making it available to the operating system. After mounting, all files in the file system are available to applications without any additional interaction; however, these files are encrypted when stored on disk.
Device mapper is an infrastructure in the Linux 2.6 and 3.x kernel that provides a generic way to create virtual layers of block devices. The device mapper crypt target provides transparent encryption of block devices using the kernel crypto API. The solution in this post uses dm-crypt in conjunction with a disk-backed file system mapped to a logical volume by the Logical Volume Manager (LVM). LVM provides logical volume management for the Linux kernel.
The following diagram depicts the relationship between an application, file system, and dm-crypt. Dm-crypt sits between the physical disk and the file system, and data written from the operating system to the disk is encrypted. The application is unaware of such disk-level encryption. Applications use a specific mount point in order to store and retrieve files, and these files are encrypted when stored to disk. If the disk is lost or stolen, the data on the disk is useless.
In this post, I create a new file system called secretfs. This file system is encrypted using dm-crypt. This example uses LVM and Linux Unified Key Setup (LUKS) to encrypt a file system. The encrypted file system sits on the EC2 instance store disk. Note that the internal store file system is not encrypted but rather a newly created file system.
The following diagram shows how the newly encrypted file system resides in the EC2 internal store disk. Applications that need to save sensitive data temporarily will use the secretfs mount point (/mnt/secretfs) directory to store temporary or scratch files.
This solution has three requirements for the solution to work. First, you need to configure the related items on boot using EC2 launch configuration because the encrypted file system is created at boot time. An administrator should have full control over every step and should be able to grant and revoke the encrypted file system creation or access to keys. Second, you must enable logging for every encryption or decryption request by using AWS CloudTrail. In particular, logging is critical when the keys are created and when an EC2 instance requests password decryption to unlock an encrypted file system. Lastly, you should integrate the solution with other AWS services, as described in the next section.
I use the following AWS services in this solution:
The following high-level architectural diagram illustrates the solution proposed in order to enable EC2 instance store encrypting. A detailed implementation plan follows in the next section.
In this architectural diagram:
First, you create a bucket for storing the file that holds the encrypted password. This password (key) will be used to encrypt the file system. Each EC2 instance upon boot copies the file, reads the encrypted password, decrypts the password, and retrieves the plaintext password, which is used to encrypt the file system on the instance store disk.
In this step, you create the S3 bucket that stores the encrypted password file, and apply the necessary permissions. If you are using an Amazon VPC endpoint for Amazon S3, you also need to add permissions to the bucket to allow access from the endpoint. (For a detailed example, see Example Bucket Policies for VPC Endpoints for Amazon S3.)
To create a new bucket:
When an EC2 instance boots, it must read the encrypted password file from S3 and then decrypt the password using KMS. In this section, I configure an IAM policy that allows the EC2 instance to assume a role with the right access permissions to the S3 bucket. The following policy grants the correct access permissions, in which your-bucket-name is the S3 bucket that stores the encrypted password file.
To create and configure the IAM policy:
The preceding policy grants read access to the bucket where the encrypted password is stored. This policy is used by the EC2 instance, which requires you to configure an IAM role. You will configure KMS permissions later in this post.
You now should have a new IAM role listed on the Roles page. ChooseRoles to list all roles in your account and then select the role you just created as shown in the following screenshot.
Next, you use KMS to encrypt a secret password. To encrypt text by using KMS, you must use AWS CLI. AWS CLI is installed by default on EC2 Amazon Linux instances and you caninstallit on Linux, Windows, or Mac computers.
To encrypt a secret password with KMS and store it in the S3 bucket:
The preceding commands encrypt the password (Base64 is used to decode the cipher text). The command outputs the results to a file called LuksInternalStorageKey. It also creates a key alias (key name) that makes it easy to identify different keys; the alias is called EncFSForEC2InternalStorageKey. The file is then copied to the S3 bucket I created earlier in this post.
Next, you grant the role access to the key you just created with KMS:
In this section, you launch a new EC2 instance with the new IAM role and a bootstrap script that executes the steps to encrypt the file system, as described earlier in the Architectural overview section:
You can list the encrypted file systems status. First, SSH to the EC2 instance using the key pair you used to launch the EC2 instance. (For more information about logging in to an EC2 instance using a key pair, see Getting Started with Amazon EC2 Linux Instances.) Then, run the following command as root.
As the commands results should show, the file system is encrypted with AES-256 using XTS mode. XTS is a configuration method that allows ciphers to work with large data streams, without the risk of compromising the provided security.
This blog post shows you how to encrypt a file system on EC2 instance storage by using built-in Linux libraries and drivers with LVM and LUKS, in conjunction with AWS services such as S3 and KMS. If your applications need temporary storage, you can use an EC2 internal disk that is physically attached to the host computer. The data on instance stores persists only during the lifetime of its associated instance. However, instance store volumes are not encrypted. This post provides a simple solution that balances between the speed and availability of instance stores and the need for encryption at rest when dealing with sensitive data.
If you have comments about this blog post, submit them in the Comments section below. If you have implementation questions about the solution in this post, please start a new thread on the EC2 forum.
Want more AWS Security news? Follow us on Twitter.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.
- Encryption Software Market Worth $20.1 Billion by 2025 - Exclusive Report by MarketsandMarkets - Yahoo Finance - June 18th, 2020
- Zoom says free users will get end-to-end encryption after all - The Verge - June 18th, 2020
- Zoom To Offer End-To-End Encryption For Video Calls, Trials To Start In July - NDTV - June 18th, 2020
- Encryption Software Market 2020-2025: Types, Services, Cost Structure, Application, Statistics, Emerging Trends And Regional Analysis - Owned - June 18th, 2020
- Zoom to offer end-to-end encryption for all users, trial to begin in July - Reuters India - June 18th, 2020
- Cloud Encryption Market Will Generate Massive Revenue In Future- A Comprehensive Study On Key Players - Surfacing Magazine - June 18th, 2020
- Global Cloud Encryption Gateways Market Research with COVID-19 After Effects - Cole of Duty - June 18th, 2020
- Encryption Software Market 2020 By Trends, Demand, Business Opportunities, Development Factors, Applications, Overview with Competitive landscape... - June 14th, 2020
- IMPACT OF COVID-19 ON Encryption Key Management Software RESEARCH, GROWTH TRENDS AND COMPETITIVE ANALYSIS 2020-2026 - Cole of Duty - June 14th, 2020
- Move over Zoom, this encryption company just released the first fully end to end encrypted conferencing solution #105518 - New Kerala - June 14th, 2020
- Cloud Encryption Software Market to witness high growth in near future - GroundAlerts.com - June 14th, 2020
- Three secure ways to surf the internet - Gadgets Now - June 14th, 2020
- Will Zoom Bring Encryption to the People Who Need It Most? - EFF - June 13th, 2020
- Encryption Software Market Size Scope and Comprehensive Analysis by 2028 - 3rd Watch News - June 13th, 2020
- Federal-grade encryption from the comfort of home - GCN.com - June 13th, 2020
- Hardware-based Full Disk Encryption Market Growth Prospects, Revenue, Key Vendors, Growth Rate and Forecast To 2026 - Jewish Life News - June 13th, 2020
- Congress introduces EARN IT Act, which would end encryption programs but violates the Constitution - NationofChange - June 13th, 2020
- IBM kit wants to keep your data encrypted while in use - ITProPortal - June 13th, 2020
- Commercial Encryption Software Market Growth Prospects, Revenue, Key Vendors, Growth Rate and Forecast To 2026 - Jewish Life News - June 13th, 2020
- Nearly 500,000 say Congress shouldnt kill encryption with the EARN IT Act - The Daily Dot - June 13th, 2020
- COVID-19, Security and WFH: Myths and Misconceptions - Security Boulevard - June 13th, 2020
- Privacy News Online | Weekly Review: June 12th, 2020 - Privacy News Online - June 13th, 2020
- Global Optical encryption Market Insights and Forecast 2020 to 2025 - Jewish Life News - June 13th, 2020
- Hong Kong is number one in Asia for enterprise encryption, with customer personal information the top data protection priority, reports nCipher... - May 27th, 2020
- Are social giants morally obligated to break encryption? - ACS - May 27th, 2020
- Facebook plot to encrypt ALL chats will help child abusers to hide, former police chief warns - The Sun - May 27th, 2020
- Encryption Software Market To Expand At A Robust 14.27% Cagr Of 2020 | Sophos,McAfee,Check Point Software Technologies,Proofpoint,Trend Micro - 3rd... - May 27th, 2020
- Encryption Software Market Forecast Revised in a New Market Expertz Report as COVID-19 Projected to Hold a Massive Impact on Sales in 2020 | Long-term... - May 27th, 2020
- Global Homomorphic Encryption Market Analysis 2020-2025: by Key Players with Countries, Type, Application and Forecast Till 2025 - Cole of Duty - May 27th, 2020
- COVID-19 Impact ON AES Encryption Software Market: Size, Market Analysis, Application, Growth Drivers, Trends, status and Research Report by 2025 -... - May 27th, 2020
- Cloud Encryption Software Market 2020: Potential growth, attractive valuation make it is a long-term investment | Know the COVID19 Impact | Top... - May 27th, 2020
- Global Encryption Key Management Market 2020 Insights, Key Player's Competition, Trends, Sales, Revenue, Supply, Demand, Growth Analysis and Forecast... - May 27th, 2020
- Starting to look at email security. Looking for guidance - Encryption Methods and Programs - BleepingComputer - May 25th, 2020
- Global Cloud Encryption Technology Market Projected to Reach USD XX.XX billion by 2025- Gemalto, Sophos, Symantec, SkyHigh Networks, Netskope etc. -... - May 25th, 2020
- Impact of Covid-19 on Cloud Encryption Technology Market is Expected to Grow at an active CAGR by Forecast to 2025 | Top Players Gemalto, Sophos,... - May 25th, 2020
- Zoom will seek public feedback on plan for stronger encryption - The Indian Express - May 16th, 2020
- Encryption Software Market Research Report 2020 By Size, Share, Trends, Analysis and Forecast to 2026 - Cole of Duty - May 16th, 2020
- Almost half of organisations have been reported to the ICO for a potential data breach - ResponseSource - May 16th, 2020
- VPN Tunnels explained: what are they and how can they keep your internet data secure - TechRadar - May 16th, 2020
- The Week in Ransomware - May 15th 2020 - REvil targets Trump - BleepingComputer - May 16th, 2020
- WhatsApp Video Calls Will Soon Support 50: This Is Why 8s The Limit For Your Security - Forbes - May 16th, 2020
- How to Use Encryption for Defense in Depth in Native and Browser Apps - InfoQ.com - May 14th, 2020
- Analyzing Encrypted RDP Connections - Security Boulevard - May 14th, 2020
- Analysis on Impact of COVID-19-Global Cloud Encryption Software Market 2020-2024| Increasing Use of In-built Cloud Encryption Solutions to Boost... - May 14th, 2020
- Vcrypt ransomware brings along a buddy to do the encryption - Naked Security - May 14th, 2020
- Move over Zoom, this encryption company just released the first fully end to end encrypted conferencing solution - Yahoo Finance - May 14th, 2020
- GovCon Expert Chuck Brooks: Three Steps for Protecting Data in the Public and Private Sectors - GovConWire - May 14th, 2020
- What is the difference between Symmetric and Asymmetric Encryption? - TWCN Tech News - May 14th, 2020
- Encryption Key Management Software Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- IoT Security Solution For Encryption Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Mobile Encryption Technology Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Data Encryption Service Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Congress May Hand Bill Barr the Keys to Your Online Life - The New Republic - May 14th, 2020
- DataLocker Sentry K300 8GB Encrypted Thumb Drive Review - TweakTown - May 14th, 2020
- Hardware Encryption Technology Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Global Cloud Encryption Software Market SHARE, SIZE 2020| EMERGING RAPIDLY WITH LATEST TRENDS, GROWTH, REVENUE, DEMAND AND FORECAST TO 2026 -... - May 14th, 2020
- Mobile Encryption Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Hardware Based Encryption Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Email Encryption Software Market Incredible Possibilities, Growth With Industry Study, Detailed Analysis And Forecast To 2025 - Bulletin Line - May 14th, 2020
- Google Duo is coming to the web via Chrome; features Family mode, end-to-end encryption - Moneycontrol - May 14th, 2020
- Global trade impact of the Coronavirus Commercial Encryption Software Market Applications and Company's Active in the Industry Science Market Reports... - May 2nd, 2020
- Email Encryption Market Growth Opportunities, Challenges, Key Companies, Drivers and Forecast to 2026 Cole Reports - Cole of Duty - May 2nd, 2020
- U.S. Hardware Encryption Market (2019 to 2026) - by Algorithm & Standard, Architecture and Field-Programmable Gate Array, Product, Application,... - May 2nd, 2020
- Innovative Encryption Algorithm Developed in South Korea - BusinessKorea - May 2nd, 2020
- Online course trains students in the bizarre world of quantum computing - Livescience.com - May 2nd, 2020
- Encryption Software Market Growth Opportunities, Challenges, Key Companies, Drivers and Forecast to 2026 Cole Reports - Cole of Duty - May 2nd, 2020
- COVID19 impact: Global Cloud Encryption Software Market Trends (Constraints, Drivers, Opportunities, Threats, Challenges, recommendations and... - May 2nd, 2020
- Review of the iStorage datAshur Pro2, an encrypted thumbdrive for home and work - Neowin - May 2nd, 2020
- Kanguru expands encrypted flash drive range with new 256GB options - Geeky Gadgets - May 2nd, 2020
- Global Encryption Management Solutions Market Size |Incredible Possibilities and Growth Analysis and Forecast To 2026 | Check Point Software... - May 2nd, 2020
- The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy - The Conversation AU - May 2nd, 2020
- Data Encryption Service Market Detailed Analysis of Current Industry Figures With Forecasts Growth by 2026| Microsoft, IBM, OneNeck - News Log Book - May 2nd, 2020
- ACLU, EFF still trying to get documents unsealed in Facebook encryption case - CyberScoop - April 29th, 2020
- Advanced Encryption Standard (AES): What It Is and How It Works - Security Boulevard - April 29th, 2020
- How Let's Encrypt changed the web with free, easy encryption - Fast Company - April 29th, 2020
- Group video calls of up to 100 participants, with encryption and noise cancellation - Explica - April 29th, 2020
- Analysis of COVID-19-Encryption Management Solutions Market 2019-2023 | Rising Demand For Digitalization to Boost Growth | Technavio - Yahoo Finance - April 17th, 2020
- Protecting consumers personal data becomes top reason for encryption, global study involving nCipher Security finds - Cambridge Independent - April 17th, 2020
- Signal: Well be eaten alive by EARN IT Acts anti-encryption wolves - Naked Security - April 17th, 2020
- Coronavirus tracing tech policy 'more significant' than the war on encryption - ZDNet - April 17th, 2020