2

Would love it if someone could help me out with this:

The setup is a distributed LAMP architecture hosted on Amazon EC2 instances. MySQL Percona. We use Amazon's EBS snapshots for backups. We have a security requirement for encryption of sensitive data. \

1) Is it possible to encrypt EBS snapshots and not the EBS filesystem from which the snapshots are taken? If so, how? 2) If not, what are the industry standards for encrypting MySQL databases in EC2 + EBS and what are the performance trade-offs for these different methods?

d.howser
  • 21
  • 3
  • if your requirements state that the data must be encrypted, how is it encrypted in the production state? Is it encrypted through the built-in MySQL features or through a standard disk level encryption? – Patrick Aug 13 '12 at 17:11
  • For people landing here please note that AWS do support EBS volume encryption now. Snapshots created from encrypted volume are encrypted as well. [read more](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) AWS manages the keys for you - for many people that would be a blessing, as they will probably do a better job than you. For privacy advocates/ anti NSA/Patriot act people- that would be a deal breaker. – Froyke Jun 04 '14 at 17:13

2 Answers2

4

note: This answer was correct at the time of posting. Amazon has since added EBS encryption as a feature.

Answers:

[1] No, and here's why -- http://aws.amazon.com/ec2/faqs/#Do_you_offer_encryption_on_Amazon_EBS_volumes_or_snapshots

[2] For encrypting databases, you will also have to encrypt the connection which if you use RDS is supported -- http://aws.amazon.com/rds/faqs/#53 and if you use your own MySQL on an instance, you can set it up to accept SSL connections.

For encrypting mysql database itself, see -- http://thinkdiff.net/mysql/encrypt-mysql-data-using-aes-techniques/ which uses AES 128 which is FIPS approved. This may help as well -- http://planet.mysql.com/?tag_search=6679

ceejayoz
  • 32,910
  • 7
  • 82
  • 106
Chida
  • 2,491
  • 1
  • 17
  • 29
1

You haven't provided enough details about your security requirements for a complete answer, but one straightforward way to make sure that your MySQL snapshots are encrypted is to save the MySQL database on top of an encrypted block device on top of an EBS volume.

You can do this with cryptsetup/LUKS which supports industry standard encryption.

The layers would look like this:

3 - Database files

2 - File system (XFS or ext4)

1 - Encrypted block device (cryptsetup)

0 - EBS volume (/dev/xvdX or /dev/sdX)

Everything sent to EBS would then be encrypted including the snapshots.

Eric Hammond
  • 11,163
  • 1
  • 36
  • 56