3

I'm trying to figure out how best to protect the data of a single Windows Server 2012 instance on AWS, and "AWS_Securing_Data_at_Rest_with_Encryption.pdf" says:

"Encrypting Amazon EBS volumes attached to Windows instances can be done using BitLocker or Encrypted File System (EFS) as well as open source applications like TrueCrypt. In either case, you still need to provide keys to these encryption methods and you can only encrypt data volumes."

"Both Trend Micro SecureCloud and SafeNet ProtectV are two such partner products that encrypt Amazon EBS volumes and include a KMI. Both products are able to encrypt boot volumes in addition to data volumes."

So, without the above-mentioned SaaS encryption products, is there no free way to protect the boot volume?

joshu

3 Answers

3

This is an old question, but another way to protect your data at rest would be to create a second volume on your EC2 instance and encrypt that volume with BitLocker.
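The scripted form of this answer, as an added example that is not part of the original post: it installs the BitLocker feature on Windows Server, encrypts a secondary data volume with a password protector, adds a recovery password as a second protector and reports the volume status. It assumes the extra EBS volume has already been initialised, formatted and mounted as D:, and that the session is elevated.

```powershell
# Added example (not from the original answer): BitLocker on a secondary EBS
# data volume. Assumes the volume is already formatted and mounted as D:.
# Run from an elevated PowerShell session on the instance.

# 1. BitLocker is an optional feature on Windows Server; install it once.
if (-not (Get-WindowsFeature BitLocker).Installed) {
    Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
    Write-Warning "BitLocker feature installed; reboot before continuing."
    return
}

$mount = 'D:'

# 2. Collect the volume password interactively rather than hard-coding it
#    in a script that lives on the unencrypted boot volume.
$password = Read-Host -AsSecureString -Prompt "BitLocker password for $mount"

# 3. Encrypt the data volume. Only the OS volume involves the TPM, so a data
#    volume can be protected on EC2 without the "allow BitLocker without a
#    compatible TPM" policy. -UsedSpaceOnly keeps the initial pass short
#    on a freshly created volume.
Enable-BitLocker -MountPoint $mount `
    -EncryptionMethod Aes256 `
    -PasswordProtector -Password $password `
    -UsedSpaceOnly

# 4. Add a numerical recovery password as a second key protector and record
#    it outside the instance (password managers, AD backup, etc.).
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password (store it off the instance): $($recovery.RecoveryPassword)"

# 5. Verify protection is on and watch the encryption progress.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
                  EncryptionPercentage, EncryptionMethod
```

After a reboot the volume stays locked until `Unlock-BitLocker -MountPoint D: -Password $password` is run, for example by an operator over RDP. `Enable-BitLockerAutoUnlock` would remove that step, but it requires the OS volume itself to be BitLocker-protected, which is exactly the gap the question is about; storing the password in a startup script on the unencrypted boot volume would defeat the purpose of encrypting the data volume.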

1

BitLocker would be the best solution in my personal experience with drive encryption in general. The issue with BitLocker is that it requires a TPM; I don't know if AWS's hardware presents a TPM or not. If it doesn't, I would say TrueCrypt is the next best option, but it requires you to type in the decryption password every time you start the machine.

Austin Harsh
  • You can disable BitLocker's TPM requirement if you want. http://technet.microsoft.com/en-us/library/c61f2a12-8ae6-4957-b031-97b4d762cf31#BKMK_S5 – Cromulent Jan 23 '14 at 09:40
  • Correct, but as far as my question relating to encrypting the boot volume goes, I don't see how I can use BitLocker. As AWS does not provide console access to an instance, I will never be able to enter the encryption passphrase when the instance reboots. – joshu Jan 23 '14 at 22:10
  • TrueCrypt is discontinued and should not be used anymore. Please see also http://truecrypt.sourceforge.net/ – Marcel Janus May 28 '15 at 14:29
0

AWS now provides volume-level encryption for EBS data volumes. Just check the box when creating the volume.

FYI: I've run some fairly intensive performance measurements using CrystalDiskMark comparing EBS without any encryption, EBS with BitLocker, and EBS with AWS encryption, with ST1, GP2, and IO1 volumes with various IOPS levels.

My conclusion is that BitLocker uses roughly 0.1 cpu-core% per MB/sec read and about 0.4 cpu-core% per MB/sec written. BitLocker also has a 15% write throughput penalty (i.e. peak MB/sec is 15% less with BitLocker).

EBS encryption uses about 1/10 as much CPU as BitLocker and appears to have about half the write throughput penalty, so unless there is some reason outside of performance and cost to use BitLocker, EBS encryption is the way to go.

My testing was done on an i3.4xL (cpu-core % may vary somewhat on i2, i4, and other types of instances).

James