
I am tinkering with EBS encrypted volumes, but I'm stuck and fail to understand how it works.

I have two user accounts, xyz and abc, with admin access, which were created from the root account.

I have created a key from the xyz account, say xyz-key, encrypted a volume vol-xyz using it, and added a few files to it. xyz-key has the user xyz as both Key Admin and Key User.

Now I've logged into the console as the abc user, detached vol-xyz and mounted it on a different instance. Now when I tried to access the content on the volume, all the files are available and not encrypted.

Shouldn't the volume have to be encrypted?

  • Decrypting the volume requires the key. That tells me both of your EC2 instances have access to that key. I assume you haven't restricted access to that key, or perhaps there's an IAM Role the instance uses. I would start by looking in KMS and IAM to see what the access is. – Tim Jul 22 '17 at 20:34

2 Answers


When you encrypt a volume using KMS encryption, the data is encrypted when it's "at rest". This means the data is encrypted when it's sitting on the EBS volume hardware, not when you're accessing it from an EC2 instance. When you read blocks from the EBS volume, the EC2/EBS system will automatically decrypt the data and present it to you unencrypted.

The data is encrypted at the block level, not at the file-system level. By the time your Linux/Windows EC2 instance "sees" the blocks, the data has already been decrypted.

Important: You will never see the data in its encrypted form.

KMS encrypting an EBS volume is not hiding data from other people who access your EC2 instance.

KMS encrypting an EBS volume is not hiding data when the volume is attached to another EC2 instance.

KMS encrypting an EBS volume does hide data from someone who gains access to the EBS volume hardware directly.

KMS encrypting an EBS volume does hide data if the person starting the EC2 instance does not have access to the KMS key. In this case, the EC2 instance will not start.

Once the EC2 instance is started and running, anyone with access to the EC2 instance will have access to the EBS volume. And the data will never appear encrypted to you.

Matt Houser

> KMS encrypting an EBS volume does hide data if the person starting the EC2 instance does not have access to the KMS key. In this case, the EC2 instance will not start.

I am not sure this is entirely correct. As long as the EC2 instance has access to the KMS key (runs under a role that has KMS access), it shouldn't matter what the user credentials are (the user should just need EC2 access).

Does that sound right?
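The thread turns on who the KMS key policy lets use the key, so here is an added example that is not part of the question or either answer: a hypothetical Python helper that evaluates a KMS key policy for a given principal (a user or a role ARN) over the actions EC2 needs when it attaches an encrypted volume. The key policy, account number and principal ARNs are constructed samples shaped like what `aws kms get-key-policy --key-id <key-id> --policy-name default` returns for a console-created key. It assumes the standard EBS set of KMS actions and ignores IAM policies, grants and Condition elements (such as kms:ViaService), so it is a first-pass check, not a full IAM simulation. It shows the mechanism behind the question: the console-default "Enable IAM User Permissions" statement names the account root, which delegates the decision to IAM policies inside that account, so an admin user like abc is let through even though only xyz is named as key user; an explicit Deny in the key policy is what actually fences a principal off.

```python
"""Evaluate a KMS key policy for the actions EC2 needs on an encrypted EBS volume.

Hypothetical helper written for this thread; not code from the question, the
answers, or AWS. Sample policies, account id and ARNs below are constructed.
"""
import fnmatch
import json

ACCOUNT = "111122223333"                       # constructed sample account
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
XYZ = f"arn:aws:iam::{ACCOUNT}:user/xyz"
ABC = f"arn:aws:iam::{ACCOUNT}:user/abc"
OTHER_ACCOUNT_USER = "arn:aws:iam::999988887777:user/abc"

# KMS actions EC2 needs on the key to attach/start with an encrypted volume
# (the set this helper checks; assumed from the standard EBS key-policy guidance).
EBS_ACTIONS = (
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom",
    "kms:CreateGrant",
)

# Constructed sample: console-default key policy with xyz as key user.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Default statement: the account root, i.e. "let IAM policies decide".
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": ROOT},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": XYZ},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": XYZ},
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
        },
    ],
}


def _listed(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_in(stmt, arn):
    """True if the statement's Principal names this exact ARN or '*'."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", arn) for p in _listed(principal.get("AWS", [])))
    return False


def _action_in(stmt, action):
    """IAM action names are case-insensitive and allow * and ? wildcards."""
    patterns = [p.lower() for p in _listed(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def decide(policy, principal_arn, action):
    """Return 'deny', 'allow', 'iam' or 'none' for one principal and one action.

    'iam' means the only matching Allow names the account root, so the
    principal's own IAM policies make the final call (an admin gets through).
    """
    root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    verdict = "none"
    for stmt in policy["Statement"]:
        if not _action_in(stmt, action):
            continue
        if stmt["Effect"] == "Deny" and _principal_in(stmt, principal_arn):
            return "deny"                      # explicit deny always wins
        if stmt["Effect"] == "Allow":
            if _principal_in(stmt, principal_arn):
                verdict = "allow"
            elif verdict == "none" and _principal_in(stmt, root):
                verdict = "iam"
    return verdict


def ebs_key_access(policy, principal_arn):
    """Worst verdict across all EBS-required actions, plus the per-action detail."""
    per_action = {a: decide(policy, principal_arn, a) for a in EBS_ACTIONS}
    rank = ("deny", "none", "iam", "allow")    # least to most permissive
    return min(per_action.values(), key=rank.index), per_action


def deny_principal(policy, arn, actions=EBS_ACTIONS):
    """Copy of the policy with an explicit Deny so IAM admin rights no longer help."""
    hardened = json.loads(json.dumps(policy))
    hardened["Statement"].append({
        "Sid": "Deny EBS use of this key to one principal",
        "Effect": "Deny",
        "Principal": {"AWS": arn},
        "Action": list(actions),
        "Resource": "*",
    })
    return hardened


if __name__ == "__main__":
    for who in (XYZ, ABC, OTHER_ACCOUNT_USER):
        print(who, "->", ebs_key_access(SAMPLE_KEY_POLICY, who)[0])
    print("after explicit Deny:", ABC, "->",
          ebs_key_access(deny_principal(SAMPLE_KEY_POLICY, ABC), ABC)[0])
```

Run it and xyz comes back `allow`, abc in the same account comes back `iam` (its admin IAM policy then grants the use, which is what the question observed), and a user from another account comes back `none`; only the explicit Deny turns abc into `deny`. To check a real key, feed the JSON from `aws kms get-key-policy --key-id <key-id> --policy-name default --output text` into `ebs_key_access` with the ARN of whichever principal makes the EC2 call.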