EBS 2 Flashcards
Encryption
How are volumes encrypted?
With a KMS key (there is no SSE-S3 equivalent for EBS).
Encryption
Low-level, what’s the encryption architecture for EBS?
Data Encryption Key (DEK) stored on volume. DEK encrypted by KMS.
Encryption
What happens when EC2 mounts an encrypted EBS volume?
/EC2/ gets the KMS key and decrypts the DEK. EC2 does the decryption at a low level.
Encryption
What data is encrypted / managed by KMS for EBS?
ONLY the DEKs. KMS doesn’t do anything with data.
Encryption
Why is storing the DEK with the volume secure?
Steal a volume: data encrypted by DEK, DEK encrypted by KMS. … good luck :-)
Encryption
Are DEKs shared between any volumes?
Each volume gets a unique DEK unless it’s a clone from a snapshot since the snapshot contains the original (encrypted) DEK.
Encryption
How do you add/remove encryption on an EBS volume?
You don’t…period. Mount on EC2, use dd(1) to duplicate onto (un)encrypted volume.
Encryption
How is the OS involved with encrypted EBS volumes?
Not at all. Encryption is in the EC2 product on droplets, not part of OS or EBS product.
Encryption
Encryption strength for EBS?
AES-256
Encryption
What is the cost for encrypted EBS volumes?
zero
Encryption
What do you do inside the EC2 OS when you turn on EBS encryption?
Nothing: encryption happens outside the guest OS; volume appears unencrypted to OS.
Encryption
What should you do if you’re security conscious and launch lots of EC2?
important
Set the account-wide default to encrypt new EBS volumes by default with a shared KMS key.