EBS 2

Question 1

Encryption

How are volumes encrypted?

Answer 1

With KMS key (no SSE-S3 equiv.)

Question 2

Encryption

Low-level, what’s the encryption architeucture for EBS?

Answer 2

Data Encryption Key (DEK) stored on volume. DEK encrypted by KMS.

Question 3

Encryption

What happens when EC2 mounts an encrypted EBS volume?

Answer 3

/EC2/ gets KMS key and decryptes the DEK. EC2 low-level does the decryption.

Question 4

Encryption

What data is encrypted / managed by KMS for EBS?

Answer 4

ONLY the DEKs. KMS doesn’t do anything with data.

Question 5

Encryption

Why is storing the DEK with the volume secure?

Answer 5

Steal a volume: data encrypted by DEK, DEK encrypted by KMS. … good luck :-)

Question 6

Encryption

Are DEKs shared between any volumes?

Answer 6

Each volume gets a unique DEK unless it’s a clone from a snapshot since the snapshot contains the original (encrypted) DEK.

Question 7

Encryption

How do you add/remove encryption on an EBS volume?

Answer 7

You don’t…period. Mount on EC2, use dd(1) to duplicate onto (un)encrypted volume.

Question 8

Encryption

How is the OS involved with encrypted EBS volumes?

Answer 8

Not at all. Encryption is in the EC2 product on droplets, not part of OS or EBS product.

Question 9

Encryption

Encryption strength for EBS?

Answer 9

AES-256

Question 10

Encryption

What is the cost for encrypted EBS volumes?

Answer 10

zero

Question 11

Encryption

What do you do inside the EC2 OS when you turn on EBS encryption?

Answer 11

Nothing: encryption happens outside the guest OS; volume appears unencrypted to OS.

Question 12

Encryption

What should you do if you’re security conscious and launch lots of EC2?

important

Answer 12

Set account-wide default to encrypt EBS by default with KMS shared key.