Amazon Elastic Block Storage encryption explained

Amazon EBS encryption is now offered by AWS. Expert Dave Shackleford explains how it works, why companies might struggle with it and whether it brings the industry one step closer to default cloud data encryption.

In May 2014, Amazon Web Services announced the availability of a new encryption offering that allows users to easily encrypt any Elastic Block Storage (EBS) volume controlled within AWS.

EBS encryption joins Amazon's other encryption options, including server-side encryption for S3 and Glacier storage, encryption within Amazon Redshift and within SQL Server on Amazon Relational Database Service (RDS), and Oracle database encryption within RDS. Is the new offering yet another step in moving cloud storage toward default encryption?

It seems so, with Amazon's move in this direction led by its CTO, Werner Vogels. In an interview with MIT Technology Review, Vogels stated that security is Amazon's "… No. 1 priority … We really want the cloud to be the place where you want to keep your data if you want to have total control over who has access to it."


One of the biggest barriers to cloud adoption is the perceived lack of control over data security, particularly when cloud providers can access, and potentially control, the encryption keys used to protect the data. Numerous cloud technologies from vendors like CipherCloud Inc., Perspecsys Inc., Porticor Ltd. and others already aim to help organizations gain control over cloud data encryption, but some cloud service providers, like Amazon, are now offering built-in features that accomplish the same goals.

EBS encryption: How it works

How does the new Amazon EBS encryption work? EBS volumes are the equivalent of additional hard drives that can be attached to Elastic Compute Cloud (EC2) virtual machines. With the new EBS encryption, the boot volume (the drive where the EC2 instance's OS is installed) cannot be encrypted; any additional volumes attached to the instance can easily be encrypted.

Creating an encrypted volume is simple and straightforward. The easiest approach is to check a single box in the "Create Volume" configuration pane when the volume is created: alongside volume type, size, performance specifications and availability zone, a new option enables encryption from the outset.

Figure: Creating an encrypted EBS volume (the "Create Volume" pane with the encryption option checked)


The encrypted volume can also be created and accessed through the EC2 API (the CreateVolume call and its SDK and command-line wrappers) rather than the console. Each encrypted volume is protected with its own 256-bit Advanced Encryption Standard key, and snapshots taken of an encrypted volume are encrypted as well, which meets current best practices for security and compliance.

EBS encryption drawbacks

One of the biggest drawbacks of Amazon EBS encryption is its inability to encrypt existing EBS volumes in place. In its current form, customers must first create a new encrypted volume, attach it to the instance, then use tools like Robocopy or rsync to copy the existing data over from the old volume into the new one from within the instance. The old volume can then be detached and deleted. While not a showstopper, this could be an operational hurdle for some.
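As an added example (not code from the article, from AWS or from the author), the Python script below covers both the API route to encrypted volumes and the migration procedure just described: it audits a list of volumes in the shape returned by boto3's EC2 describe_volumes(), separates unencrypted root volumes (which this release of EBS encryption cannot protect) from unencrypted data volumes that can be replaced, builds the create_volume() request for an encrypted replacement of the same size, type and availability zone, and lists the rsync steps an operator would run inside the instance. The volume records, instance and volume IDs, device names and mount points are constructed samples; the root-device heuristic is an assumption that an explicit map from describe_instances overrides. The call shapes (describe_volumes, create_volume with Encrypted=True) are the real ones, but the script runs offline on the sample data.

```python
"""Audit EBS volumes for encryption and prepare encrypted replacements.

Added example; not from the article. Operates on the dict shape returned by
boto3's EC2.Client.describe_volumes()["Volumes"]; the sample below is constructed.
"""

# Constructed sample shaped like describe_volumes()["Volumes"]; not real AWS data.
SAMPLE_VOLUMES = [
    {   # root volume: the 2014 EBS encryption feature cannot encrypt this one
        "VolumeId": "vol-0aaa", "Size": 8, "VolumeType": "gp2",
        "AvailabilityZone": "us-east-1a", "Encrypted": False,
        "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/sda1", "State": "attached"}],
    },
    {   # unencrypted data volume: candidate for migration to an encrypted volume
        "VolumeId": "vol-0bbb", "Size": 100, "VolumeType": "gp2",
        "AvailabilityZone": "us-east-1a", "Encrypted": False,
        "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/sdf", "State": "attached"}],
    },
    {   # already encrypted, provisioned-IOPS volume, currently detached
        "VolumeId": "vol-0ccc", "Size": 50, "VolumeType": "io1", "Iops": 1000,
        "AvailabilityZone": "us-east-1b", "Encrypted": True, "Attachments": [],
    },
]

# Assumption: root device names used by common Linux AMIs. Pass an explicit
# {instance_id: root_device_name} map (RootDeviceName from describe_instances)
# to audit_encryption() when you have one; it takes precedence over this set.
DEFAULT_ROOT_DEVICES = frozenset({"/dev/sda1", "/dev/xvda"})


def is_root_volume(volume, root_device_by_instance=None):
    """True if any attachment of this volume is the instance's root device."""
    for att in volume.get("Attachments", []):
        expected = (root_device_by_instance or {}).get(att.get("InstanceId"))
        if expected is not None:
            if att.get("Device") == expected:
                return True
        elif att.get("Device") in DEFAULT_ROOT_DEVICES:
            return True
    return False


def audit_encryption(volumes, root_device_by_instance=None):
    """Split volume IDs into encrypted, unencrypted-root and unencrypted-data.

    Root volumes are reported separately because EBS encryption, as launched,
    does not apply to boot volumes; only the data volumes can be migrated.
    """
    report = {"encrypted": [], "unencrypted_root": [], "unencrypted_data": []}
    for vol in volumes:
        if vol.get("Encrypted"):
            report["encrypted"].append(vol["VolumeId"])
        elif is_root_volume(vol, root_device_by_instance):
            report["unencrypted_root"].append(vol["VolumeId"])
        else:
            report["unencrypted_data"].append(vol["VolumeId"])
    return report


def encrypted_replacement_request(volume):
    """Keyword arguments for EC2.Client.create_volume() that clone the size,
    type and availability zone of an existing volume with Encrypted=True.
    Only the Encrypted flag differs from an ordinary create; the data still
    has to be copied across from inside the instance."""
    request = {
        "AvailabilityZone": volume["AvailabilityZone"],  # must match the instance's AZ
        "Size": volume["Size"],
        "VolumeType": volume["VolumeType"],
        "Encrypted": True,
    }
    if volume["VolumeType"] == "io1":
        request["Iops"] = volume["Iops"]  # io1 requires an explicit IOPS value
    return request


def migration_commands(old_mount, new_device, new_mount="/mnt/encrypted"):
    """Shell steps run on a Linux instance once the encrypted volume is attached
    as new_device; uses rsync as the article suggests. Assumes ext4 (assumption)."""
    return [
        f"sudo mkfs.ext4 {new_device}",
        f"sudo mkdir -p {new_mount} && sudo mount {new_device} {new_mount}",
        f"sudo rsync -aHAX --numeric-ids {old_mount}/ {new_mount}/",  # preserve perms, ACLs, xattrs
        f"sudo umount {old_mount} && sudo umount {new_mount}",
        f"sudo mount {new_device} {old_mount}",  # then fix /etc/fstab, detach and delete the old volume
    ]


if __name__ == "__main__":
    report = audit_encryption(SAMPLE_VOLUMES)
    print(report)
    for vol in SAMPLE_VOLUMES:
        if vol["VolumeId"] in report["unencrypted_data"]:
            print(vol["VolumeId"], "->", encrypted_replacement_request(vol))
            print("\n".join(migration_commands("/data", "/dev/sdg")))
```

To run this against a real account, replace SAMPLE_VOLUMES with boto3.client("ec2").describe_volumes()["Volumes"] and pass the RootDeviceName of each instance from describe_instances so the root check does not depend on the device-name heuristic; the create_volume() request is then passed to the client unchanged, and the new volume is attached with attach_volume() before the rsync steps run.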

Another significant downside to EBS encryption is key management. Currently, Amazon generates, manages and retains all control over the keys used for EBS encryption, so customers cannot hold the keys themselves and therefore lack total assurance that their data is safe from the provider. The likelihood of compromise is low, given Amazon's maturity and stringent security standards, but the remaining unknowns will prevent some organizations from storing sensitive data in EBS. While Amazon asserts that encryption does not affect the I/O and performance of EBS volumes, it's wise for customers to benchmark encrypted against unencrypted volumes under a representative I/O load before using Amazon EBS encryption in production workloads.


Recently, Amazon implemented server-side encryption for S3 with customer-provided keys, under which the customer owns and retains the keys. Redshift and RDS also allow for customer key management, as does the new CloudHSM service Amazon offers. This is the likely direction for all future cloud storage offerings from Amazon, as well as a trend that other cloud service providers will assuredly follow. Once encryption is universally available with customer-managed keys, cloud services will indeed be one step closer to being encrypted by default.

About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security, from Course Technology. Recently, he co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.


This was first published in August 2014
