Amazon adds EBS Encryption


On May 21st, Amazon Web Services (AWS) added encryption at rest for Elastic Block Store (EBS) data volumes and related snapshots.

Users of AWS can now encrypt data stored on an EBS volume at rest by setting a single option.

Blog Article: http://aws.amazon.com/blogs/aws/protect-your-data-with-new-ebs-encryption/

User Guide: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

Some History of EBS Encryption Solutions

Previously, to encrypt data at rest on EBS, companies had to purchase encryption tools from third parties such as Vormetric (http://www.vormetric.com/), TrendMicro (www.trendmicro.com), or CipherCloud (http://www.ciphercloud.com/). Some sites were also using the Linux tools dm-crypt and LUKS (http://wiki.centos.org/HowTos/EncryptedFilesystem). Alternatively, users could rely on the transparent database encryption features of Oracle or Microsoft SQL Server.

Amazon added server-side encryption to Simple Storage Service (S3) back in 2011 (http://aws.amazon.com/blogs/aws/new-amazon-s3-server-side-encryption/), and the technology has been widely used and adopted.

Now, that same industry-standard AES-256 encryption is available for EBS volumes and EBS snapshots.

EBS Encryption Solution

Amazon EBS encryption provides a simple encryption solution for Amazon EBS volumes without the need to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, data at rest on the volume, disk I/O, and snapshots created from the volume are all encrypted using AES-256, with a secure 256-bit key that’s automatically generated and transparently maintained by AWS.

Note that existing EBS volumes can’t be encrypted. Instead, you create a new encrypted EBS volume and copy your existing data into it using rsync or robocopy.
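To find which volumes need that migration, the following added example (not from the original post or from AWS) reads the JSON produced by `aws ec2 describe-volumes` and `aws ec2 describe-instances` and prints a `create-volume --encrypted` command for each unencrypted data volume. The sample records and IDs are constructed, and the micro/small and boot-volume exclusions are taken from this article rather than from an authoritative AWS list.

```python
import json

# Constructed sample input in the shape of `aws ec2 describe-instances` and
# `aws ec2 describe-volumes` output; every ID below is made up.
INSTANCES = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-app01", "InstanceType": "m3.large", "RootDeviceName": "/dev/sda1"},
  {"InstanceId": "i-dev01", "InstanceType": "t1.micro", "RootDeviceName": "/dev/sda1"}]}]}""")
VOLUMES = json.loads("""{"Volumes": [
  {"VolumeId": "vol-boot", "Size": 8, "AvailabilityZone": "us-east-1a", "Encrypted": false,
   "Attachments": [{"InstanceId": "i-app01", "Device": "/dev/sda1"}]},
  {"VolumeId": "vol-phi", "Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": false,
   "Attachments": [{"InstanceId": "i-app01", "Device": "/dev/sdf"}]},
  {"VolumeId": "vol-done", "Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": true,
   "Attachments": [{"InstanceId": "i-app01", "Device": "/dev/sdg"}]},
  {"VolumeId": "vol-small", "Size": 20, "AvailabilityZone": "us-east-1b", "Encrypted": false,
   "Attachments": [{"InstanceId": "i-dev01", "Device": "/dev/sdf"}]},
  {"VolumeId": "vol-spare", "Size": 50, "AvailabilityZone": "us-east-1b", "Encrypted": false,
   "Attachments": []}]}""")

UNSUPPORTED_SIZES = {"micro", "small"}  # per the article, not an authoritative list


def classify(volume, instances_by_id):
    """Return (status, replacement_command_or_None) for one volume record."""
    if volume.get("Encrypted"):
        return ("encrypted", None)
    for att in volume.get("Attachments", []):
        inst = instances_by_id.get(att["InstanceId"])
        if inst is None:
            continue
        if att["Device"] == inst.get("RootDeviceName"):
            return ("boot-volume", None)  # article: boot volumes are not encrypted
        if inst["InstanceType"].split(".")[-1] in UNSUPPORTED_SIZES:
            return ("unsupported-instance", None)
    # Existing volumes cannot be encrypted: create a new one, then copy the data.
    cmd = ("aws ec2 create-volume --encrypted --size {Size} "
           "--availability-zone {AvailabilityZone}").format(**volume)
    return ("migrate", cmd)


def audit(instances, volumes):
    """Map VolumeId -> (status, command) from the two describe-* documents."""
    by_id = {i["InstanceId"]: i for r in instances["Reservations"] for i in r["Instances"]}
    return {v["VolumeId"]: classify(v, by_id) for v in volumes["Volumes"]}


if __name__ == "__main__":
    for vol_id, (status, cmd) in sorted(audit(INSTANCES, VOLUMES).items()):
        print(f"{vol_id:10} {status:21} {cmd or ''}")
```

After the new volume is created and attached, the data copy itself is the rsync or robocopy step described above.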

HIPAA

EBS encryption is excellent news for companies trying to meet the HIPAA breach notification safe harbor requirements for “secured PHI”.

There seems to be little disadvantage to encrypting EBS volumes. Encryption is performed by the EC2 instance and there may be a minor performance hit; for that reason, encryption is not available on micro or small EC2 instances. The “boot volume” is not encrypted, just the EBS data volume.

Remember, if you plan to store Protected Health Information (PHI) anywhere in your Amazon cloud, you must enter into a Business Associate Agreement (BAA) with Amazon.  Contact Double-Helix to assist you in getting your BAA in place with Amazon and properly classifying your confidential and PHI data.

Encryption Key Rotation

Our guess is that Amazon does rotate the master keys for encrypted volumes in the same manner as for S3 http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html but we will need to confirm.

In the future, there is speculation that Amazon may allow customers to manage their own keys with their Cloud HSM hardware, but there is a cost to that feature. While such a feature is not available for S3, they already allow customer key management for Redshift, for example: http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-HSM.html

Such a feature may appeal to enterprise customers with “hybrid” data encryption requirements on-site and in the cloud, or to customers who insist that Amazon can’t have the keys. For most customers, it’s probably less risky to let Amazon manage encryption and rotate keys on their behalf.

Expect there to be more news and discussion regarding best practices and strategies for rotating encryption keys.

Tags: AWS Cloud
