Amazon EBS - Encryption

When an EBS volume is encrypted:
  • Data at rest is encrypted on the volume.
  • Data in transit between the instance and the volume is encrypted.
  • All snapshots created from the volume are encrypted.
  • All volumes created from encrypted snapshots are also encrypted.

Key points:
  • Encryption and decryption are transparent to the user (no code changes required).
  • Negligible performance impact.
  • Uses AWS KMS with AES-256 encryption keys.
  • You can encrypt an unencrypted snapshot when making a copy.
  • Snapshots of encrypted volumes are always encrypted.

Encrypting an Existing Unencrypted EBS Volume

  1. Create a snapshot of the unencrypted volume.
  2. Copy the snapshot and enable encryption.
  3. Create a new volume from the encrypted snapshot.
  4. Attach the encrypted volume to the instance as needed.
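
The four steps above as an AWS CLI script. This is an added example, not part of the original notes: the function name `encrypt_volume`, the `vol-EXAMPLE` and `i-EXAMPLE` IDs, the region and the device name are placeholders, and the script assumes a configured AWS CLI. It also confirms that the new volume reports as encrypted before handing it back for attachment.

```sh
#!/bin/sh
# Added example: replace an unencrypted EBS volume with an encrypted copy.
# Usage: encrypt_volume <volume-id> <region> [kms-key-id]
# Prints the ID of the new encrypted volume. The body runs in a subshell "( )"
# so variables stay local and "exit" only leaves the function.
encrypt_volume() (
  vol="$1"; region="$2"; key="${3:-}"

  # The replacement volume must be created in the same Availability Zone.
  az=$(aws ec2 describe-volumes --region "$region" --volume-ids "$vol" \
    --query 'Volumes[0].AvailabilityZone' --output text) || exit 1

  # Step 1: snapshot the unencrypted volume and wait for it to complete.
  snap=$(aws ec2 create-snapshot --region "$region" --volume-id "$vol" \
    --description "Pre-encryption snapshot of $vol" \
    --query SnapshotId --output text) || exit 1
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap" || exit 1

  # Step 2: copy the snapshot with encryption enabled. Without --kms-key-id
  # the account's default KMS key for EBS is used.
  enc_snap=$(aws ec2 copy-snapshot --region "$region" --source-region "$region" \
    --source-snapshot-id "$snap" --encrypted ${key:+--kms-key-id "$key"} \
    --query SnapshotId --output text) || exit 1
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc_snap" || exit 1

  # Step 3: create the new volume from the encrypted snapshot.
  new_vol=$(aws ec2 create-volume --region "$region" --snapshot-id "$enc_snap" \
    --availability-zone "$az" --query VolumeId --output text) || exit 1
  aws ec2 wait volume-available --region "$region" --volume-ids "$new_vol" || exit 1

  # Check before step 4: refuse to hand back a volume that is not encrypted.
  enc=$(aws ec2 describe-volumes --region "$region" --volume-ids "$new_vol" \
    --query 'Volumes[0].Encrypted' --output text) || exit 1
  if [ "$enc" != "True" ]; then
    echo "refusing to continue: $new_vol is not encrypted" >&2
    exit 1
  fi
  echo "$new_vol"
)

# Step 4 (attach as needed), shown with placeholder IDs:
#   new=$(encrypt_volume vol-EXAMPLE us-east-1) &&
#   aws ec2 attach-volume --volume-id "$new" --instance-id i-EXAMPLE --device /dev/sdf
```

The original volume and the intermediate unencrypted snapshot are left in place; delete them separately once the encrypted volume has been verified in use.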