About Encrypted EBS
Encrypted EBS feature guarantees data at rest encryption. That means anything saved on the volume will be protected automatically as long as it resides on the volume.
Risks for Unencrypted Volumes
By encrypting volumes, you have them protected against the below threats;
- The loss of control of storage media
- The loss of control on storage media at where the snapshots created from the volume resides.
- Compromise of the networks attached to the storage systems
Supported Instance Types and Roles
EBS encryption is supported on 3rd Generation instances (M3/C3/R3/T2) and newer. For a current list of instances please see this AWS document. It should be noted that on smaller T2 instances encryption can have a negative affect on performance and may in some cases consume CPU burst credits.
Encrypted EBS can be used with any instance role (Database, Application, Utility) selectively. For application and utility instances, encryption can be used on a case by case basis unless you set the 'Encrypt All Instances' option on the Edit Environment page.
If enabled, a key icon next to the instance names will appear on the environment page, which means the volumes are encrypted.
Encrypted EBS feature provides the same IOPS performance on encrypted volumes as on unencrypted volumes, with a minimal effect on latency and at no additional cost.
Enable Encrypted EBS
For environment-wide forced encryption on a new environment you can select to encrypt either just db volumes or all mounted volumes on the Environment Creation page. When all volumes is selected, the mount points /db, /data, /mnt, and swap will be encrypted. At this time the root volume is not encrypted on Engine Yard instances.
It is not possible to convert an existing unencrypted volume to an encrypted state, thus an existing instance cannot be encrypted and replacement instances must be booted.
If encryption is only required for a specific application or utility instance, encryption can be selected on the Add page. Using this method will encrypt /data, /mnt, and swap, but not the root volume. Encrypted volumes can only be created as new volumes or from encrypted snapshots, so if you require to inherit data you must encrypt an existing snapshot as detailed below.
Database replicas require to use the DB master snapshot, therefore you cannot create an encrypted replica from an unencrypted master. If you are looking to provision an encrypted DB replica please contact Support.
For All New instances
To force all new instances in an environment to have either /db or all mounted volumes to be encrypted then the required option must be selected on the Edit Environment page. When all volumes is selected, the mount points /db, /data, /mnt, and swap will be encrypted. At this time the root volume is not encrypted.
Note: As existing instances cannot be encrypted, the ability to enable encryption on a running environment is disabled. If you require to enable encryption on an existing environment either terminate the environment, enable the setting and boot the environment again, or contact Support in order that they can enable the setting on the live environment and guide you through the process of cycling the existing instances.
Once encryption has been enabled application and utility instances added to the environment will have encrypted /data, /mnt, and swap, but not the root volume. The /data volumes can then only be created as new volumes or from encrypted snapshots, so if you require to inherit data you must encrypt an existing snapshot as detailed below.
Database replicas require to use the DB master snapshot, therefore you cannot create an encrypted replica from an unencrypted master. The platform does not restrict this action however, so if you attempt to boot a DB replica after enabling environment-wide encryption the instance will attempt to boot with encrypted volumes, but the /db volume creation stage will fail at AWS. If you are looking to provision an encrypted DB replica please contact Support.
If you wish to boot new application and utility instances with encrypted volumes using a snapshot from an existing un-encrypted instance then you must encrypt the existing snapshot. Snapshots can be encrypted from the Snapshots page for each Environment and new snapshots can be taken for the environment if required using the Snapshot button at the top of each Environment page. Once a snapshot has been encrypted you will be offered it as a snapshot for the instance type on the Add page.
As above, booting a DB replica does not allow you to select the snapshot, so this method is not valid for adding encrypted replicas. Please contact Support if you require to do this.
Database Backups & Replicas
Backups of data should also be taken into consideration to ensure data at rest encryption, as well as the volumes. It is a very straightforward process as covered on this article.
Any replicas added to a master DB which already has an encrypted volume will use encryption automatically.