AWS KMS keys control how EBS volumes are encrypted. The encryption itself is done on the EC2 host, block by block, before data leaves the instance for the EBS storage layer.
Let’s see this in action. Imagine you’re spinning up a new EC2 instance with an EBS volume. When you create the volume, you specify a KMS key.
aws ec2 create-volume \
--availability-zone us-east-1a \
--size 100 \
--encrypted \
--kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890
In this command:
In this command:
- --availability-zone: the Availability Zone the volume lives in. It must match the AZ of any instance you later attach it to.
- --size 100: a 100 GiB volume.
- --encrypted: tells EBS to encrypt the volume.
- --kms-key-id: the crucial part. It names the KMS key (AWS's older term is customer master key, or CMK) that will protect the volume. If you pass --encrypted without it, EBS uses your account's default EBS key for the region, which is the AWS managed key aws/ebs unless you have pointed that default at a customer managed key.
Once the volume is created, every block written to it is encrypted on the EC2 host with the volume's own data key before it travels to EBS storage, and decrypted the same way on read; KMS is not in the I/O path. What KMS gates is access to that data key: the IAM principal that creates the volume, attaches it, or launches an instance with it must be allowed to use the specified KMS key (EC2 creates a KMS grant on that principal's behalf for the attachment). The instance itself needs no KMS permissions and never sees the KMS key.
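The key-policy side of that permission requirement, as an added example rather than text from the original page: two statements to add to the KMS key's policy next to its existing key-administrator statement (do not replace that statement, or you lock yourself out of managing the key). The role name ebs-operator, the account ID and the region are assumptions. kms:ViaService restricts the role to using the key through EC2 in that region, and kms:GrantIsForAWSResource lets it create the grant EC2 needs for the attachment without being able to hand out arbitrary grants.

```json
{
  "Statement": [
    {
      "Sid": "AllowEbsOperatorToUseKeyViaEc2",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/ebs-operator" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "ec2.us-east-1.amazonaws.com" }
      }
    },
    {
      "Sid": "AllowEbsOperatorGrantsForAwsResourcesOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/ebs-operator" },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "kms:GrantIsForAWSResource": "true" }
      }
    }
  ]
}
```

Resource is always "*" inside a key policy; it means "this key". After updating the policy, a failed attach shows up in CloudTrail as an AccessDenied on a kms:CreateGrant or kms:Decrypt call made by ec2.amazonaws.com on the role's behalf, which is the first place to look when an encrypted volume refuses to attach.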
The problem this solves is security of data at rest. If the underlying storage media leaves the data center, or a failed disk is recovered, the blocks on it are ciphertext and stay unreadable without access to the KMS key. This is paramount for compliance requirements such as HIPAA, PCI DSS and GDPR. It is not a defense against an IAM principal who is allowed to attach the volume, or against code running on the instance it is attached to; both see plaintext, so IAM and host controls still carry that part of the threat model.
Internally, EBS uses envelope encryption, a two-tiered key hierarchy. When the volume is created, EBS asks KMS for a unique data encryption key (DEK) for that volume (a GenerateDataKeyWithoutPlaintext call); KMS returns the DEK already encrypted under your KMS key, and EBS stores that encrypted DEK with the volume's metadata. When the volume is attached, EC2 sends the encrypted DEK to KMS in a Decrypt request and, if the caller is permitted, KMS returns the plaintext DEK, which the host keeps in memory for as long as the volume stays attached. That DEK encrypts and decrypts every data block. Your KMS key therefore never leaves KMS and is used only to wrap and unwrap DEKs, never the data itself, so there is no KMS call per I/O and KMS latency has no effect on disk throughput. The flip side is that disabling or scheduling deletion of the KMS key does not affect volumes that are already attached, but any later attach, and any instance launch that depends on the volume, fails.
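The key hierarchy described above, modelled end to end in stdlib-only Python. This is an added example, not AWS code: FakeKms stands in for the KMS service boundary, and the cipher is HMAC-SHA256 run in counter mode plus an HMAC tag (encrypt-then-MAC) in place of the AES-256 that EBS actually uses. The KMS method names mirror the real API calls; the record format, the block numbering and the sample data are constructed for the example.

```python
"""Envelope encryption as EBS applies it: one KMS key wraps a per-volume DEK;
the DEK, not the KMS key, encrypts every block. Added example, not AWS code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream; stands in for AES here
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; aad is authenticated only."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, aad: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key, wrong block number, or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Constructed stand-in for the KMS service boundary: key material never leaves
    this object; callers only ever get wrapped DEKs back, or a plaintext DEK on Decrypt."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self.calls: list[str] = []  # CloudTrail-style record of every call made to KMS

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(4)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def disable_key(self, key_id: str) -> None:
        del self._keys[key_id]

    def generate_data_key_without_plaintext(self, key_id: str) -> bytes:
        """What EBS calls at volume creation: a fresh DEK, returned only in wrapped form."""
        self.calls.append("GenerateDataKeyWithoutPlaintext")
        dek = secrets.token_bytes(32)
        # real KMS ciphertext blobs carry the key ID internally, so Decrypt takes no key ID
        return key_id.encode() + b"|" + seal(self._keys[key_id], key_id.encode(), dek)

    def decrypt(self, wrapped_dek: bytes) -> bytes:
        """What EC2 calls at attach time; denied calls are still recorded, as in CloudTrail."""
        self.calls.append("Decrypt")
        key_id, blob = wrapped_dek.split(b"|", 1)
        if key_id.decode() not in self._keys:
            raise PermissionError("KMS key disabled, deleted, or caller not permitted")
        return unseal(self._keys[key_id.decode()], key_id, blob)


@dataclass
class Volume:
    """What EBS stores: ciphertext blocks plus the wrapped DEK in the volume metadata."""
    wrapped_dek: bytes
    blocks: dict[int, bytes] = field(default_factory=dict)


class AttachedVolume:
    """What the EC2 host holds while a volume is attached: the plaintext DEK in host
    memory. Each block is sealed with its block number as AAD, so a block copied to
    another offset on the raw media fails to decrypt."""

    def __init__(self, volume: Volume, dek: bytes) -> None:
        self.volume, self._dek = volume, dek

    def write(self, block_no: int, data: bytes) -> None:
        self.volume.blocks[block_no] = seal(self._dek, block_no.to_bytes(8, "big"), data)

    def read(self, block_no: int) -> bytes:
        return unseal(self._dek, block_no.to_bytes(8, "big"), self.volume.blocks[block_no])


def create_volume(kms: FakeKms, key_id: str) -> Volume:
    return Volume(wrapped_dek=kms.generate_data_key_without_plaintext(key_id))


def attach(kms: FakeKms, volume: Volume) -> AttachedVolume:
    # the one KMS call per attach; no KMS traffic happens on the I/O path after this
    return AttachedVolume(volume, kms.decrypt(volume.wrapped_dek))


def demo() -> dict:
    kms = FakeKms()
    key_id = kms.create_key()
    vol = create_volume(kms, key_id)
    host = attach(kms, vol)
    records = [b"boot sector", b"patient 42: allergic to penicillin", b"PAN 4111111111111111"]  # constructed
    for i, rec in enumerate(records):
        host.write(i, rec)
    round_trip = [host.read(i) for i in range(len(records))] == records
    plaintext_on_media = any(rec in vol.blocks[i] for i, rec in enumerate(records))

    # raw-media tampering: move block 2 into slot 0; the AAD binding catches it on read
    tampered = Volume(vol.wrapped_dek, dict(vol.blocks))
    tampered.blocks[0] = tampered.blocks[2]
    try:
        attach(kms, tampered).read(0)
        swap_detected = False
    except ValueError:
        swap_detected = True

    # disabling the KMS key: the already-attached host still has its DEK, a fresh attach does not
    kms.disable_key(key_id)
    still_readable_while_attached = host.read(1) == records[1]
    try:
        attach(kms, vol)
        reattach_after_disable = True
    except PermissionError:
        reattach_after_disable = False

    return {"kms_calls": kms.calls, "round_trip": round_trip, "plaintext_on_media": plaintext_on_media,
            "swap_detected": swap_detected, "still_readable_while_attached": still_readable_while_attached,
            "reattach_after_disable": reattach_after_disable}


if __name__ == "__main__":
    print(demo())
```

Six block I/Os and three attach attempts produce exactly four KMS calls (one GenerateDataKeyWithoutPlaintext, three Decrypt), which is the efficiency argument in the paragraph above made concrete. The last two results are the operational caveat: disabling the key is not a kill switch for running instances, and it is a hard stop for the next attach.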
You cannot encrypt an EBS volume in place. To encrypt an existing unencrypted volume, take a snapshot of it, then create a new volume from that snapshot with --encrypted and your --kms-key-id (or copy the snapshot with --encrypted first and create the volume from the encrypted copy), and swap the new volume in for the old one. The interim snapshot and the original volume still hold plaintext blocks, so delete them once the encrypted copy has been verified.
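The snapshot-then-recreate procedure as a single function, with a verification step that reads back what EBS actually applied. This is an added example, not code from the original page or from AWS: ec2 is expected to be a boto3 EC2 client (boto3.client("ec2")), whose method names and response shapes the function uses; FakeEc2 is a constructed stand-in that records calls so the flow runs offline, and the key ARN is the one used earlier on the page.

```python
"""Encrypt an existing unencrypted EBS volume via snapshot. Added example, not AWS code."""

# the key ARN from the create-volume command on this page, reused as sample input
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890"


def encrypt_existing_volume(ec2, volume_id: str, kms_key_id: str, availability_zone: str,
                            delete_interim_snapshot: bool = False) -> dict:
    """ec2: a boto3 EC2 client (or any object with the same methods, as FakeEc2 below)."""
    snap = ec2.create_snapshot(VolumeId=volume_id, Description=f"plaintext copy of {volume_id}")
    snapshot_id = snap["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snapshot_id])

    # Encrypted=True plus an explicit KmsKeyId: the account's default EBS key is not used
    new = ec2.create_volume(AvailabilityZone=availability_zone, SnapshotId=snapshot_id,
                            Encrypted=True, KmsKeyId=kms_key_id)
    new_id = new["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])

    # verify rather than assume: read back the flags EBS actually applied
    desc = ec2.describe_volumes(VolumeIds=[new_id])["Volumes"][0]
    if not desc.get("Encrypted"):
        raise RuntimeError(f"{new_id} came back unencrypted")
    if kms_key_id.startswith("arn:") and desc.get("KmsKeyId") != kms_key_id:
        raise RuntimeError(f"{new_id} is under {desc.get('KmsKeyId')}, not {kms_key_id}")

    # the interim snapshot holds plaintext blocks; drop it once the encrypted copy checks out
    if delete_interim_snapshot:
        ec2.delete_snapshot(SnapshotId=snapshot_id)
    return {"source_volume": volume_id, "snapshot_id": snapshot_id,
            "volume_id": new_id, "kms_key_id": desc["KmsKeyId"]}


class _NoWait:
    def wait(self, **kwargs) -> None:
        pass


class FakeEc2:
    """Constructed stand-in for boto3.client('ec2'): records calls and returns the
    response shapes of the real API so the function above runs offline."""

    def __init__(self) -> None:
        self.calls: list[str] = []
        self.volumes = {"vol-0aaa": {"VolumeId": "vol-0aaa", "Encrypted": False}}  # constructed
        self.snapshots: set[str] = set()

    def create_snapshot(self, **kw) -> dict:
        self.calls.append("CreateSnapshot")
        sid = f"snap-{len(self.snapshots):04d}"
        self.snapshots.add(sid)
        return {"SnapshotId": sid}

    def delete_snapshot(self, SnapshotId: str) -> None:
        self.calls.append("DeleteSnapshot")
        self.snapshots.remove(SnapshotId)

    def create_volume(self, **kw) -> dict:
        self.calls.append("CreateVolume")
        vid = f"vol-{len(self.volumes):04d}"
        encrypted = bool(kw.get("Encrypted"))
        self.volumes[vid] = {"VolumeId": vid, "Encrypted": encrypted,
                             "KmsKeyId": kw.get("KmsKeyId") if encrypted else None,
                             "SnapshotId": kw.get("SnapshotId")}
        return {"VolumeId": vid}

    def describe_volumes(self, VolumeIds: list) -> dict:
        return {"Volumes": [self.volumes[v] for v in VolumeIds]}

    def get_waiter(self, name: str) -> _NoWait:
        return _NoWait()


if __name__ == "__main__":
    print(encrypt_existing_volume(FakeEc2(), "vol-0aaa", KEY_ARN, "us-east-1a", delete_interim_snapshot=True))
```

Against a real account, pass boto3.client("ec2", region_name="us-east-1") as ec2; the calling principal needs the EC2 snapshot and volume permissions plus the KMS permissions described earlier for the target key. Swapping the new volume in (detach the old one, attach the new one at the same device name) is left to the caller, since it depends on whether the instance can be stopped.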
If you're managing many volumes, you'll soon want to enforce this across the account rather than per command: turn on EBS encryption by default for each region (aws ec2 enable-ebs-encryption-by-default, with aws ec2 modify-ebs-default-kms-key-id to pick your own key) so new volumes and snapshot copies are encrypted even when --encrypted is forgotten, and use the AWS Config managed rule encrypted-volumes to flag any attached volume that is not.