Volume encryption for AWS
You can encrypt disks in AWS using the following methods:

- Default encryption, using Platform Managed Key (PMK).
- Customer Managed Encryption Key (CMEK), using AWS KMS.

For more information on AWS encryption, see the 'Amazon EBS encryption' section of the Amazon Elastic Compute Cloud User Guide for Linux Instances.

Table: Encryption for creating snapshots

| Disk encryption | Snapshot encryption |
|---|---|
| Platform Managed Key (PMK) | Same PMK is used as the source disk. |
| CMEK | Same CMEK is used as the source disk. |
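
One way to verify the snapshot behavior in the table above, as an added example that is not part of the original guide or of any product's code: it compares each snapshot's key with its source volume's key using the `Encrypted` and `KmsKeyId` fields of EC2 describe output. The sample data, IDs, and key ARNs are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample input, shaped like `aws ec2 describe-volumes` and
# `aws ec2 describe-snapshots` output. All IDs and key ARNs are placeholders.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/aaaa-placeholder"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/bbbb-placeholder"
SAMPLE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-01", "Encrypted": True, "KmsKeyId": KEY_A},
    {"VolumeId": "vol-02", "Encrypted": True, "KmsKeyId": KEY_B},
    {"VolumeId": "vol-03", "Encrypted": False},
]})
SAMPLE_SNAPSHOTS = json.dumps({"Snapshots": [
    {"SnapshotId": "snap-01", "VolumeId": "vol-01", "Encrypted": True, "KmsKeyId": KEY_A},
    {"SnapshotId": "snap-02", "VolumeId": "vol-02", "Encrypted": True, "KmsKeyId": KEY_A},
    {"SnapshotId": "snap-03", "VolumeId": "vol-03", "Encrypted": False},
    {"SnapshotId": "snap-04", "VolumeId": "vol-99", "Encrypted": True, "KmsKeyId": KEY_A},
]})


def key_of(resource):
    """Return the KMS key ARN of a volume or snapshot, or None if unencrypted."""
    return resource.get("KmsKeyId") if resource.get("Encrypted") else None


def audit_snapshot_keys(volumes_json, snapshots_json):
    """Compare each snapshot's key with its source volume's key.

    Returns a list of (snapshot_id, status) where status is 'match',
    'mismatch' or 'source-missing' (the volume was deleted or is not listed).
    """
    volumes = {v["VolumeId"]: v for v in json.loads(volumes_json)["Volumes"]}
    results = []
    for snap in json.loads(snapshots_json)["Snapshots"]:
        source = volumes.get(snap.get("VolumeId"))
        if source is None:
            status = "source-missing"
        elif key_of(snap) == key_of(source):
            status = "match"
        else:
            status = "mismatch"
        results.append((snap["SnapshotId"], status))
    return results


if __name__ == "__main__":
    for snapshot_id, status in audit_snapshot_keys(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS):
        print(f"{snapshot_id}: {status}")
```

A `mismatch` result means the snapshot is protected by a different key than its source disk, which the table above says should not happen for snapshots created this way.
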

Table: Encryption for restoring snapshots

| Snapshot encryption | Restored disk encryption |
|---|---|
| PMK | Same PMK is used as the snapshot. |
| CMEK | Same CMEK is used as the snapshot. |

Table: Encryption for restoring from backup

| Snapshot encryption | Restored disk encryption |
|---|---|
| PMK | Same PMK is used as the source disk. |
| CMK | Same CMK is used as the source disk. |

Table: Encryption during VM restore from snapshot or backup

| Snapshot encryption | Restored disk encryption |
|---|---|
| None | Applicable for non-encrypted disks. |
| PMK | Encryption on disk can be PMK/CMK as per user selection during restore. |
| CMK | Encryption on disk can be PMK/CMK as per user selection during restore. |