Problem

If you are using AWS and care about encrypting your data on disk, you probably use the EBS encryption feature provided by AWS.

Unfortunately, it is not available for instance store-backed instances. Using this type of instance can be faster and cheaper (you don't pay extra for the EBS volume and its snapshots).

Solution

Encrypt the rootfs on first boot, at the initramfs stage.

Components

  1. dracut-encryptrootfs module for manipulating the disk before it is mounted
  2. AWS Key Management Service for managing the key so that it is not stored on the machine
  3. simple-cloud-encrypt, a key management implementation that relies on AWS KMS

All together

With the dracut-encryptrootfs module we create a /boot partition and a LUKS partition that is used as the rootfs.

A detailed description of how it works can be found in the README.md.

Let us take a look at what happens during the first boot.

[First boot diagram]

During subsequent boots we just unlock the LUKS volume and mount it.

[Second boot diagram]

As you can see, the actual LUKS key is stored on the /boot partition only in encrypted form.

AWS credentials are provided through the IAM Roles mechanism, so no static credentials have to be stored on the instance.
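The key handling described above (generate a LUKS key on first boot, keep only the KMS-wrapped copy on /boot, unwrap it with KMS on later boots) as an added example, written for this page and not taken from dracut-encryptrootfs or simple-cloud-encrypt. It assumes the wrapped key is stored as /boot/rootfs.key.kms (a file name chosen here) and uses the boto3 KMS client calls encrypt(KeyId=..., Plaintext=...) and decrypt(CiphertextBlob=...). The StubKms class is a constructed, insecure stand-in so the flow can be exercised offline; on an instance you would pass the real client from real_kms() instead, and boto3 picks up the IAM role credentials from the instance metadata service.

```python
"""Envelope encryption of a LUKS root key with AWS KMS (added example).

First boot:  random key -> KMS encrypt -> ciphertext written to /boot
Later boots: ciphertext read from /boot -> KMS decrypt -> key piped to cryptsetup
"""
import os
import secrets

WRAPPED_KEY_NAME = "rootfs.key.kms"  # assumed file name on the /boot partition
KEY_BYTES = 64                       # 512 bits of key material for the LUKS slot


def first_boot(kms, key_id, boot_dir):
    """Generate a fresh LUKS key, wrap it with KMS and keep only the
    ciphertext on /boot. Returns the plaintext so the caller can feed it to
    `cryptsetup luksFormat` / `cryptsetup open` on stdin."""
    key = secrets.token_bytes(KEY_BYTES)
    resp = kms.encrypt(KeyId=key_id, Plaintext=key)
    path = os.path.join(boot_dir, WRAPPED_KEY_NAME)
    # write to a temp file and rename, so a crash never leaves a truncated blob
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(resp["CiphertextBlob"])
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return key


def subsequent_boot(kms, boot_dir):
    """Read the wrapped key from /boot and unwrap it with KMS. The ciphertext
    is useless without permission to call Decrypt on the KMS key, which the
    instance gets from its IAM role."""
    with open(os.path.join(boot_dir, WRAPPED_KEY_NAME), "rb") as f:
        blob = f.read()
    return kms.decrypt(CiphertextBlob=blob)["Plaintext"]


def cryptsetup_open_argv(device, mapper_name="root"):
    """argv for unlocking the volume. `--key-file -` reads the key from
    stdin, so it never appears in the process list or on disk in clear."""
    return ["cryptsetup", "open", "--type", "luks",
            "--key-file", "-", device, mapper_name]


def real_kms():
    """Real client; boto3 is imported lazily so the stub runs without it."""
    import boto3
    return boto3.client("kms")


class StubKms:
    """Constructed offline stand-in mimicking boto3's encrypt/decrypt shape.
    It XORs with a random pad per key id; this is NOT a secure cipher and
    exists only so the boot flow can be demonstrated without AWS."""

    def __init__(self):
        self._pads = {}

    def encrypt(self, KeyId, Plaintext):
        pad = self._pads.setdefault(KeyId, secrets.token_bytes(4096))
        body = bytes(p ^ q for p, q in zip(Plaintext, pad))
        return {"CiphertextBlob": KeyId.encode() + b"\0" + body, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob):
        key_id, body = CiphertextBlob.split(b"\0", 1)
        pad = self._pads[key_id.decode()]
        return {"Plaintext": bytes(p ^ q for p, q in zip(body, pad)),
                "KeyId": key_id.decode()}


def demo():
    """Run the first and a subsequent boot against the stub in a temporary
    /boot directory (constructed) and report what a reviewer would check."""
    import tempfile
    kms = StubKms()
    with tempfile.TemporaryDirectory() as boot:
        key_first = first_boot(kms, "alias/rootfs-demo", boot)
        with open(os.path.join(boot, WRAPPED_KEY_NAME), "rb") as f:
            on_disk = f.read()
        key_later = subsequent_boot(kms, boot)
    return {
        "roundtrip_ok": key_first == key_later,   # same key unlocks the volume
        "key_len": len(key_first),
        "plaintext_on_disk": key_first in on_disk,  # must be False
    }


if __name__ == "__main__":
    print(demo())
    print(" ".join(cryptsetup_open_argv("/dev/xvda2")))
```

In the initramfs the plaintext returned by first_boot or subsequent_boot is piped straight into the cryptsetup process built from cryptsetup_open_argv and then dropped; only the KMS ciphertext ever touches /boot, and revoking the instance role's kms:Decrypt permission is enough to make that file unusable.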