Encryption of rootfs in AWS EC2 Instance Store-Backed images
Problem
If you use AWS and care about encrypting your data at rest, you probably rely on the EBS encryption feature provided by AWS.
Unfortunately it is not available for Instance Store-Backed instances. Such instances can be faster and cheaper, since you do not pay extra for EBS volumes and their snapshots.
Solution
Encrypt the rootfs on the first boot, at the initramfs stage.
Components
- dracut-encryptrootfs, a dracut module that manipulates the disk before the rootfs is mounted
- AWS Key Management Service (KMS), which manages the key so that it does not have to be stored on the machine
- simple-cloud-encrypt, a key management implementation that relies on AWS KMS
All together
With the dracut-encryptrootfs module we create a /boot partition and a LUKS partition, which is then used as the rootfs.
A detailed description of how it works can be found in the project's README.md.
Let us take a look at what happens during the first boot.
During subsequent boots we only unlock the LUKS volume and mount it.
Note that the actual LUKS key is stored on the unencrypted /boot partition, but only in encrypted form: it is wrapped with AWS KMS, so the plaintext key never rests on the machine, and someone who copies the disk gets a blob that is useless without permission to call KMS Decrypt with that key.
AWS credentials for the KMS calls are provided through the IAM Roles mechanism (the EC2 instance role), so no long-lived credentials are stored on the image either. Keep in mind that anything running on the instance that can reach the instance metadata service can obtain those role credentials, so the KMS key policy should grant that role Decrypt only.
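The following is an added example of the key-handling part of this flow, written for this page; it is not code from dracut-encryptrootfs or simple-cloud-encrypt. It assumes a wrapped-key file name (luks_key.enc) on /boot, uses an in-memory stand-in for KMS so it runs offline (the KmsClient class shows the equivalent boto3 calls), and leaves out partitioning and copying of the rootfs. On the first boot it generates a random LUKS key, stores only the KMS-wrapped form on /boot and feeds the plaintext to cryptsetup over stdin; on every later boot it unwraps the blob through KMS and unlocks the volume.

```python
"""First-boot vs subsequent-boot handling of a KMS-wrapped LUKS key on /boot.
Added example; not part of dracut-encryptrootfs or simple-cloud-encrypt."""
import os
import secrets
import subprocess
import tempfile
from pathlib import Path

KEY_FILE_NAME = "luks_key.enc"  # hypothetical name of the wrapped key on /boot
LUKS_KEY_BYTES = 64             # size of the random key handed to cryptsetup


class FakeKms:
    """Offline stand-in for the KMS Encrypt/Decrypt API (not real crypto).

    Plaintexts stay inside the 'service'; callers only get an opaque random
    token, which mimics the property that the blob on /boot reveals nothing
    without the ability to call Decrypt."""
    def __init__(self):
        self._store = {}

    def encrypt(self, plaintext: bytes) -> bytes:
        token = secrets.token_bytes(32)
        self._store[token] = plaintext
        return token

    def decrypt(self, blob: bytes) -> bytes:
        return self._store[blob]  # KeyError plays the role of AccessDenied


class KmsClient:
    """Real variant: boto3 KMS, credentials taken from the IAM instance role
    through boto3's normal credential chain, so nothing is stored on disk."""
    def __init__(self, key_id: str, region: str):
        import boto3  # imported lazily so the offline example needs no boto3
        self._kms = boto3.client("kms", region_name=region)
        self._key_id = key_id

    def encrypt(self, plaintext: bytes) -> bytes:
        return self._kms.encrypt(KeyId=self._key_id, Plaintext=plaintext)["CiphertextBlob"]

    def decrypt(self, blob: bytes) -> bytes:
        return self._kms.decrypt(CiphertextBlob=blob)["Plaintext"]


def key_path(boot_dir) -> Path:
    return Path(boot_dir) / KEY_FILE_NAME


def first_boot(kms, boot_dir) -> bytes:
    """Generate a fresh LUKS key, persist only its KMS-wrapped form on /boot
    and return the plaintext for `cryptsetup luksFormat`."""
    key = secrets.token_bytes(LUKS_KEY_BYTES)
    blob = kms.encrypt(key)
    # /boot is unencrypted: write the blob only, 0600, O_EXCL so a stale file
    # is never silently overwritten, and fsync before trusting it exists.
    fd = os.open(key_path(boot_dir), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(blob)
        f.flush()
        os.fsync(f.fileno())
    return key


def subsequent_boot(kms, boot_dir) -> bytes:
    """Unwrap the stored blob through KMS; returns plaintext for luksOpen."""
    return kms.decrypt(key_path(boot_dir).read_bytes())


def cryptsetup_command(first: bool, device: str, name: str = "root") -> list:
    """Build the cryptsetup argv. `--key-file -` reads the key from stdin, so
    the plaintext is piped in and never written to a file."""
    if first:
        return ["cryptsetup", "luksFormat", "--batch-mode", "--key-file", "-", device]
    return ["cryptsetup", "luksOpen", "--key-file", "-", device, name]


def boot(kms, boot_dir, device: str, run=subprocess.run) -> bool:
    """Whole flow: first boot when no wrapped key exists yet, else unlock.
    Returns True on the first boot. `run` is injectable so tests do not need
    cryptsetup or a block device."""
    first = not key_path(boot_dir).exists()
    key = first_boot(kms, boot_dir) if first else subsequent_boot(kms, boot_dir)
    run(cryptsetup_command(first, device), input=key, check=True)
    if first:  # a freshly formatted volume still has to be opened
        run(cryptsetup_command(False, device), input=key, check=True)
    return first


def demo() -> dict:
    """Run two boots against a temporary /boot with the fake KMS and report
    what reached 'cryptsetup' and what landed on disk."""
    kms, boot_dir, calls = FakeKms(), Path(tempfile.mkdtemp()), []

    def fake_run(cmd, input=None, check=False):
        calls.append((cmd[1], input))

    first = boot(kms, boot_dir, "/dev/xvda2", run=fake_run)
    second = boot(kms, boot_dir, "/dev/xvda2", run=fake_run)
    return {
        "first": first, "second": second,
        "ops": [op for op, _ in calls],
        "key": calls[0][1], "reopened_with": calls[2][1],
        "blob": key_path(boot_dir).read_bytes(),
        "mode": os.stat(key_path(boot_dir)).st_mode & 0o777,
    }


if __name__ == "__main__":
    r = demo()
    print(r["ops"], "blob on /boot equals key:", r["blob"] == r["key"])
```

Swapping FakeKms for KmsClient(key_id, region) gives the real flow; the instance role then needs kms:Encrypt only at image build/first boot and kms:Decrypt afterwards.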