If you are using AWS and care about encrypting your data on disk, you probably use the EBS encryption feature provided by AWS.
Unfortunately, it is not available for instance store-backed instances. Such instances can be faster and cheaper (you don't pay extra for the EBS volumes and their snapshots).
Encryption of the rootfs on first boot, at the initramfs stage.
- dracut-encryptrootfs module for manipulating the disk before it is mounted
- AWS Key Management Service for managing the key so that it is not stored on the machine
- simple-cloud-encrypt, a key management implementation that relies on AWS KMS
With the dracut-encryptrootfs module we are
/boot and a LUKS partition to use as the rootfs.
A detailed description of how it works can be found in the README.md.
Let us take a look at what happens during the first boot.
During subsequent boots we just unlock the LUKS volume and mount it.
As you can see, the actual LUKS key is stored encrypted at
AWS credentials are provided via the IAM Roles mechanism.
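The key handling described above, as an added Python example (not code from dracut-encryptrootfs or simple-cloud-encrypt): the LUKS key is a KMS data key whose plaintext exists only while luksFormat/luksOpen runs, and only the KMS-wrapped blob is kept on the unencrypted /boot partition. The boto3 KMS call shapes are real; FakeKms, the key alias, the device path and the EncryptionContext binding are assumptions added here so the flow runs offline.

```python
import os
import subprocess
import tempfile
from pathlib import Path

def wrap_new_luks_key(kms, key_id, blob_path, ctx):
    # First boot: only the KMS-wrapped CiphertextBlob is written to /boot; plaintext feeds luksFormat.
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=ctx)
    Path(blob_path).write_bytes(resp["CiphertextBlob"])
    return resp["Plaintext"]

def unwrap_luks_key(kms, blob_path, ctx):
    # Later boots: KMS unwraps the blob (instance IAM role needs kms:Decrypt); context must match wrap time.
    blob = Path(blob_path).read_bytes()
    return kms.decrypt(CiphertextBlob=blob, EncryptionContext=ctx)["Plaintext"]

def luks_open_with_key(key, device, name, run=subprocess.run, keyfile_dir="/run"):
    # Hand the key to cryptsetup via a 0600 tmpfs keyfile (never argv/env) and unlink it right after.
    fd, path = tempfile.mkstemp(dir=keyfile_dir, prefix="luks-")
    try:
        os.write(fd, key); os.close(fd)
        return run(["cryptsetup", "luksOpen", "--key-file", path, device, name], check=True).returncode
    finally:
        os.unlink(path)

class FakeKms:
    # Constructed offline stand-in with boto3's KMS call shapes; it does no real cryptography.
    def __init__(self):
        self._store = {}
    def generate_data_key(self, KeyId, KeySpec, EncryptionContext):
        pt, blob = os.urandom(32), os.urandom(16)
        self._store[blob] = (pt, frozenset(EncryptionContext.items()))
        return {"Plaintext": pt, "CiphertextBlob": blob}
    def decrypt(self, CiphertextBlob, EncryptionContext):
        pt, ctx = self._store[CiphertextBlob]
        if ctx != frozenset(EncryptionContext.items()):
            raise PermissionError("InvalidCiphertextException")  # context mismatch
        return {"Plaintext": pt}

def demo_round_trip():
    # First-boot then next-boot flow against FakeKms and a recording cryptsetup runner.
    kms, ctx, work, calls = FakeKms(), {"purpose": "rootfs"}, tempfile.mkdtemp(), []
    blob_path = os.path.join(work, "luks.key.kms")  # would sit on /boot for real
    first = wrap_new_luks_key(kms, "alias/rootfs-PLACEHOLDER", blob_path, ctx)
    later = unwrap_luks_key(kms, blob_path, ctx)
    fake_run = lambda cmd, check: (calls.append(cmd), subprocess.CompletedProcess(cmd, 0))[1]
    rc = luks_open_with_key(later, "/dev/xvdb2", "rootfs", run=fake_run, keyfile_dir=work)
    return {"same_key": first == later, "rc": rc, "cmd": calls[0],
            "keyfiles_left": [f for f in os.listdir(work) if f.startswith("luks-")],
            "plaintext_on_disk": first in Path(blob_path).read_bytes()}
```

With a real boto3 client in place of FakeKms, the instance's IAM role (not static credentials) supplies the kms:GenerateDataKey and kms:Decrypt permissions.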