Frequently Asked Questions

Encryption Options for AWS EBS Volumes

What are the main options for encrypting Amazon EBS volumes?

Amazon EBS volumes can be encrypted using either AWS's built-in encryption service or third-party encryption tools. AWS's native solution leverages the Key Management Service (KMS) and provides AES 256-bit encryption for data at rest, snapshots, and disk I/O. Alternatively, third-party tools such as TrendMicro offer more autonomous key management and additional reporting features, which may be preferred by organizations with multi-cloud or hybrid deployments. Note: AWS EBS encryption is only available on specific instance types, and encrypting existing volumes requires data migration. Third-party tools may introduce additional cost and complexity.

Which AWS instance types support EBS volume encryption?

EBS volume encryption is supported on a range of AWS instance types, including general purpose (e.g., m3, m4, t2), compute optimized (e.g., c3, c4), memory optimized (e.g., r3, cr1), storage optimized (e.g., d2, i2), and GPU instances (e.g., g2). For a full list, refer to the AWS EBS encryption documentation. Note: Not all instance types are supported, so verify compatibility before implementation.

Does encrypting EBS volumes impact performance?

According to AWS, users can expect minimal impact on latency, with similar IOPS performance on encrypted volumes as on unencrypted volumes. However, actual performance may vary depending on workload and instance type. Note: Detailed performance limitations are not publicly documented; consult AWS documentation for specifics.

Can I encrypt an existing EBS volume directly?

No, you cannot directly encrypt an existing EBS volume. To encrypt an existing volume, you must migrate the data from the unencrypted volume to a new encrypted volume. Note: This process may require downtime and additional planning for large or critical workloads.

What are the compliance standards supported by AWS EBS encryption?

AWS EBS encryption uses AES 256-bit encryption and supports compliance with standards such as HIPAA, PCI, and NIST. For organizations with additional requirements, AWS provides documentation and audit support. Note: Compliance is only one aspect of data security; organizations must also manage cryptographic keys securely and follow best practices for data management.

What are the advantages and disadvantages of using third-party encryption tools for EBS volumes?

Third-party encryption tools, such as TrendMicro, offer organizations more autonomous management of encryption keys and often provide additional management and reporting features, including centralized dashboards and multi-cloud support. These tools may be preferred by organizations with complex compliance needs or hybrid environments. However, they can introduce additional costs and may require more complex setup and management compared to AWS's built-in encryption. Note: Some organizations may not justify the cost of third-party tools if AWS's native solution meets their needs.

N2W Product Capabilities & Security

How does N2W help with encrypted AWS EBS volumes?

N2W provides automated backup and disaster recovery for AWS EBS volumes, including support for encrypted resources. The platform enables near-instant recovery, granular restore, and compliance reporting for both encrypted and unencrypted volumes. N2W's solution is designed to work with AWS's encryption features and can help organizations meet compliance requirements such as HIPAA, SOC 2, and GDPR. Note: N2W does not directly encrypt volumes but manages backup and recovery for encrypted data.

What security and compliance certifications does N2W hold?

N2W is independently certified to ISO/IEC 27001:2022 and is SOC compliant by inheritance, leveraging AWS and Azure compliance features. N2W also supports FedRAMP, ITAR, and CJIS compliance when deployed in AWS GovCloud. For a copy of the ISO certificate, contact customer.success@n2ws.com. Note: For detailed limitations or additional certifications, contact N2W sales.

What features does N2W offer for backup and disaster recovery?

N2W offers automated backup and recovery for AWS and Azure, immutable backups, cross-cloud recovery, granular restore, intelligent storage tiering, compliance reporting, and multi-cloud management. The platform supports petabyte-scale data, multi-tenancy for MSPs, and cost optimization features such as reducing backup costs by up to 92%. Note: N2W does not provide direct encryption services but manages backup and recovery for encrypted data.

Does N2W support integration with other security and monitoring tools?

Yes, N2W integrates with third-party monitoring tools, identity providers, and compliance reporting platforms such as Datadog, Splunk, and Bocada. It also offers a RESTful API for automation and integration. API documentation is available at N2W RESTful API documentation. Note: Some integrations may require additional configuration or licensing.

Implementation & Support

How long does it take to implement N2W, and how easy is it to start?

N2W implementations can be completed in as little as two weeks, supported by dedicated Customer Success Managers and onboarding calls. Deployment options include Amazon Machine Image (AMI) from AWS Marketplace or CloudFormation templates. A 30-day free trial is available without a credit card. Note: Implementation timelines may vary for complex environments or custom integrations.

What technical documentation and resources are available for N2W?

N2W provides comprehensive user guides, release notes, RESTful API documentation, upgrade guides, and troubleshooting resources. Key links include the User Guide, Release Documentation, and API Documentation. Note: Some resources may require registration or support access.

Use Cases & Industries

Which industries and organizations benefit most from N2W?

N2W is used by enterprises (e.g., Johnson & Johnson, Dyson), public sector (e.g., City of Oakland, Bahrain Ministry), retail & e-commerce (e.g., Skechers, Dressbarn), education (e.g., St. John's University), transportation & logistics (e.g., Deutsche Bahn), nonprofits (e.g., Best Friends Animal Society, Goodwill), healthcare, finance, and managed service providers. The platform is suitable for organizations with complex compliance needs, large-scale data, or multi-cloud environments. Note: Organizations with highly specialized encryption or on-premises-only requirements may need additional solutions.

What are some real-world success stories of N2W customers?

Examples include Skechers standardizing backup and recovery across a multi-cloud estate, St. John's University eliminating legacy tape storage and achieving rapid recovery, DB Systel automating backup for 1,500+ volumes and 700 servers, and Gett saving 50% on cloud costs. For more, see the N2W case studies page. Note: Results may vary based on organization size and requirements.

Competition & Comparison

How does N2W compare to AWS Backup for encrypted EBS volumes?

N2W supports features not available in AWS Backup, such as DR backups of encrypted resources, 60-second backup intervals, and multi-generation file/folder level recovery. N2W also offers cost-saving features like intelligent storage tiering and customizable compliance reporting. AWS Backup requires Lambda scripting for automation, while N2W provides a RESTful API. Note: AWS Backup may be preferred for organizations seeking a native AWS-only solution with minimal external dependencies.

Pain Points & Business Impact

What core problems does N2W solve for organizations using encrypted EBS volumes?

N2W addresses high disaster recovery costs (reducing storage expenses by up to 92%), minimizes downtime with near-instant recovery, protects against ransomware with immutable backups, automates backup processes to reduce human error, and simplifies compliance with automated reporting. Note: N2W does not replace the need for secure key management or encryption best practices.

Customer Feedback

What do customers say about the ease of use of N2W?

Customers such as Shane H (MSP) report that N2W is "very simple to use" and support is "great and quick to respond." Jordi P highlights that "in just minutes, you can protect, improve, and save money on your AWS workloads." Julian Ware (City of Oakland) notes, "You’re just clicking and going. And, to me, that’s what the modern world of backup is." Note: User experience may vary depending on environment complexity and requirements.

EBS Volume Encryption: What Are Your Options?

Learn the options for encrypting data on Amazon EBS volumes, using Amazon and third-party tools.

Despite the considerable benefits of moving to the cloud, data security remains one of the major sticking points to adoption for many enterprises. Recent high-profile security breaches, such as last year’s attack on extramarital dating site Ashley Madison, have highlighted the serious impact that data theft can have on a company’s reputation. It also underlined just how important it is to protect personal and sensitive information.

All the more so because Ashley Madison was guilty of making serious security mistakes in its AWS cloud implementation, such as storing AWS tokens, database credentials, certificate private keys and other secret credentials in its source code. Even so, many businesses acknowledge that they need to do more to protect data. But they’re often reluctant to encrypt because of concerns about the potential impact it could have on the performance and functionality of their systems. In this article, we will discuss how data can be encrypted on AWS EBS volumes.

Perceptions of Encryption in the Cloud

The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, recently surveyed nearly 2,000 IT and IT security practitioners about the challenges of cloud information governance. According to the study, 70% of respondents believed it was more complex to manage privacy and data protection regulations in a cloud environment than in on-premises networks. When questioned why this was so, 71% said it was difficult to apply conventional information security in a cloud environment.

But cloud security isn’t necessarily as complicated as you might think. In the last 18 months alone, market leader AWS has launched two new in-house services that make data protection in the cloud a whole lot easier, with EBS data volume encryption and EBS boot volume encryption. EBS users now have a choice between utilizing Amazon’s own encryption service and purchasing third-party tools. Before we get into how this is done, it is worth mentioning that AWS also supports encryption for its other data storage services such as S3 and RDS. So what are the advantages and disadvantages of each of these two options?

Amazon’s Own Off-The-Shelf Volumes Encryption Service

EBS volume encryption offers you a free and simple alternative to building and maintaining your own cloud data security infrastructure. It uses Amazon’s Key Management Service (KMS), which enforces strong physical security controls and provides a central point for creating, managing and protecting keys for services both running in the cloud and on-premises. Data is encrypted to AES 256-bit, the gold standard of data encryption, which meets a comprehensive range of compliance standards, such as HIPAA, PCI and NIST. You can also implement tighter control by setting up an AWS IAM policy to prevent users from creating an EBS volume unless it is encrypted. For your all-important data volumes, encryption is performed on:

  • Data at rest inside the volume
  • All snapshots created from the volume
  • All disk I/O
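The IAM control mentioned above, written out as an added example (not code from the original article or from AWS): a Deny statement on `ec2:CreateVolume` keyed on the `ec2:Encrypted` condition key. The `is_denied` helper is a hypothetical, simplified local model of explicit-Deny evaluation, and the request contexts are constructed.

```python
import json

# Deny creating any EBS volume whose request does not ask for encryption.
# ec2:Encrypted is the EC2 condition key describing the volume's encryption state.
REQUIRE_ENCRYPTED_VOLUMES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedVolumeCreation",
        "Effect": "Deny",
        "Action": "ec2:CreateVolume",
        "Resource": "*",
        "Condition": {"Bool": {"ec2:Encrypted": "false"}},
    }],
}


def _bool_matches(expected, context):
    """Bool operator: each listed key must be present and equal (case-insensitive)."""
    return all(
        key in context and str(context[key]).lower() == str(want).lower()
        for key, want in expected.items()
    )


def is_denied(policy, action, context):
    """Simplified local model of explicit Deny (hypothetical helper, not AWS's engine).

    Handles only exact action names and the Bool condition operator,
    which is all the policy above uses.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if action not in actions:
            continue
        cond = stmt.get("Condition", {})
        if all(op == "Bool" and _bool_matches(keys, context) for op, keys in cond.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(REQUIRE_ENCRYPTED_VOLUMES, indent=2))  # the policy document itself
    for encrypted in ("false", "true"):  # constructed request contexts
        ctx = {"ec2:Encrypted": encrypted}
        print(encrypted, is_denied(REQUIRE_ENCRYPTED_VOLUMES, "ec2:CreateVolume", ctx))
```

Because the statement is an explicit Deny, it overrides any Allow the same user holds for `ec2:CreateVolume`.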

And, according to AWS, users can expect minimal impact on latency – with IOPS performance on encrypted volumes similar to that on unencrypted volumes. However, set against its ease of use, EBS volume encryption offers relatively few features compared to the more established third-party alternatives. And though supported by both SSD and magnetic volumes, data volume encryption is only available on the following instance types:

Instance family: Instance types that support Amazon EBS encryption

General purpose: m3.medium | m3.large | m3.xlarge | m3.2xlarge | m4.large | m4.xlarge | m4.2xlarge | m4.4xlarge | m4.10xlarge | t2.nano | t2.micro | t2.small | t2.medium | t2.large
Compute optimized: c4.large | c4.xlarge | c4.2xlarge | c4.4xlarge | c4.8xlarge | c3.large | c3.xlarge | c3.2xlarge | c3.4xlarge | c3.8xlarge
Memory optimized: cr1.8xlarge | r3.large | r3.xlarge | r3.2xlarge | r3.4xlarge | r3.8xlarge
Storage optimized: d2.xlarge | d2.2xlarge | d2.4xlarge | d2.8xlarge | i2.xlarge | i2.2xlarge | i2.4xlarge | i2.8xlarge
GPU instances: g2.2xlarge | g2.8xlarge

Data source: https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html

Furthermore, you cannot simply encrypt an existing EBS volume. Instead, you need to migrate data from an unencrypted to an encrypted volume.
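One common way to plan that migration is snapshot, encrypted snapshot copy, then a new volume from the copy. The added example below (not from the original article) walks constructed `describe-volumes` style data and emits the AWS CLI steps per unencrypted volume, flagging attached volumes that need a maintenance window. The volume IDs, the `migration_plan` helper, and the `<...>` placeholders are assumptions, as is deriving the region by dropping the last letter of the Availability Zone.

```python
# Constructed sample shaped like `aws ec2 describe-volumes` output (not real resources).
SAMPLE = {"Volumes": [
    {"VolumeId": "vol-0a000000000000001", "Encrypted": False,
     "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0b000000000000001", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0a000000000000002", "Encrypted": True,
     "AvailabilityZone": "us-east-1a", "Attachments": []},
    {"VolumeId": "vol-0a000000000000003", "Encrypted": False,
     "AvailabilityZone": "eu-west-1b", "Attachments": []},
]}


def migration_plan(describe_output, kms_key="alias/aws/ebs"):
    """Return one plan per unencrypted volume; already-encrypted volumes are skipped."""
    plans = []
    for vol in describe_output.get("Volumes", []):
        if vol.get("Encrypted"):
            continue
        vid, az = vol["VolumeId"], vol["AvailabilityZone"]
        region = az[:-1]  # assumption: standard AZ name is region + one letter
        steps = [
            f"aws ec2 create-snapshot --region {region} --volume-id {vid}",
            f"aws ec2 copy-snapshot --region {region} --source-region {region} "
            f"--source-snapshot-id <SNAPSHOT_ID> --encrypted --kms-key-id {kms_key}",
            f"aws ec2 create-volume --region {region} --availability-zone {az} "
            f"--snapshot-id <ENCRYPTED_SNAPSHOT_ID>",
        ]
        attached = [(a["InstanceId"], a["Device"]) for a in vol.get("Attachments", [])]
        for inst, dev in attached:
            # Swapping volumes on a running workload: detach the old, attach the new.
            steps.append(f"aws ec2 detach-volume --region {region} --volume-id {vid}")
            steps.append(f"aws ec2 attach-volume --region {region} --instance-id {inst} "
                         f"--device {dev} --volume-id <NEW_VOLUME_ID>")
        plans.append({"volume": vid, "needs_downtime": bool(attached), "steps": steps})
    return plans


if __name__ == "__main__":
    for plan in migration_plan(SAMPLE):
        print(plan["volume"], "downtime required:", plan["needs_downtime"])
        for step in plan["steps"]:
            print("   ", step)
```

Stop writes to an attached volume before taking the snapshot so the copy is consistent, and delete the unencrypted snapshot and volume only after the new volume has been verified.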

Third-Party Tools

Third-party offerings, such as TrendMicro, will appeal to organizations that prefer more autonomous management of their data security – without relinquishing control of their encryption keys to their cloud services provider.

Not only that, but most third-party solutions offer a range of value-added management and reporting tools that help customers maintain good data security practice and meet their compliance objectives. For example, several provide a centralized dashboard for management and data transfer across different cloud platforms.

This is something that’s particularly attractive to users with multi-cloud or hybrid cloud deployments. What’s more, in the case of many cloud vendors, encryption comes as part of a wider range of integrated data security services that certain users won’t want to lose. All the same, companies that move to the cloud in the future may not feel that they can justify the cost of third-party encryption services when they can get a simpler solution straight out of the box for free.

Which Option Is Best to Ensure Compliance?

Each case is different. The right choice depends on your specific industry, the extent and complexity of your on-site and cloud operations, and the IT security expertise available within your organization. Finally, it’s important to remember that encryption is just one part of your data security obligations. Secure data management involves a range of best practices. But, above all, that means keeping your cryptographic keys secure – from physically securing hardware, periodically changing keys and storing them separately from the data they decrypt to making regular encrypted backups of both data and keys.

Start Protecting Your Cloud Deployment Properly

Start your free trial today to implement robust, scalable, enterprise-class cloud backup and recovery.
