1
00:00:00,000 --> 00:00:00,980
<v Instructor>All right, finally, let's</v>

2
00:00:00,980 --> 00:00:02,410
talk about the last operation,

3
00:00:02,410 --> 00:00:05,160
which is how do you encrypt an EBS volume?

4
00:00:05,160 --> 00:00:08,050
So when you create an encrypted EBS volume,

5
00:00:08,050 --> 00:00:09,140
right away you get the following.

6
00:00:09,140 --> 00:00:12,480
You get data at rest being encrypted inside your volume.

7
00:00:12,480 --> 00:00:14,650
All the data in flight between the instance

8
00:00:14,650 --> 00:00:16,180
and the volume is encrypted.

9
00:00:16,180 --> 00:00:18,060
All the snapshots will be encrypted.

10
00:00:18,060 --> 00:00:19,940
And all the volumes created from the snapshots

11
00:00:19,940 --> 00:00:22,930
are encrypted so there is encryption all around the place.

12
00:00:22,930 --> 00:00:26,580
And the old encryption and decryption mechanism

13
00:00:26,580 --> 00:00:28,030
is handled transparently for you,

14
00:00:28,030 --> 00:00:29,350
so you have nothing to do.

15
00:00:29,350 --> 00:00:32,770
It's all handled by EC2 and EBS behind the scenes.

16
00:00:32,770 --> 00:00:35,530
So encryption overall is something you should use,

17
00:00:35,530 --> 00:00:38,620
because it has a very, very minimal impact on latency,

18
00:00:38,620 --> 00:00:39,790
almost nothing.

19
00:00:39,790 --> 00:00:44,410
And it leverages keys from KMS, so AES-256.

20
00:00:44,410 --> 00:00:46,450
That's something that you should know.

21
00:00:46,450 --> 00:00:50,520
And so when you copy an unencrypted snapshot,

22
00:00:50,520 --> 00:00:52,760
then you enable encryption.

23
00:00:52,760 --> 00:00:55,390
So let's talk about a very important thing

24
00:00:55,390 --> 00:00:58,910
which is how do you encrypt an unencrypted EBS volume?

25
00:00:58,910 --> 00:01:01,390
So to encrypt an unencrypted EBS volume,

26
00:01:01,390 --> 00:01:03,930
which is a very tough thing to say (chuckles),

27
00:01:03,930 --> 00:01:06,500
you create an EBS snapshot of the volume.

28
00:01:06,500 --> 00:01:09,900
Then you encrypt the EBS snapshot, using the copy function.

29
00:01:09,900 --> 00:01:12,450
Then we create a new EBS volume from the snapshots

30
00:01:12,450 --> 00:01:14,490
and that volume will also be encrypted.

31
00:01:14,490 --> 00:01:16,320
And now we can attach the encrypted volume

32
00:01:16,320 --> 00:01:17,800
to the original instance.

33
00:01:17,800 --> 00:01:20,090
So let's go have a look at how we do this in the console.

34
00:01:20,090 --> 00:01:23,030
Okay, so if we look at our volumes, this one,

35
00:01:23,030 --> 00:01:24,930
that was the one we created from before.

36
00:01:24,930 --> 00:01:27,430
The encrypted flag says not encrypted,

37
00:01:27,430 --> 00:01:29,030
so this volume is not encrypted.

38
00:01:29,030 --> 00:01:31,000
And maybe we wanted to encrypt it.

39
00:01:31,000 --> 00:01:33,070
So we right click, we create a snapshot,

40
00:01:33,070 --> 00:01:35,190
but we've already done that, so we go to the snapshot

41
00:01:35,190 --> 00:01:36,870
and here is our snapshot.

42
00:01:36,870 --> 00:01:39,060
As we can see our snapshot, encrypted

43
00:01:39,060 --> 00:01:40,640
is not encrypted.

44
00:01:40,640 --> 00:01:44,060
So because we did a snapshot of a

45
00:01:44,060 --> 00:01:48,630
non-encrypted EBS volume, we get a non-encrypted snapshot.

46
00:01:48,630 --> 00:01:49,700
Now right click.

47
00:01:49,700 --> 00:01:52,130
If I wanted to create a volume from it as you can see,

48
00:01:52,130 --> 00:01:54,500
the volume will also be not encrypted,

49
00:01:54,500 --> 00:01:55,760
so it's not what we want.

50
00:01:55,760 --> 00:01:57,290
So as I said in the lecture,

51
00:01:57,290 --> 00:02:00,180
what I need to do is right click and copy.

52
00:02:00,180 --> 00:02:02,080
By copying this snapshot,

53
00:02:02,080 --> 00:02:05,050
I can click here and encrypt this snapshot.

54
00:02:05,050 --> 00:02:07,180
So I can put any region that I want,

55
00:02:07,180 --> 00:02:09,960
but I can stay within this same region, which I will do.

56
00:02:09,960 --> 00:02:11,930
And I will say okay, encrypt this snapshot

57
00:02:11,930 --> 00:02:15,150
using the default AWS EBS master key.

58
00:02:15,150 --> 00:02:16,810
Copy, and here we go.

59
00:02:16,810 --> 00:02:19,270
Now the snapshot is being copied,

60
00:02:19,270 --> 00:02:21,970
and if I refresh, now we can see that

61
00:02:21,970 --> 00:02:24,810
we have a copied snapshot right away from here.

62
00:02:24,810 --> 00:02:26,960
So the snapshot is being created.

63
00:02:26,960 --> 00:02:29,050
Now the snapshot, if we look at the bottom right,

64
00:02:29,050 --> 00:02:31,760
it says encrypted, encrypted, and then we get

65
00:02:31,760 --> 00:02:35,370
some KMS information around how it's been encrypted.

66
00:02:35,370 --> 00:02:36,680
Which is quite neat.

67
00:02:36,680 --> 00:02:39,880
So then you just wait for the encrypted copy to happen.

68
00:02:39,880 --> 00:02:41,340
And so now it's completed.

69
00:02:41,340 --> 00:02:43,970
I right click and create a volume from it.

70
00:02:43,970 --> 00:02:44,803
And here we go.

71
00:02:44,803 --> 00:02:47,340
Now the encryption is encrypted.

72
00:02:47,340 --> 00:02:49,520
And so if you were to create a volume of five gigabytes

73
00:02:49,520 --> 00:02:53,530
and maybe eu-west-1b, just to keep the same AZ.

74
00:02:53,530 --> 00:02:57,340
And click on create volume, and go to that volume now.

75
00:02:57,340 --> 00:02:59,800
In the volume EBS thing, so I'll just wait

76
00:02:59,800 --> 00:03:01,220
just a little bit, here we go.

77
00:03:01,220 --> 00:03:02,390
Here it is.

78
00:03:02,390 --> 00:03:06,080
Now we can see that this new volume in eu-west-1b,

79
00:03:06,080 --> 00:03:08,740
is available and it is encrypted,

80
00:03:08,740 --> 00:03:10,730
right away, for us, right off the bat.

81
00:03:10,730 --> 00:03:13,090
So this is pretty cool, this is how you would go

82
00:03:13,090 --> 00:03:14,750
and encrypt an EBS volume. (chuckles)

83
00:03:14,750 --> 00:03:16,880
I know it's very manual, so you could

84
00:03:16,880 --> 00:03:18,150
automate this if you wanted to,

85
00:03:18,150 --> 00:03:20,690
but super important for you to see it once.

86
00:03:20,690 --> 00:03:21,680
Okay, I hope you enjoyed it.

87
00:03:21,680 --> 00:03:23,430
I will see you in the next lecture.

