1
00:00:00,090 --> 00:00:01,490
All right, finally, let's talk about

2
00:00:01,490 --> 00:00:02,420
the last operation,

3
00:00:02,420 --> 00:00:05,160
which is how do you encrypt an EBS volume?

4
00:00:05,160 --> 00:00:08,039
So, when you create an encrypted EBS volume,

5
00:00:08,039 --> 00:00:09,910
right away you get the following, you get data

6
00:00:09,910 --> 00:00:12,048
at rest being encrypted inside your volume,

7
00:00:12,048 --> 00:00:14,316
all the data in flight between the instance

8
00:00:14,316 --> 00:00:16,170
and the volume is encrypted,

9
00:00:16,170 --> 00:00:18,900
all the snapshots will be encrypted, and all the volumes

10
00:00:18,900 --> 00:00:20,520
created from the snapshots are encrypted.

11
00:00:20,520 --> 00:00:22,930
So, there's encryption all around the place,

12
00:00:22,930 --> 00:00:26,270
and all the encryption and decryption mechanism

13
00:00:26,270 --> 00:00:28,040
is handled transparently for you.

14
00:00:28,040 --> 00:00:29,350
So, you have nothing to do.

15
00:00:29,350 --> 00:00:32,780
It's all handled by EC2 and EBS behind the scenes.

16
00:00:32,780 --> 00:00:35,530
So, encryption overall, something you should use

17
00:00:35,530 --> 00:00:38,600
because it has a very, very minimal impact on latency,

18
00:00:38,600 --> 00:00:41,980
almost nothing, and it leverages keys from KMS,

19
00:00:41,980 --> 00:00:46,430
so AES-256, that's something that you should know.

20
00:00:46,430 --> 00:00:50,530
And so, when you copy an unencrypted snapshot,

21
00:00:50,530 --> 00:00:52,770
then you enable encryption.

22
00:00:52,770 --> 00:00:55,390
So, let's talk about a very important thing,

23
00:00:55,390 --> 00:00:58,920
which is how do you encrypt an unencrypted EBS volume.

24
00:00:58,920 --> 00:01:01,390
So, to encrypt an unencrypted EBS volume,

25
00:01:01,390 --> 00:01:03,930
which is a very tough thing to say,

26
00:01:03,930 --> 00:01:06,510
you create an EBS snapshot of the volume.

27
00:01:06,510 --> 00:01:09,910
Then you encrypt the EBS snapshot using the copy function.

28
00:01:09,910 --> 00:01:12,347
Then we create a new EBS volume from the snapshot

29
00:01:12,347 --> 00:01:14,490
and that volume will also be encrypted,

30
00:01:14,490 --> 00:01:16,330
and now we can attach the encrypted volume

31
00:01:16,330 --> 00:01:17,810
to the original instance.

32
00:01:17,810 --> 00:01:20,150
So, let's go have a look at how we do this in the console.

33
00:01:20,150 --> 00:01:22,170
Okay, so let's explore the different options

34
00:01:22,170 --> 00:01:24,460
with EBS volumes and encryption.

35
00:01:24,460 --> 00:01:27,050
So, let's create a one gigabyte EBS volume,

36
00:01:27,050 --> 00:01:29,040
and this one will not be encrypted.

37
00:01:29,040 --> 00:01:31,450
So, I will leave this setting unchecked,

38
00:01:31,450 --> 00:01:33,490
and, therefore, when I create my volume

39
00:01:33,490 --> 00:01:36,010
and have a look at it, if we look at the state

40
00:01:36,010 --> 00:01:38,940
of encryption, it says not encrypted.

41
00:01:38,940 --> 00:01:42,730
Okay, so what's happening is that if we do create

42
00:01:42,730 --> 00:01:45,720
a snapshot from this volume, as we can see

43
00:01:45,720 --> 00:01:48,120
the encryption setting will be set to not encrypted.

44
00:01:48,120 --> 00:01:51,520
So, any snapshots encrypted from a non-encrypted EBS volume

45
00:01:51,520 --> 00:01:53,772
will be not encrypted.

46
00:01:53,772 --> 00:01:55,970
So, let's go ahead and create this snapshot,

47
00:01:55,970 --> 00:01:58,300
and let's go ahead to the snapshots page.

48
00:01:58,300 --> 00:02:02,360
And so, this snapshot, as we observe, is not encrypted.

49
00:02:02,360 --> 00:02:05,270
And so, to create an encrypted snapshot,

50
00:02:05,270 --> 00:02:07,250
now, what you have to do is to do action

51
00:02:07,250 --> 00:02:11,720
and then create copy snapshot, excuse me,

52
00:02:11,720 --> 00:02:12,818
and when you copy the snapshot,

53
00:02:12,818 --> 00:02:15,426
you have the option right here to enable encryption

54
00:02:15,426 --> 00:02:17,680
into the same destination region.

55
00:02:17,680 --> 00:02:21,220
So, now, this snapshot is going to be encrypted

56
00:02:21,220 --> 00:02:24,110
and you can select the KMS key, right here.

57
00:02:24,110 --> 00:02:27,500
So, we'll copy this snapshot and we're good.

58
00:02:27,500 --> 00:02:30,744
Next, what I have to do is from this encrypted snapshot

59
00:02:30,744 --> 00:02:34,620
that is now completed, I can create a volume.

60
00:02:34,620 --> 00:02:37,520
And if I do action, create volume from snapshot,

61
00:02:37,520 --> 00:02:40,710
as we can see, we can create a one gigabyte EBS volume.

62
00:02:40,710 --> 00:02:43,940
And here encryption is enabled for this volume

63
00:02:43,940 --> 00:02:47,370
because my underlying snapshot is encrypted.

64
00:02:47,370 --> 00:02:51,390
And, therefore, if I click on create volume,

65
00:02:51,390 --> 00:02:54,700
and have a look at my volumes on the left-hand side,

66
00:02:54,700 --> 00:02:57,180
this one, which was created from a snapshot,

67
00:02:57,180 --> 00:03:00,520
is now available and it says encryption, encrypted.

68
00:03:00,520 --> 00:03:01,410
So, that's good.

69
00:03:01,410 --> 00:03:04,770
We saw how we can encrypt one EBS volume this way,

70
00:03:04,770 --> 00:03:07,390
by going through a snapshot copying and so on.

71
00:03:07,390 --> 00:03:08,223
There's a shortcut.

72
00:03:08,223 --> 00:03:10,410
So, if you take your unencrypted snapshot,

73
00:03:10,410 --> 00:03:12,750
so this one is not encrypted,

74
00:03:12,750 --> 00:03:15,504
so if you take this snapshot and then you do action,

75
00:03:15,504 --> 00:03:18,456
create volume from snapshot, zero shortcuts,

76
00:03:18,456 --> 00:03:20,803
you can actually on the fly enable encryption

77
00:03:20,803 --> 00:03:24,670
for the EBS volume directly from here, select an EBS key,

78
00:03:24,670 --> 00:03:28,200
and you would create an encrypted EBS volume this way

79
00:03:28,200 --> 00:03:30,660
through an unencrypted snapshot.

80
00:03:30,660 --> 00:03:32,997
Okay, so let's say you've seen all the options.

81
00:03:32,997 --> 00:03:36,260
Just to be finished, make sure to delete your snapshots

82
00:03:36,260 --> 00:03:38,830
by typing delete and then you would do

83
00:03:38,830 --> 00:03:40,540
the exact same thing on your volumes.

84
00:03:40,540 --> 00:03:42,900
Just delete these EBS volumes.

85
00:03:42,900 --> 00:03:44,290
Okay, that's it.

86
00:03:44,290 --> 00:03:47,290
I hope you liked it, and I will see you in the next lecture.