Encrypt EBS volumes from AWS EC2 instances
A serverless version of this script exists here: https://github.com/jbrt/ec2cryptomatic-serverless
This tool let you :
- Encrypt all the EBS volumes for an instance
- If volumes already encrypted, re-encrypt these with the given key
- Duplicate all the source tags to the target
- Apply DeleteOnTermination flag if needs
- Preserve the original volume or not as an option (thank to @cobaltjacket)
- Start each instance after encrypting is complete (thank to @dshah22)
For your information, the workflow used to encrypt an EBS volume is:
- Take a snapshot from the original volume
- Create a new volume encrypted from that snapshot
- Swap volumes
- Delete source unencrypted volumes (if requested)
Since version 1, EC2Cryptomatic was coded in Python. This version 2 is a complete rewriting of this tool in Golang.
Why Golang instead of Python ? Principally because of fun and for training for the author on that language.
Golang is also a good option for a CLI tool like this (more portable than Python).
Python version is still available at git tag 1.2.4.
EC2Cryptomatic needs the following IAM rights:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2CryptomaticPolicy",
"Action": [
"ec2:AttachVolume",
"ec2:CopyImage",
"ec2:CopySnapshot",
"ec2:CreateSnapshot",
"ec2:CreateVolume",
"ec2:CreateTags",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
"ec2:StartInstances",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Here is the syntax of ec2cryptomatic. You have to specify a AWS region name and one EC2 instance ID.
Encrypt all EBS volumes for the given instances
Usage:
ec2cryptomatic run [flags]
Flags:
-d, --discard Discard source volumes after encryption process (default: false)
-h, --help help for run
-i, --instance string Instance ID of instance of encrypt (required)
-k, --kmskey string KMS key alias name (default "alias/aws/ebs")
-r, --region string AWS region (required)
You can build a Docker image of that tool with the Dockerfile provided in this repository :
docker build -t ec2cryptomatic:latest .
Or you can use the image already pulled into the official Docker Hub:
docker pull jbrt/ec2cryptomatic
If you do not want to use Docker, you can use a binary version (accessible from the release section). Versions currently supported:
- Linux (x86_64, ARM)
- FreeBSD (x86_64, ARM)
- MacOS/Darwin (x86_64 only)
- Windows (x86_64 only)
This project is under GPL3 license