Encrypt EBS volumes from AWS EC2 instances
A serverless version of this script exists here: https://github.com/jbrt/ec2cryptomatic-serverless
This tool lets you:
For your information, the workflow used to encrypt an EBS volume is:
Up to version 1, EC2Cryptomatic was written in Python. Version 2 is a complete rewrite of the tool in Go.
Why Go instead of Python? Mainly for fun, and as training for the author in that language.
Go is also a good fit for a CLI tool like this (a single binary is more portable than a Python environment).
The Python version is still available at git tag 1.2.4.
EC2Cryptomatic needs the following IAM permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2CryptomaticPolicy",
      "Action": [
        "ec2:AttachVolume",
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:ModifyInstanceAttribute",
        "ec2:StartInstances",
        "kms:DescribeKey"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
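Before handing this policy to the role that will run the tool, it is worth checking that it still grants every action the tool calls (policies tend to get trimmed over time) and noticing that the statement uses `"Resource": "*"`. The following Go program is an added example, not part of ec2cryptomatic, that uses only the standard library: it parses an IAM policy document, compares its Allow statements against the action list above, and flags wildcard resources. `TrimmedPolicy` is a constructed variant with two actions removed, included so the check has something to report. The check deliberately does not interpret Deny statements or action wildcards such as `ec2:*`; it is a sanity check, not an IAM evaluator.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// requiredActions is the action list from the README policy above.
var requiredActions = []string{
	"ec2:AttachVolume", "ec2:CopyImage", "ec2:CopySnapshot", "ec2:CreateSnapshot",
	"ec2:CreateVolume", "ec2:CreateTags", "ec2:DeleteSnapshot", "ec2:DeleteVolume",
	"ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumes",
	"ec2:DetachVolume", "ec2:ModifyInstanceAttribute", "ec2:StartInstances",
	"kms:DescribeKey",
}

// stringOrSlice accepts the IAM convention where "Action" and "Resource"
// may be written as a single string or as an array of strings.
type stringOrSlice []string

func (s *stringOrSlice) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*s = []string{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

type statement struct {
	Sid      string        `json:"Sid"`
	Effect   string        `json:"Effect"`
	Action   stringOrSlice `json:"Action"`
	Resource stringOrSlice `json:"Resource"`
}

type policy struct {
	Version   string      `json:"Version"`
	Statement []statement `json:"Statement"`
}

// Report summarises what the check found in one policy document.
type Report struct {
	Missing          []string // required actions no Allow statement grants
	WildcardResource bool     // at least one Allow statement uses Resource "*"
}

// CheckPolicy parses an IAM policy document and compares its Allow
// statements against requiredActions. Deny statements and action
// wildcards (e.g. "ec2:*") are not evaluated.
func CheckPolicy(doc []byte) (Report, error) {
	var p policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return Report{}, err
	}
	allowed := map[string]bool{}
	var rep Report
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range st.Action {
			allowed[a] = true
		}
		for _, r := range st.Resource {
			if r == "*" {
				rep.WildcardResource = true
			}
		}
	}
	for _, a := range requiredActions {
		if !allowed[a] {
			rep.Missing = append(rep.Missing, a)
		}
	}
	sort.Strings(rep.Missing)
	return rep, nil
}

// ReadmePolicy is the policy document from the README, embedded as input.
const ReadmePolicy = `{"Version":"2012-10-17","Statement":[{"Sid":"EC2CryptomaticPolicy","Action":[
"ec2:AttachVolume","ec2:CopyImage","ec2:CopySnapshot","ec2:CreateSnapshot","ec2:CreateVolume",
"ec2:CreateTags","ec2:DeleteSnapshot","ec2:DeleteVolume","ec2:DescribeInstances",
"ec2:DescribeSnapshots","ec2:DescribeVolumes","ec2:DetachVolume","ec2:ModifyInstanceAttribute",
"ec2:StartInstances","kms:DescribeKey"],"Effect":"Allow","Resource":"*"}]}`

// TrimmedPolicy is a constructed variant missing ec2:StartInstances and
// kms:DescribeKey, and scoped to one (placeholder) volume ARN.
const TrimmedPolicy = `{"Version":"2012-10-17","Statement":[{"Sid":"Trimmed","Action":[
"ec2:AttachVolume","ec2:CopyImage","ec2:CopySnapshot","ec2:CreateSnapshot","ec2:CreateVolume",
"ec2:CreateTags","ec2:DeleteSnapshot","ec2:DeleteVolume","ec2:DescribeInstances",
"ec2:DescribeSnapshots","ec2:DescribeVolumes","ec2:DetachVolume","ec2:ModifyInstanceAttribute"],
"Effect":"Allow","Resource":"arn:aws:ec2:REGION:ACCOUNT-ID:volume/vol-PLACEHOLDER"}]}`

func main() {
	for _, doc := range []struct{ name, body string }{{"readme", ReadmePolicy}, {"trimmed", TrimmedPolicy}} {
		rep, err := CheckPolicy([]byte(doc.body))
		if err != nil {
			fmt.Printf("%s: parse error: %v\n", doc.name, err)
			continue
		}
		fmt.Printf("%s: missing=%v wildcardResource=%v\n", doc.name, rep.Missing, rep.WildcardResource)
	}
}
```

Run it against the policy attached to your role before the first encryption run; a missing action only surfaces mid-workflow, after snapshots have already been created. The wildcard flag is informational: new snapshots and volumes get IDs at runtime, so scoping the statement more tightly is a deliberate decision rather than a drop-in change.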
Here is the syntax of ec2cryptomatic. You have to specify an AWS region name and one EC2 instance ID.
```
Encrypt all EBS volumes for the given instances

Usage:
  ec2cryptomatic run [flags]

Flags:
  -d, --discard           Discard source volumes after encryption process (default: false)
  -h, --help              help for run
  -i, --instance string   Instance ID of instance of encrypt (required)
  -k, --kmskey string     KMS key alias name (default "alias/aws/ebs")
  -r, --region string     AWS region (required)
```
You can build a Docker image of the tool with the Dockerfile provided in this repository:

```
docker build -t ec2cryptomatic:latest .
```
Or you can pull the image already published on the official Docker Hub:

```
docker pull jbrt/ec2cryptomatic
```
If you do not want to use Docker, you can use a binary version (available from the releases section). Versions currently supported:
This project is under the GPL3 license.