I enabled at-rest data encryption on the Amazon Elastic Block Store (Amazon EBS) storage volumes in my Amazon EMR cluster, but the Amazon Elastic Compute Cloud (Amazon EC2) console says that the volumes are not encrypted. How can I confirm that the storage volumes are encrypted?

At-rest local disk encryption works at the operating system level, not at the Amazon EBS level. You can't use an API or the EC2 console to confirm that at-rest local disk encryption is enabled on the Amazon EMR cluster. The EC2 console displays the Not Encrypted status for all EBS storage volumes that use at-rest local disk encryption.

Note: When the EBS root volume is encrypted, the EC2 console displays the Encrypted status, because EBS root volumes do not use at-rest local disk encryption.

Run the following command to verify that the EBS storage volumes are encrypted:

$ sudo dmsetup status

If the target type shown for each device is crypt, your EBS storage volumes are encrypted:

xvdb2: 0 56616927 crypt
xvdb1: 0 10481664 crypt

You can also use the lsblk or blkid commands. These commands provide encryption information and additional details about your disks.
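The following script is an added example, not part of the AWS article: it parses dmsetup status output of the form shown above, labels each device-mapper device by its target type, and succeeds only when every device is a dm-crypt mapping. The sample lines are constructed (the two crypt lines mirror the article; the linear line is added for contrast).

```shell
#!/bin/sh
# Added example (not from the AWS article): classify each device-mapper
# device in `dmsetup status` output and report whether all use dm-crypt.
# On a cluster node: sudo dmsetup status | check_dm_crypt

# Reads dmsetup status lines on stdin. Prints one line per device with its
# target type and returns 0 only if every device uses the crypt target.
check_dm_crypt() {
    all_crypt=1
    count=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        # Line format: "<name>: <start> <length> <target> [params...]"
        name=${line%%:*}
        rest=${line#*: }
        set -- $rest
        target=$3
        count=$((count + 1))
        if [ "$target" = "crypt" ]; then
            printf '%s\tencrypted (dm-crypt)\n' "$name"
        else
            printf '%s\tNOT dm-crypt (target: %s)\n' "$name" "$target"
            all_crypt=0
        fi
    done
    # Empty input means no device-mapper devices at all: treat as failure.
    [ "$count" -gt 0 ] && [ "$all_crypt" -eq 1 ]
}

# Constructed sample output: all volumes encrypted.
SAMPLE_ENCRYPTED='xvdb2: 0 56616927 crypt
xvdb1: 0 10481664 crypt'

# Constructed sample output: one plain linear mapping mixed in.
SAMPLE_MIXED='xvdb2: 0 56616927 crypt
xvdc1: 0 20971520 linear'
```

A volume that never appears in dmsetup status has no device-mapper layer at all, so compare the listed names against the disks shown by lsblk.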

To find out which AWS KMS key encrypts the EBS storage volumes, run the following command on a cluster node; the KeyId in the response identifies the key:

$ aws kms decrypt --ciphertext-blob fileb://<(cat /var/setup-devices/.encrypted-diskKey | base64 --decode) --region us-east-1
{
    "Plaintext": "4si+VyYoEXAMPLEdv691cYAv9D6AbADJ12HCjY8+H1w=",
    "KeyId": "arn:aws:kms:us-east-1:123456789012:key/3352813c-5555-5555-b319-aed1d001c3fc"
}

Published: 2018-08-14