28. Encrypted Root Device Volumes & Snapshots

i. A root device volume is basically just the hard disk that has OS on it.
ii. EBS volums that has OS on it w/o encryption when we first provision an EC2 instance.

provision EC2 instance with an unencrypted root device volume >> Snapshot [Create a snapshot of unencrypted root device volume] >> Copy of Snapshot [While copying we can encrypt root device volume] >> provision AMI from copied snapshot [create image] >> Launch EC2 instance as encrypted root device volume.
i. Create a snapshot of unencrypted root device volume.
ii. Create a copy of snapshot & select encrypt option
iii. Create an AMI from encrypted snapshot
iv. Use that AMI to launch new encrypted instances.

i. While creating EC2 instance in Step 4: Add Storage, we find encryption & we can select encryption while creation as well.
ii. Snapshots of encrypted volumes are encrypted automatically
iii. Volumes restored from encrypted snapshots are encrypted automatically
iv. We can share snapshots only if they are unencrypted
v. These snapshots can be shared with other AWS accounts or made public but they have to be unencrypted
vi. We can encrypt root device volumes upon creation of EC2 instances.