Welcome to the Nexton Blog | Nexton

How to Encrypt your Data at Rest using Docker and AWS Elastic Beanstalk

Written by Fabricio Pautasso | Oct 6, 2020 7:00:00 AM

When developing a healthcare application, one of the regulations that will come into play is HIPAA. Its Security Rule treats encryption of electronic PHI at rest as an addressable safeguard: in practice you either encrypt the data or document why an equivalent alternative is reasonable and appropriate, and encrypting it is by far the simpler answer to give an auditor.

In this post, we will go through how to encrypt our data at rest when running an application on an AWS Elastic Beanstalk environment using Docker.

Problem

Our dockerized application is deployed to an Elastic Beanstalk environment where the EBS volumes attached to the EC2 instances running the containers are not encrypted.

Solution

There are several tutorials on how to enable encryption on a new EBS volume attached to an EC2 instance, for example:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

https://cloudacademy.com/blog/how-to-encrypt-an-ebs-volume-the-new-amazon-ebs-encryption/

The issue we faced with these approaches is that, because we are using Docker, encrypting the EBS volume of the EC2 instance only covers the root volume (/dev/xvda). The additional volume that is created for Docker when the container is deployed (/dev/xvdcz) is left unencrypted, and that is precisely where the container images and writable layers live.

To fix the problem, follow these steps:

  1. Log in to the AWS Management Console and go to the EC2 section.
  2. EC2 Dashboard → Settings.
  3. Select Always encrypt new EBS volumes and save the changes. This setting is per account and per region, so make sure you are in the region where your environment runs. It uses the AWS managed key (aws/ebs) unless you pick a customer managed KMS key on the same page.

  4. Go to the Elastic Beanstalk section and choose the application/environment you want to encrypt.
  5. Click Actions → Rebuild Environment.

This terminates the EC2 instance that is running your dockerized application, together with its volumes, and creates a new instance on which every volume created or attached, including /dev/xvdcz, is encrypted. Confirm it under EC2 → Volumes by filtering on the new instance ID: both /dev/xvda and /dev/xvdcz should show as encrypted.

  6. Go back to EC2 → EC2 Dashboard → Settings.
  7. Disable the default encryption you enabled in step 3, if you do not want it applied to the whole account.

Be aware of what step 7 means: with the default turned off again, any instance that Auto Scaling launches later (a scale-out, or a replacement after a failed health check) gets an unencrypted Docker volume, and you will have to repeat the procedure. Leaving the default enabled is the safer choice; it has no effect on volumes that already exist.
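The same procedure driven from the AWS CLI, with the verification step the console walkthrough lacks, as an added example that is not part of the original post. It assumes AWS CLI v2 with credentials for the account and the environment name supplied in a variable called EB_ENV_NAME (a name chosen for this script, not an Elastic Beanstalk convention); the device names are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): EBS encryption-by-default plus an
# Elastic Beanstalk rebuild, then a check that every volume on every instance in
# the environment is encrypted. Assumes AWS CLI v2 with credentials, and the
# environment name in EB_ENV_NAME (hypothetical variable name for this script).
set -eu

# check_all_encrypted reads lines of the form "<device>\t<True|False>", which is
# what the describe-volumes query below prints, and exits 0 only when every
# attached volume is encrypted. Empty input is also a failure: "no volumes
# found" usually means the instance filter was wrong, not that all is well.
check_all_encrypted() {
    awk '
        BEGIN { FS = "\t"; bad = 0 }
        $2 != "True" { print "UNENCRYPTED: " $1; bad = 1 }
        END {
            if (NR == 0) { print "no volumes found"; exit 2 }
            exit bad
        }'
}

# list_env_volumes prints "<device>\t<Encrypted>" for every EBS volume attached
# to the instances currently in the Elastic Beanstalk environment.
list_env_volumes() {
    env_name="$1"
    ids=$(aws elasticbeanstalk describe-environment-resources \
        --environment-name "$env_name" \
        --query 'EnvironmentResources.Instances[].Id' --output text | tr '\t' ',')
    aws ec2 describe-volumes \
        --filters "Name=attachment.instance-id,Values=$ids" \
        --query 'Volumes[].[Attachments[0].Device,Encrypted]' --output text
}

if [ -n "${EB_ENV_NAME:-}" ]; then
    # Step 1: turn on EBS encryption by default. This is per account *and* per
    # region (the one the CLI is configured for), so run it where the
    # environment lives. The default key is aws/ebs unless you change it with
    # `aws ec2 modify-ebs-default-kms-key-id`.
    aws ec2 enable-ebs-encryption-by-default >/dev/null
    aws ec2 get-ebs-encryption-by-default

    # Step 2: rebuild so the instance, and with it /dev/xvda and /dev/xvdcz,
    # is recreated under the new default, then wait for the environment to settle.
    aws elasticbeanstalk rebuild-environment --environment-name "$EB_ENV_NAME"
    aws elasticbeanstalk wait environment-updated --environment-names "$EB_ENV_NAME"

    # Verify: the script fails here if any volume, on any instance, is unencrypted.
    list_env_volumes "$EB_ENV_NAME" | check_all_encrypted

    # Step 3 of the post (disable the default again) is deliberately not run:
    # with it off, the next scale-out or instance replacement would get an
    # unencrypted /dev/xvdcz again. If you really want that:
    #   aws ec2 disable-ebs-encryption-by-default
fi
```

Run it as `EB_ENV_NAME=my-env sh encrypt-eb.sh` from a shell whose AWS region matches the environment. The check is kept as a separate function reading stdin so it can also be pointed at the output of describe-volumes for any other instance, and so it can be exercised without AWS access.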