Kubernetes & Kops: Make Your Own Encrypted Debian AMI

Kops is the most popular way to install Kubernetes on AWS in a highly available setup. Debian is the preferred Linux distribution for kops, which is somewhat annoying when you consider that CoreOS is the preferred container Linux.

Moreover, the Debian AMI for kops is custom-built: not only the OS itself but also the kernel. The AMIs are marked public, so you can easily reuse them. As soon as you want to encrypt your images, however, you need access to the underlying snapshot, which is not public at the moment.

You can either launch an EC2 instance from the AMI and encrypt its snapshot, or use kube-deploy to build your own image the same way kops does.

Clone the kube-deploy repo, configure your AWS credentials and run the following steps in the kube-deploy folder:

# comment out the imagebuilder call in this file before running it
./hack/setup.sh

# be careful not to overwrite your key at id_rsa!
ssh-keygen -t rsa -b 2048 -f "$(pwd)/.ssh/id_rsa" -C "${USER}@${HOSTNAME}" -N ""

# register the public key with EC2 (file:// followed by the absolute path)
aws ec2 import-key-pair --key-name "id_rsa" --public-key-material "file://$(pwd)/.ssh/id_rsa.pub"

# build inside a Go container; AWS credentials and SSH keys are mounted read-only
docker run --rm -ti \
  -v "$PWD":/usr/local/go/src/k8s.io/kube-deploy/imagebuilder \
  -w /usr/local/go/src/k8s.io/kube-deploy/imagebuilder \
  -v "$HOME/.aws":/root/.aws:ro \
  -v "$HOME/.ssh":/root/.ssh:ro \
  golang:1.8 bash

In the container that starts, run:

make
export AWS_REGION=$(aws configure get region)
imagebuilder --config=aws.yaml --replicate=false

Wait for the build to finish, then proceed with the follow-up post, AMIs with Encrypted Snapshots.
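Before handing the freshly built AMI to kops, it is worth checking that it is not public and that every EBS snapshot behind it is encrypted. The following is an added example (not code from this post or from kube-deploy) that runs that check over the JSON shape returned by `aws ec2 describe-images` and builds the `aws ec2 copy-image` call for an encrypted private copy; the sample response and all AMI, snapshot and key IDs are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-images --image-ids ...`
SAMPLE_DESCRIBE_IMAGES = json.loads("""
{"Images": [
  {"ImageId": "ami-00000000000000001", "Name": "k8s-debian-jessie-built",
   "Public": true,
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda",
      "Ebs": {"SnapshotId": "snap-00000000000000001", "Encrypted": false}}]},
  {"ImageId": "ami-00000000000000002", "Name": "k8s-debian-jessie-encrypted",
   "Public": false,
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda",
      "Ebs": {"SnapshotId": "snap-00000000000000002", "Encrypted": true}},
     {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]}
]}
""")

def audit_image(image):
    """Return a list of findings; an empty list means the AMI passes."""
    findings = []
    if image.get("Public"):
        findings.append("image is public")
    for mapping in image.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs is None:  # instance-store mapping, nothing to encrypt
            continue
        if not ebs.get("Encrypted", False):
            findings.append("%s (%s) is not encrypted"
                            % (mapping["DeviceName"], ebs.get("SnapshotId", "?")))
    return findings

def audit_all(describe_images_output):
    """Map ImageId -> findings for every image in a describe-images response."""
    return {img["ImageId"]: audit_image(img)
            for img in describe_images_output["Images"]}

def encrypted_copy_command(source_image_id, region, kms_key_id, name):
    """argv for `aws ec2 copy-image` that produces an encrypted, private copy."""
    return ["aws", "ec2", "copy-image", "--source-image-id", source_image_id,
            "--source-region", region, "--name", name,
            "--encrypted", "--kms-key-id", kms_key_id]

if __name__ == "__main__":
    for image_id, findings in audit_all(SAMPLE_DESCRIBE_IMAGES).items():
        print(image_id, "OK" if not findings else "; ".join(findings))
```

With boto3, pass `ec2.describe_images(ImageIds=[...])` to `audit_all` instead of the constructed sample.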

About Grischa Ekart

Follow me on Twitter: @gekart. I am a trainer and consultant for AWS, Docker, Kubernetes, Machine Learning and all things DevOps.