
In my scenario, I have some old EBS volumes that are not encrypted. To satisfy new corporate security measures, all data needs to be encrypted, so I need to compile a plan to encrypt the unencrypted volumes in the least disruptive way (ideally with no downtime).

Can anyone suggest the best way to accomplish this?

1 Answer

Here are the steps to encrypt an EBS volume:

  • Create an IAM KMS encryption key
  • Create a snapshot of the root volume
  • Copy the snapshot, enabling the encryption option
  • Create a new encrypted volume from the encrypted snapshot
  • Detach the existing volume and replace it with the encrypted volume

For more information you can read this article.

Romeo Ninov
  • Just to understand: click on the unencrypted snapshot, pull down to Copy, and click the Encrypt button to encrypt the copy. Then stop the instance, detach the existing volume and replace it with the encrypted volume, right? – samtech 2021 Apr 04 '22 at 06:34
  • @samtech2021, yes, from the snapshot you can create an encrypted volume. – Romeo Ninov Apr 04 '22 at 06:47
  • Just to be pedantic, is there any procedure to perform it with no downtime (unencrypted EBS volumes to be encrypted)? What is the advice for performing the task on more than 100 EBS volumes? – samtech 2021 Apr 04 '22 at 06:55
  • @samtech2021, AFAIK no. I did this research some time ago (I was in a similar situation). But if your machines are behind a load balancer you can create a new EC2 instance with an encrypted disk, start it, attach it to the LB, then detach the old one. – Romeo Ninov Apr 04 '22 at 07:02
  • Just wanted to know, are there any guides/documentation available for the volumes of ALB-attached instances? – samtech 2021 Apr 04 '22 at 09:38
  • IMHO ALBs are services managed by Amazon and you do not have access to volumes there. – Romeo Ninov Apr 04 '22 at 10:03
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/135291/discussion-between-samtech-2021-and-romeo-ninov). – samtech 2021 Apr 04 '22 at 10:50
  • There does not appear to be a way to do this without downtime. For more than 100 EBS volumes, you could script the process because every step can be performed using the APIs. – Tim P Apr 04 '22 at 14:46
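Scripting the answer's five steps for the 100-plus-volume case raised in the comments, as an added example that is not code from the answer or from AWS: a Python function shaped around the boto3 EC2 client that stops the attached instance, snapshots the volume, makes the encrypted copy, creates the replacement volume, verifies its `Encrypted` flag before touching the instance, and swaps it in at the same device name. Assumed: the KMS key (`kms_key_id`) already exists, the caller passes a `boto3.client("ec2")` for the region, and the stop-before-snapshot ordering and function names are mine.

```python
def encrypt_volume(ec2, region, volume_id, kms_key_id):
    """Replace an unencrypted EBS volume with a KMS-encrypted copy; return the new id.

    ec2 is a boto3 EC2 client (any object with the same method names works).
    """
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol["Encrypted"]:
        return volume_id  # idempotent, so a fleet run can be repeated safely
    attachments = vol.get("Attachments", [])
    instances = sorted({a["InstanceId"] for a in attachments})

    # Stop first: the snapshot is point-in-time, so writes landing after it
    # would be lost at the swap. This is the unavoidable downtime.
    if instances:
        ec2.stop_instances(InstanceIds=instances)
        ec2.get_waiter("instance_stopped").wait(InstanceIds=instances)

    # 1. snapshot of the unencrypted volume
    snap = ec2.create_snapshot(VolumeId=volume_id, Description=f"pre-encrypt {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])

    # 2. copy it: the copy is where the KMS key gets applied
    enc_snap = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=snap,
                                 Encrypted=True, KmsKeyId=kms_key_id)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])

    # 3. new volume in the same AZ; verify the flag before touching the instance
    new_vol = ec2.create_volume(SnapshotId=enc_snap, AvailabilityZone=vol["AvailabilityZone"],
                                VolumeType=vol["VolumeType"], Encrypted=True, KmsKeyId=kms_key_id)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])
    if not ec2.describe_volumes(VolumeIds=[new_vol])["Volumes"][0]["Encrypted"]:
        raise RuntimeError(f"{new_vol} came back unencrypted; aborting before the swap")

    # 4. swap at the same device name, then bring the instance back up
    for att in attachments:
        ec2.detach_volume(VolumeId=volume_id, InstanceId=att["InstanceId"])
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new_vol, InstanceId=att["InstanceId"], Device=att["Device"])
        ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol])
    if instances:
        ec2.start_instances(InstanceIds=instances)
    return new_vol


def encrypt_all_unencrypted(ec2, region, kms_key_id):
    """Fleet version (the '100+ volumes' case): map old volume id -> new volume id."""
    flt = [{"Name": "encrypted", "Values": ["false"]}]
    unenc = ec2.describe_volumes(Filters=flt)["Volumes"]
    return {v["VolumeId"]: encrypt_volume(ec2, region, v["VolumeId"], kms_key_id) for v in unenc}
```

Run it as `encrypt_all_unencrypted(boto3.client("ec2", region_name="eu-west-1"), "eu-west-1", "<kms-key-id>")`; the old volumes and the plaintext snapshots are left in place so they can be deleted once the instances are confirmed healthy.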