0

Is it possible to use a custom encryption key for EBS data volumes using Packer? kms_key_id is only used for the encryption of the boot volume. How can we encrypt block device mappings (data EBS volumes)?

Daniel Mann
Buvin Perera

1 Answer

1

Unfortunately that doesn't seem to be supported by AWS. See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html and http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html

As a workaround you can prepare a CMK-encrypted (empty) snapshot and attach that in your device mapping block in Packer. That should give you a snapshot encrypted with the KMS key you want.

Rickard von Essen
  • I would love to see an example of that. I am running into an issue where I want to create an AMI with attached volumes where the volumes are encrypted with different KMS keys. I created snapshots of EBS volumes I want to attach and get "InvalidBlockDeviceMapping: snapshotId can only be modified on EBS devices" when I try to use them in launch_block_device_mappings. – Starlton Nov 01 '18 at 07:48
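
The snapshot-preparation half of the workaround in the answer above, as an added example that is not part of the original answer or comment: it creates an empty volume encrypted with the chosen KMS key, snapshots it, and checks the key recorded on the snapshot before printing the ID. The function name, script name and arguments are assumptions; the printed ID is what would go in `snapshot_id` of the data volume's entry in the Packer device mapping.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. Assumes a configured AWS CLI
# and that KMS_KEY is a key ID or key ARN (not an alias).

# make_encrypted_snapshot KMS_KEY AVAILABILITY_ZONE [SIZE_GIB]
# Prints the ID of an empty snapshot encrypted with KMS_KEY.
make_encrypted_snapshot() {
  local kms_key az size vol snap got
  kms_key="$1"; az="$2"; size="${3:-1}"
  if [ -z "$kms_key" ] || [ -z "$az" ]; then
    echo "usage: make_encrypted_snapshot KMS_KEY AZ [SIZE_GIB]" >&2
    return 2
  fi

  # 1. Empty volume encrypted with the customer managed key.
  vol=$(aws ec2 create-volume --encrypted --kms-key-id "$kms_key" \
        --availability-zone "$az" --size "$size" --volume-type gp2 \
        --query VolumeId --output text) || return 1
  aws ec2 wait volume-available --volume-ids "$vol" || return 1

  # 2. Snapshot it; the snapshot inherits the volume's key.
  snap=$(aws ec2 create-snapshot --volume-id "$vol" \
         --description "empty CMK-encrypted seed snapshot" \
         --query SnapshotId --output text) || return 1
  aws ec2 wait snapshot-completed --snapshot-ids "$snap" || return 1

  # 3. The temporary volume is no longer needed.
  aws ec2 delete-volume --volume-id "$vol" >/dev/null || return 1

  # 4. Confirm the key actually recorded on the snapshot before handing it
  #    to a build. An unencrypted snapshot reports "None" here.
  got=$(aws ec2 describe-snapshots --snapshot-ids "$snap" \
        --query 'Snapshots[0].KmsKeyId' --output text) || return 1
  case "$got" in
    *"$kms_key") ;;
    *) echo "snapshot $snap uses key '$got', expected '$kms_key'" >&2
       return 1 ;;
  esac
  printf '%s\n' "$snap"
}

# Run only when called with arguments, e.g.:
#   ./seed-snapshot.sh <kms-key-id> <availability-zone>
if [ "$#" -ge 2 ]; then
  make_encrypted_snapshot "$@"
fi
```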