Score:5

Server

AWS Root volume Encryption

samtech 2021

8/3/23, 6:58 AM

In my scenario, I have some old EBS volumes that are not encrypted. To satisfy new corporate security measures, all data needs to be encrypted so I need to compile a plan to encrypt the unencrypted in the least disruptive way (Ideally with no downtime)?

Can anyone suggest What is the best way to accomplish this?

215

0 + 0

encryption

amazon-ec2

amazon-ebs

amazon-web-services

aws-cli

Score:5

Server

Romeo Ninov

8/3/23, 9:22 AM

Here are the steps to encrypt EBS volume:

Create IAM KMS encryption key
Create snapshot of the root volume
Copy a snapshot which enables the encrypting option
Create a new Encrypted volume from an encrypted snapshot
Detach the existing volume and replace it with the Encrypted volume

For more information you can read this article.

0 + 0

samtech 2021

8/4/23, 6:34 AM

just to understand, Click on the unencrypted snapshot, pull down to copy, and click the encrypt button to encrypt the copy. stop the instance & Detach the existing volume and replace it with the Encrypted volume right?

Romeo Ninov

8/4/23, 6:47 AM

@samtech2021, yes, from snapshot you can create encrypted volume.

samtech 2021

8/4/23, 6:55 AM

Just to be pedantic, is there any procedure to perform it with no downtime (Unencrypt EBS volumes to be Encrypted)? What is the advice for more than 100 of EBS volumes to perform the task?

Romeo Ninov

8/4/23, 7:02 AM

@samtech2021, AFAIK no. I do this research some time ago (was on similar situation). But if your machines are behind a loadbalancer you can create new EC2 with encrypted disk, start it, attache to LB, then deattach old one.

samtech 2021

8/4/23, 9:38 AM

Just wanted to know, Is there any guides/documentation available for the ALB attached instances volumes?

Romeo Ninov

8/4/23, 10:03 AM

IMHO ALB are services, managed by Amazon and you do not have access to volumes there

samtech 2021

8/4/23, 10:50 AM

Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/135291/discussion-between-samtech-2021-and-romeo-ninov).

Tim P

8/4/23, 2:46 PM

There does not appear to be a way to do this without downtime. For more than 100 EBS volumes, you could script the process because every step can be performed using the APIs.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: AWS Root volume Encryption

TH: การเข้ารหัส AWS Root Volume

RO: Criptare volum AWS Root

RU: Шифрование корневого тома AWS

VI: Mã hóa khối lượng gốc AWS

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.