AWS — How to encrypt an existing unencrypted EBS volume
An existing unencrypted volume and the data it contains may not be encrypted. Let us see 2 options to encrypt it.
Option 1: EBS Snapshot
- Create Snapshot of your unencrypted volume
- When the snapshot is complete, create a “Copy” of your snapshot and remember to enable ‘Encryption’.
- Select the CMK for KMS to use as required
- Create a new volume from the newly created snapshot
- As the snapshot is encrypted, the volume created from this snapshot will also be encrypted
Bonus: EBS fast snapshot restore
A volume restored from snapshot has to be initialised first. You can read more about EBS initialisation here.
So enable EBS fast snapshot restore option for the snapshot from which you create the new volume, to avoid the initialisation steps.
Option 2: rsync (Linux)
This option works only in Linux and “rsync” utility is a pre-requisite.
- Create a new empty encrypted EBS volume with KMS key of your choice.
- Attach the new EBS to the same ec2 or another Linux ec2.
- Run rsync from old unencrypted volume to the new encrypted volume.
#from different ec2 (both ec2 must have “rsync”)
nohup rsync -avz user1@oldhost:/var/lib/unencryptyed_volume /var/lib/encrypted_volume &
#from same ec2 (with option “ — inplace” and without “-z” i.e no compression as it uses more cpu and usually needed only on slow network)
nohup rsync -av — inplace /var/lib/unencryptyed_volume /var/lib/encrypted_volume &
Please note that we run it with “nohup” in prefix and “&” in suffix, so that the command runs even if the ssh session gets disconnected and in the background respectively.
- This can be done when the unencrypted volume is being updated too. Just trigger rsync again once the previous iteration of rsync is completed. The rsync utility takes incremental backup, so only new data is copied.
- Stop the updates to the unencrypted volume and run rsync for one last time.
- Replace old volume with the new encrypted volume.
- You can choose to delete your old unencrypted volume.
Cheers, VN.
