26

I have a number of older EBS volumes that are not encrypted. In satisfying new corporate security measures, all data needs to be "encrypted at rest" so I need to convert all of the volumes to be encrypted.

What is the best way to accomplish this?

Gray

2 Answers

46

It's possible to copy an unencrypted EBS snapshot to an encrypted EBS snapshot. So the following process can be used:

  1. Stop your EC2 instance.
  2. Create an EBS snapshot of the volume you want to encrypt.
  3. Copy the EBS snapshot, encrypting the copy in the process.
  4. Create a new EBS volume from your new encrypted EBS snapshot. The new EBS volume will be encrypted.
  5. Detach the original EBS volume and attach your new encrypted EBS volume, making sure to match the device name (/dev/xvda1, etc.).
Matt Houser
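Steps 2 to 4 of the answer above driven through the EC2 API, as an added example that is not part of either answer: `encrypt_volume` assumes a boto3 EC2 client (`boto3.client("ec2")`) or anything with the same methods, `kms_key_id` is a parameter name chosen here (leaving it unset uses the account's default EBS key, as the second answer does), and `FakeEc2` is a constructed in-memory stand-in so the example runs offline.

```python
def encrypt_volume(ec2, volume_id, region, kms_key_id=None):
    """Steps 2-4 of the accepted answer (snapshot, encrypted copy, new volume); the
    caller stops the instance first (step 1) and swaps the volumes after (step 5)."""
    src = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if src["Encrypted"]:
        raise ValueError(f"{volume_id} is already encrypted")
    # Step 2: snapshot the unencrypted volume; this snapshot is still unencrypted.
    snap = ec2.create_snapshot(VolumeId=volume_id, Description=f"from {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    # Step 3: copy with Encrypted=True; KmsKeyId picks a customer key, else the default EBS key.
    args = dict(SourceRegion=region, SourceSnapshotId=snap, Encrypted=True)
    if kms_key_id:
        args["KmsKeyId"] = kms_key_id
    enc = ec2.copy_snapshot(**args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc])
    # Step 4: a volume from an encrypted snapshot is encrypted; same AZ/type/size as the original.
    vol = ec2.create_volume(AvailabilityZone=src["AvailabilityZone"], SnapshotId=enc,
                            VolumeType=src["VolumeType"], Size=src["Size"])["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[vol])
    # Confirm the flag before anyone detaches the original volume.
    if not ec2.describe_volumes(VolumeIds=[vol])["Volumes"][0]["Encrypted"]:
        raise RuntimeError(f"{vol} is not encrypted")
    return snap, enc, vol


class FakeEc2:
    """Constructed stand-in (not AWS) so this runs offline; a volume is encrypted iff its snapshot is."""
    def __init__(self):
        self.n, self.snaps = 0, {}
        self.vols = {"vol-0unencrypted": {"Encrypted": False, "Size": 16,
                                         "AvailabilityZone": "us-east-1a", "VolumeType": "gp2"}}
    def _new(self, prefix):
        self.n += 1
        return f"{prefix}-{self.n:04x}"
    def describe_volumes(self, VolumeIds):
        return {"Volumes": [dict(self.vols[v], VolumeId=v) for v in VolumeIds]}
    def create_snapshot(self, VolumeId, Description=""):
        s = self._new("snap")
        self.snaps[s] = self.vols[VolumeId]["Encrypted"]
        return {"SnapshotId": s}
    def copy_snapshot(self, SourceRegion, SourceSnapshotId, Encrypted=False, KmsKeyId=None):
        s = self._new("snap")
        self.snaps[s] = Encrypted or self.snaps[SourceSnapshotId]
        return {"SnapshotId": s}
    def create_volume(self, AvailabilityZone, SnapshotId, VolumeType, Size):
        v = self._new("vol")
        self.vols[v] = {"Encrypted": self.snaps[SnapshotId], "Size": Size,
                        "AvailabilityZone": AvailabilityZone, "VolumeType": VolumeType}
        return {"VolumeId": v}
    def get_waiter(self, name):  # real waiters poll AWS; nothing to wait for here
        return type("Waiter", (), {"wait": lambda self, **kw: None})()
```

Against a real client the same call runs the snapshot, copy and create steps and raises if the resulting volume is not flagged encrypted, so the original is never detached on a bad result.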
1

[[ This is not the right answer and not how we do things now but I'll leave this here in case anyone else finds some utility to doing it the "hard way". ]]

The following process worked well for us to convert our existing EBS volumes to be encrypted volumes.

  • Create a volume of the same exact size and in the same availability zone as the unencrypted volume but with encryption enabled. If the old volume is named "XYZ", name the new volume as "New XYZ" so you don't lose track of it. We are using the default AWS encryption keys but there are other options in the EBS docs.
  • Boot a temporary Linux instance as the converter machine into the same availability zone as the volume. Really any size of instance will do, although EBS-optimized instances may complete the migration faster.
  • Shut down the instance with the current unencrypted volume.
  • Detach the unencrypted volume from the instance.
  • Attach the unencrypted volume to the converter instance. Watch the device that the attach dialog says it is mounting as. The first additional volume should be something like /dev/sdf.
  • Attach the new encrypted volume that you just created also to the converter instance. The second additional volume will probably be /dev/sdg.
  • Log into the converter instance as root or as a user with sudo access.
  • If you look at the /proc/diskstats file, at the bottom you should see something like xvdf and xvdg, which correspond to the attached additional partitions. The names may be different depending on the Linux kernel variant/version you are using. If there is any question, you can check the /proc/diskstats file before you attach to see what partitions are added.

    ...
    # root partition
    202       1 xvda1 187267 4293 12100842 481972 52550 26972 894168 156944 0 150548 ...
    # swap partition
    202      16 xvdb 342 10 2810 8 5 1 48 12 0 20 20
    # first attached drive, corresponds to /dev/xvdf
    202      80 xvdf 86 0 688 28 0 0 0 0 0 28 28
    # second attached drive, corresponds to /dev/xvdg
    202      96 xvdg 86 0 688 32 0 0 0 0 0 32 32
    
  • Run the following dd command to copy from the source unencrypted volume to the destination encrypted volume. WARNING: This command can be extremely destructive. Take your time. Check twice, cut once. Have someone look over your shoulder. These will help keep you from trashing your data. Let's be careful out there!

    # using a block-size of 16k (a guess), copy from input-file (if) to output-file (of)
    dd bs=16k if=/dev/xvdf of=/dev/xvdg
    
  • Wait for the dd command to finish and return to the command prompt. On our instances, a 16 GB disk took ~5 minutes, so you can do the math for larger ones. Your mileage may vary.
  • Detach both the unencrypted and new encrypted volumes from the converter instance.
  • Attach the new encrypted volume to the instance that was using the unencrypted volume before and boot it.
  • When it comes up do what you need to do to validate that the system looks good.
  • Rename the volume from "XYZ" to be "Old XYZ". Rename "New XYZ" to be "XYZ". Leave around the "Old XYZ" volume in case you need to revert if there were problems.
Gray