I have a number of older EBS volumes that are not encrypted. In satisfying new corporate security measures, all data needs to be "encrypted at rest" so I need to convert all of the volumes to be encrypted.
What is the best way to accomplish this?
It's possible to copy an unencrypted EBS snapshot to an encrypted EBS snapshot. So the following process can be used:
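The snapshot-copy route this answer mentions, written out with the AWS CLI as an added example; it is not the answerer's own code. The function name encrypt_volume and its arguments are assumptions, and it expects an AWS CLI with credentials already configured.

```shell
# Added example. encrypt_volume is a hypothetical helper name; the volume ID,
# region, availability zone and optional KMS key come from the caller.
# Usage: encrypt_volume VOLUME_ID REGION AZ [KMS_KEY_ID]
# Prints the ID of the new encrypted volume. The body runs in a subshell,
# so "exit" only leaves the function and its variables stay local.
encrypt_volume() (
    vol=$1 region=$2 az=$3 kms=${4:-}

    # 1. Snapshot the unencrypted source volume and wait until it completes.
    snap=$(aws ec2 create-snapshot --region "$region" --volume-id "$vol" \
        --description "pre-encryption snapshot of $vol" \
        --query SnapshotId --output text) || exit 1
    aws ec2 wait snapshot-completed --region "$region" \
        --snapshot-ids "$snap" || exit 1

    # 2. Copy the snapshot with --encrypted. Without --kms-key-id the
    #    account's default KMS key for EBS is used.
    enc_snap=$(aws ec2 copy-snapshot --region "$region" \
        --source-region "$region" --source-snapshot-id "$snap" \
        --encrypted ${kms:+--kms-key-id "$kms"} \
        --query SnapshotId --output text) || exit 1
    aws ec2 wait snapshot-completed --region "$region" \
        --snapshot-ids "$enc_snap" || exit 1

    # 3. Refuse to continue unless the copy reports Encrypted = true.
    state=$(aws ec2 describe-snapshots --region "$region" \
        --snapshot-ids "$enc_snap" \
        --query 'Snapshots[0].Encrypted' --output text) || exit 1
    case $state in
        True|true) ;;
        *) echo "snapshot $enc_snap is not encrypted" >&2; exit 1 ;;
    esac

    # 4. Build the replacement volume in the instance's availability zone.
    new_vol=$(aws ec2 create-volume --region "$region" \
        --availability-zone "$az" --snapshot-id "$enc_snap" \
        --query VolumeId --output text) || exit 1
    aws ec2 wait volume-available --region "$region" \
        --volume-ids "$new_vol" || exit 1
    echo "$new_vol"
)
```

The function leaves the original volume and the intermediate unencrypted snapshot in place, so both still hold unencrypted data until they are deleted.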
[[ This is not the right answer and not how we do things now, but I'll leave this here in case anyone else finds some utility in doing it the "hard way". ]]
The following process worked well for us to convert our existing EBS volumes to be encrypted volumes.
/dev/sdf.
/dev/sdg.
If you look at the /proc/diskstats file, at the bottom you should see something like xvdf and xvdg, which correspond to the attached additional partitions. The names may be different depending on the Linux kernel variant/version you are using. If there is any question, you can check the /proc/diskstats file before you attach to see what partitions are added.
...
# root partition
202 1 xvda1 187267 4293 12100842 481972 52550 26972 894168 156944 0 150548 ...
# swap partition
202 16 xvdb 342 10 2810 8 5 1 48 12 0 20 20
# first attached drive, corresponds to /dev/xvdf
202 80 xvdf 86 0 688 28 0 0 0 0 0 28 28
# second attached drive, corresponds to /dev/xvdg
202 96 xvdg 86 0 688 32 0 0 0 0 0 32 32
Run the following dd command to copy from the source unencrypted volume to the destination encrypted volume. WARNING: This command can be extremely destructive. Take your time. Check twice, cut once. Have someone look over your shoulder. These will help keep you from trashing your data. Let's be careful out there!
# using a block-size of 16k (a guess), copy from input-file (if) to output-file (of)
dd bs=16k if=/dev/xvdf of=/dev/xvdg