0 votes

I have an (unencrypted) EC2 instance with an instance store root volume.

Now I need to encrypt the storage on this instance.

How can I do this?

From the AWS docs, I thought I should:

  1. generate encryption key (via IAM service)
  2. take snapshot of root volume
  3. generate an encrypted volume from the snapshot
  4. stop EC2 instance
  5. detach root EBS volume
  6. attach new encrypted volume at root (/dev/sda1)
  7. start the EC2 instance

If this is correct, my concern is with step (3).

I am not sure if I can generate an encrypted volume from an instance-store snapshot.

Any help/advice is appreciated!

2
Why are you using an instance store root volume? These days it is recommended to always use EBS for volumes. - John Rotenstein

2 Answers

2 votes

Snapshots are an EBS capability - you cannot create a snapshot of an instance store volume.

You cannot stop an EC2 instance that uses an instance store root volume - they can only be terminated.

There is a mechanism to encrypt files on an instance store volume - see this link - but it's a bit of a hack.

Why can't you simply use EBS volumes?

1 votes

You cannot directly make an unencrypted volume encrypted. AWS does let you encrypt while creating a snapshot, and also lets you copy and encrypt the volume. AWS recommends doing this only on a complete volume, not on individual folders.

For the snapshot option: create a snapshot of the existing volume, copy the snapshot while applying encryption, then restore the snapshot to a new encrypted volume. This then becomes your production volume. Delete the old volume.

For the copy option: create a new encrypted destination volume, attach the original volume, and copy the data from the existing volume. The new volume is now your production volume. Delete the old volume.

The Amazon documentation has details here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html.
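The snapshot procedure from the answer above, together with the instance-store caveat from the first answer, written out as an AWS CLI script. This is an added example for this thread, not code from either poster or from AWS. It assumes the AWS CLI is installed and configured, that AWS_REGION is set, and that KMS_KEY_ID names the KMS key to use (defaulting to the account's EBS default key alias); the instance id is passed as the first argument. Two checks the question's step list does not include: the script refuses to run against an instance-store root (which cannot be snapshotted or stopped), and it reads the real root device name from the instance instead of assuming /dev/sda1, since many AMIs use /dev/xvda.

```shell
#!/usr/bin/env bash
# Added example: replace an EBS-backed instance's unencrypted root volume with an
# encrypted copy (snapshot -> encrypted snapshot copy -> new volume -> swap).
# Written for this thread; not from the posters or from AWS documentation.
# Assumptions: AWS CLI configured, AWS_REGION set, KMS_KEY_ID optionally set.
set -eu

KMS_KEY_ID="${KMS_KEY_ID:-alias/aws/ebs}"

# Query one attribute of an instance as plain text. $1 = instance id, $2 = JMESPath.
instance_attr() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query "Reservations[0].Instances[0].$2" --output text
}

# Root device type: "ebs" or "instance-store". Instance-store roots cannot be
# snapshotted or stopped, so callers must refuse to proceed.
root_device_type() {
  instance_attr "$1" 'RootDeviceType'
}

# Perform the swap. Prints the new encrypted volume id on stdout, progress on stderr.
encrypt_root_volume() {
  local instance_id="$1"
  local root_type root_dev az old_vol snap enc_snap new_vol encrypted

  root_type=$(root_device_type "$instance_id")
  if [ "$root_type" != "ebs" ]; then
    echo "refusing: root device of $instance_id is $root_type, not ebs" >&2
    return 1
  fi

  # Read the actual root device name rather than assuming /dev/sda1.
  root_dev=$(instance_attr "$instance_id" 'RootDeviceName')
  az=$(instance_attr "$instance_id" 'Placement.AvailabilityZone')
  old_vol=$(instance_attr "$instance_id" \
    "BlockDeviceMappings[?DeviceName=='$root_dev'].Ebs.VolumeId | [0]")

  echo "snapshotting $old_vol ($root_dev on $instance_id)" >&2
  snap=$(aws ec2 create-snapshot --volume-id "$old_vol" \
    --description "pre-encryption copy of $old_vol" \
    --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"

  # copy-snapshot is where encryption is applied; the source snapshot stays unencrypted.
  enc_snap=$(aws ec2 copy-snapshot \
    --source-region "${AWS_REGION:?AWS_REGION must be set}" \
    --source-snapshot-id "$snap" --encrypted --kms-key-id "$KMS_KEY_ID" \
    --description "encrypted copy of $snap" --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$enc_snap"

  # The replacement volume must live in the same AZ as the instance.
  new_vol=$(aws ec2 create-volume --snapshot-id "$enc_snap" \
    --availability-zone "$az" --volume-type gp3 \
    --encrypted --kms-key-id "$KMS_KEY_ID" --query VolumeId --output text)
  aws ec2 wait volume-available --volume-ids "$new_vol"

  # Confirm encryption before touching the running instance.
  encrypted=$(aws ec2 describe-volumes --volume-ids "$new_vol" \
    --query 'Volumes[0].Encrypted' --output text)
  if [ "$encrypted" != "True" ]; then
    echo "new volume $new_vol is not encrypted; aborting before swap" >&2
    return 1
  fi

  echo "stopping $instance_id and swapping root volume" >&2
  aws ec2 stop-instances --instance-ids "$instance_id" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance_id"
  aws ec2 detach-volume --volume-id "$old_vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$old_vol"
  aws ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance_id" \
    --device "$root_dev" >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$new_vol"
  aws ec2 start-instances --instance-ids "$instance_id" >/dev/null

  # The old volume and both snapshots are left in place for rollback; delete
  # them once the instance boots from the new volume and the data checks out.
  echo "$new_vol"
}

# Usage: ./encrypt-root.sh i-0123456789abcdef0
if [ $# -gt 0 ]; then
  encrypt_root_volume "$1"
fi
```

The stop/start cycle means downtime, and an instance-store-backed instance will be refused outright, so the only route for the original question's setup is to rebuild on an EBS-backed instance and copy the data across, as the answers suggest.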