Encrypting existing EBS volume live

0
votes

As far as I understood from AWS official documents (about EBS encryption) and other sources in the internet

These are the steps that we can encrypt an unencrypted EBS volume:

  1. Create a snapshot with encryption

  2. Create a volume from the encrypted volume

  3. Detach the old unencrypted volume

  4. Attach the newly created volume

  5. Terminal old volume

Step 1 to 4 takes some time and if there is new data added to our unencrypted volume it causes data loss (data that were inserted since we created new snapshot)

Consider this case that we have data writing to our EBS volume every second and we want to encrypt the data from now on.

How can we have 100% uptime & availability while encrypting?

1
amazon-web-servicesencryptiondevopsaws-ebs
I have a side question. If the data is so important, how do you ensure its fault-tolerance, in case the instance gets terminated or worse, the AZ will go down and you loose the volume? Snapshot only allow for point-in-time backups, not continuous one when data is written every second.Marcin
How about configuring RAID 1 for fault-tolerance and availability? Is it possible to switch to encrypted EBS volume with RAID 1 help?Mohammad Moallemi
EBS volumes have AZ scope only. So you won't have fault-tolerance in case the AZ goes down nor high-availability of the data. RAID 1 will not help with that because second volume will be in the same AZ. But returning to your question, I don't know how you to enable encryption with 100% uptime. You could maybe minimize downtime by using a temporary volume, while the primary is being encrypted.Marcin
What I truly want to achieve is keeping the data that is newly written to the old volume while the new one is being encrypted, is there any way to resync the new one with the ole one's changes?Mohammad Moallemi
This would have to be done from your side, with tools such as rsync. I'm not aware of any AWS provided service/tool which could "merge" data on two EBS volumes.Marcin

1 Answers

0
votes

It all depends on what you store in your EBS, I recommend that you create a catalog of objects written in your EBS, this catalog is saved in the same EBS and in an external database (dynamo), when you generate the copy of the EBS to generate one Encrypted, this copy will have a catalog of objects written in it until the moment the copy is generated, then when mounting it, it consults the external catalog and with a script synchronizes it using the objects of the old EBS. Once the two are in sync, you can make the switch.