Sep 19, 2018

Encrypting Root EBS Volumes for AWS Deployments

To encrypt your root volume, follow one of the following methods:


Method 1:

Step 1: Create an AMI from an existing instance:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html#how-to-create-ebs-ami

Step 2: Once the AMI has been created, create a copy of the AMI with encryption enabled for the target EBS snapshot:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html#ami-copy-encryption

Step 3: Launch an instance from the newly created encrypted AMI:
https://aws.amazon.com/premiumsupport/knowledge-center/launch-instance-custom-ami/
You will see the root volume showing as encrypted.


Method 2:

Step 1: Stop the instance (select instance > Actions > Instance State > Stop).

Step 2: Create a snapshot of your existing root volume:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html
or go to the Volumes page > choose the root volume > Actions > Create Snapshot.

Step 3: Once the snapshot has been created, copy it (snapshot > Actions > Copy) and enable encryption in the process (check "Encrypt this snapshot").

Step 4: Once the encrypted copy of the root volume snapshot has been created, create a new volume from it (the new volume will in turn be encrypted):
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html

Step 5: Detach the old root volume.

Step 6: Attach the new encrypted root volume created from the encrypted snapshot copy.

Step 7: Start the instance again.
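
Method 2 can also be scripted with the AWS CLI. The following is an added example, not part of the original article: the function name encrypt_root_volume and its arguments are illustrative, and it assumes configured credentials and a gp2/gp3/standard root volume. Beyond the steps above, it confirms that the new volume reports as encrypted before the original is detached, and it reuses the original availability zone and root device name, which the replacement volume must match.

```shell
# encrypt_root_volume INSTANCE_ID REGION [KMS_KEY_ID]   (hypothetical helper name)
# Prints the new encrypted volume ID. The old volume and both snapshots are kept for rollback.
# Assumes a gp2/gp3/standard root volume (io1/io2 would also need --iops).
encrypt_root_volume() {
  iid=$1 region=$2 key=${3:-}
  ec2() { aws ec2 "$@" --region "$region" --output text; }

  # Step 1: stop the instance and wait for the stopped state.
  ec2 stop-instances --instance-ids "$iid" >/dev/null || return 1
  ec2 wait instance-stopped --instance-ids "$iid" || return 1

  # Locate the root volume; the replacement must use the same AZ and device name.
  dev=$(ec2 describe-instances --instance-ids "$iid" \
        --query 'Reservations[0].Instances[0].RootDeviceName') || return 1
  set -- $(ec2 describe-volumes \
        --filters "Name=attachment.instance-id,Values=$iid" "Name=attachment.device,Values=$dev" \
        --query 'Volumes[0].[VolumeId,AvailabilityZone,VolumeType]')
  [ $# -eq 3 ] || return 1
  old=$1 az=$2 vtype=$3

  # Step 2: snapshot the existing root volume.
  snap=$(ec2 create-snapshot --volume-id "$old" --description "pre-encryption $iid" --query SnapshotId) || return 1
  ec2 wait snapshot-completed --snapshot-ids "$snap" || return 1

  # Step 3: copy the snapshot with encryption (default EBS key unless KMS_KEY_ID is given).
  enc=$(ec2 copy-snapshot --source-region "$region" --source-snapshot-id "$snap" \
        --encrypted ${key:+--kms-key-id "$key"} --query SnapshotId) || return 1
  ec2 wait snapshot-completed --snapshot-ids "$enc" || return 1

  # Step 4: create the encrypted volume and verify it before touching the original.
  new=$(ec2 create-volume --snapshot-id "$enc" --availability-zone "$az" \
        --volume-type "$vtype" --query VolumeId) || return 1
  ec2 wait volume-available --volume-ids "$new" || return 1
  [ "$(ec2 describe-volumes --volume-ids "$new" --query 'Volumes[0].Encrypted')" = "True" ] \
    || return 1

  # Steps 5-7: detach the old root volume, attach the new one, start the instance.
  ec2 detach-volume --volume-id "$old" >/dev/null || return 1
  ec2 wait volume-available --volume-ids "$old" || return 1
  ec2 attach-volume --volume-id "$new" --instance-id "$iid" --device "$dev" >/dev/null || return 1
  ec2 start-instances --instance-ids "$iid" >/dev/null || return 1
  echo "$new"
}
```

A volume attached this way has DeleteOnTermination set to false, so change that attribute if the volume should be removed together with the instance.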