4 Answers
Hi Chris,
Thanks for pointing this out. Yes, I got ahead of myself in the lecture and omitted the encrypted snap step. You are correct. You have to copy a snap to another snap with the encryption setting ticked (and KMS key selected), and then you can use that new encrypted snap to create a new volume. I’ll add that to my edits.
–Scott
The video is correct. You CAN restore an unencrypted snapshot DIRECTLY to an encrypted volume; go try it yourself.
From the Snapshot -> Create Volume console, "To create an encrypted volume, select the Encrypted box and choose the master key you want to use when encrypting the volume. Volumes that are created from encrypted snapshots are automatically encrypted, and volumes that are created from unencrypted snapshots are automatically unencrypted. if you wish to encrypt volume from unencrypted snapshot then check mark Encryption".
I disagree: you cannot create an encrypted volume from an unencrypted snapshot. I’ve just tested that right now; the volume you create from an unencrypted snapshot is set to unencrypted and you cannot change that.
It seems that you can now. I just tested it again, and I’ve been able to restore an encrypted EBS volume from an unencrypted snapshot. In the console, the "Encryption" tick box is now enabled. I suspect a feature update.
The only way to create an encrypted volume from the unencrypted snapshot is:
- copy the unencrypted snapshot to the same region (volumes are per AZ, but snapshots are per region), ticking "Encrypt this snapshot";
- then create the volume from that copied snapshot.
The doco from OP’s URL states it is possible and I can confirm that it does work as I just tried it.
Specifically:
(1) Create unencrypted volume;
(2) Create unencrypted snapshot of unencrypted volume;
(3) Create new volume from unencrypted snapshot, ticking "encrypted" box and selecting the encryption key (CMK);
(4) Encrypted volume is created successfully from unencrypted snapshot.
Vote +1 for this process.
I confirm this is now working indeed. Could that be some update in AWS services?
Does it need to be KMS? I wonder about SSE-S3. I’m wondering about sharing encrypted AMIs within a big organization with different accounts and a footprint in different regions. KMS would make it impossible, as it is locked to a region. Maybe automated pipelines for generating, sharing and copying AMIs that would be encrypted at the destination? At least until AWS agrees to sharing secrets across regions (which probably won’t happen, as it would make KMS hardware key management useless).
This was a big headache for us trying to set up DR with Cloud Protection Manager (the region specificity), but fortunately the application handles it now. I think we are using an automated solution to share AMIs, though. I’ll respond again if I have more info.
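Both procedures discussed in the thread (copy the snapshot with encryption ticked, then create the volume; or, with the newer console behaviour, tick "Encrypted" directly when creating the volume) can be scripted with boto3, and either way the result should be verified rather than assumed, since the thread shows the tick box was ignored at one point. The block below is an added example, not code from any poster or from AWS; the snapshot, key ARN, region and AZ values are constructed placeholders, and because KMS keys are regional, the key must live in the destination region (which is also why the copy path is the one that works across regions).

```python
# Constructed sample of one entry from describe_volumes()["Volumes"] (not real data).
SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SAMPLE_VOLUME = {"VolumeId": "vol-0123456789abcdef0", "Encrypted": True,
                 "KmsKeyId": SAMPLE_KEY, "SnapshotId": "snap-0123456789abcdef0"}


def volume_is_encrypted_with(volume, kms_key_arn):
    """Pure check over a describe_volumes() entry: the volume must be encrypted AND
    bound to the expected key. EC2 reports KmsKeyId as the full key ARN, so compare
    against the ARN even if an alias or bare key id was passed at creation time.
    Returns (ok, reason) so a caller can log why a volume failed the check."""
    if not volume.get("Encrypted"):
        return False, f"{volume.get('VolumeId')} is not encrypted"
    if volume.get("KmsKeyId") != kms_key_arn:
        return False, (f"{volume.get('VolumeId')} uses {volume.get('KmsKeyId')!r}, "
                       f"expected {kms_key_arn!r}")
    return True, "ok"


def encrypted_volume_from_snapshot(source_snapshot_id, source_region, dest_region,
                                   kms_key_arn, availability_zone, copy_first=True):
    """Create a volume encrypted under kms_key_arn from an unencrypted snapshot.

    copy_first=True  : copy the snapshot with Encrypted=True (works across regions;
                       the key must live in dest_region because KMS keys are regional),
                       then create the volume from the encrypted copy.
    copy_first=False : the direct path, create_volume(Encrypted=True) straight from
                       the unencrypted snapshot (same region only).
    Either way the result is verified with volume_is_encrypted_with() before returning.
    """
    import boto3  # imported here so the pure check above runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=dest_region)
    snapshot_id = source_snapshot_id
    if copy_first:
        snapshot_id = ec2.copy_snapshot(
            SourceRegion=source_region, SourceSnapshotId=source_snapshot_id,
            Encrypted=True, KmsKeyId=kms_key_arn,
            Description=f"encrypted copy of {source_snapshot_id}")["SnapshotId"]
        ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snapshot_id])
    elif source_region != dest_region:
        raise ValueError("direct path needs the snapshot in the destination region")
    volume_id = ec2.create_volume(AvailabilityZone=availability_zone, SnapshotId=snapshot_id,
                                  Encrypted=True, KmsKeyId=kms_key_arn)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    described = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    ok, reason = volume_is_encrypted_with(described, kms_key_arn)
    if not ok:
        raise RuntimeError(reason)  # never hand back a volume that silently stayed plaintext
    return volume_id, snapshot_id
```

The same check can be run over every volume returned by describe_volumes() as an audit that nothing created from an old unencrypted snapshot slipped through without the intended CMK.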