AWS Certified Solutions Architect - Professional 2020


Using snapshots to encrypt EBS

Hello,

I’m following the course, and in the chapter "EBS" it’s said that EBS snapshots can be used to encrypt a volume

  • by taking a snapshot,

  • then creating an encrypted volume from the snapshot by ticking the box "encrypted".

I don’t think this is correct (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)

From the console, creating a volume from an unencrypted snapshot forces "Encryption" to non-encrypted.

In my understanding, the right process for using a snapshot in this context is:

  • take the snapshot,

  • copy the snapshot to an encrypted snapshot,

  • create the new volume from the encrypted copy of the snapshot.

Regards,

Chris

4 Answers

Hi Chris,

Thanks for pointing this out. Yes, I got ahead of myself in the lecture and omitted the encrypted snap step. You are correct. You have to copy a snap to another snap with the encryption setting ticked (and a KMS key selected), and then you can use that new encrypted snap to create a new volume. I’ll add that to my edits.

–Scott

Artur Pioro

Does it need to be KMS? I wonder about SSE-S3. I’m wondering about sharing encrypted AMIs within a big organization that has different accounts and a footprint in different regions. KMS would make it impossible, as it locks to a region. Maybe automated pipelines for generating, sharing and copying AMIs that would be encrypted at the destination? At least until AWS agrees to sharing secrets across regions (which probably won’t happen, as it would make KMS hardware key management useless).

Michael Davis

This was a big headache for us trying to set up DR with Cloud Protection Manager (the region specificity), but fortunately the application handles it now. I think we are using an automated solution to share AMIs, though. I’ll respond again if I have more info.

The video is correct. You CAN restore an unencrypted snapshot DIRECTLY to an encrypted volume; go try it yourself.
From the Snapshot -> Create Volume console: "To create an encrypted volume, select the Encrypted box and choose the master key you want to use when encrypting the volume. Volumes that are created from encrypted snapshots are automatically encrypted, and volumes that are created from unencrypted snapshots are automatically unencrypted. If you wish to encrypt a volume from an unencrypted snapshot, then check mark Encryption."

Nicolas

I disagree, you cannot create an encrypted volume from an unencrypted snapshot. I’ve just tested that right now, the volume you create from an unencrypted snapshot is set to unencrypted and you cannot change that.

Christophe

It seems that you can now. I just tested it again, and I’ve been able to restore an encrypted EBS volume from an unencrypted snapshot. In the console, the "Encryption" tick box is now enabled. I suspect an update of the feature.

The only way to create an encrypted volume from the unencrypted snapshot is:

  • copy the unencrypted snapshot within the same region (volumes are per AZ, but snapshots are per region), ticking "Encrypt this snapshot";
  • then create the volume from that copied snapshot.

The doco from the OP’s URL states it is possible, and I can confirm that it does work, as I just tried it.

Specifically:

(1) Create unencrypted volume;

(2) Create unencrypted snapshot of unencrypted volume;

(3) Create new volume from unencrypted snapshot, ticking "encrypted" box and selecting the encryption key (CMK);

(4) Encrypted volume is created successfully from unencrypted snapshot.

Kimi

Vote +1 for this process.

Christophe

I confirm this is now working indeed. Could that be some update in AWS services?
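An added example to tie the thread together (it is not from the course, the lecturer, or any of the posters above): the same two procedures as AWS CLI calls. The "copy" route is the one the early replies settle on (snapshot, copy the snapshot with encryption turned on, restore from the copy); the "direct" route is the one the later replies confirm (create the volume straight from the unencrypted snapshot with the encrypted option and a KMS key). It assumes a configured AWS CLI with permission to call EC2 and use the key; the region, AZ, the key alias `alias/ebs-encryption`, the placeholder volume id in the comment, and the `SOURCE_VOLUME_ID`/`MODE` environment variables are all made up for this example.

```shell
#!/bin/sh
# Added example, not part of the course or this thread. Two routes from an
# unencrypted EBS volume to an encrypted one, using the AWS CLI:
#   copy   - snapshot, copy the snapshot with --encrypted, restore from the copy
#   direct - snapshot, create-volume straight from it with --encrypted
# Assumptions: the AWS CLI is configured with credentials that can call EC2 and
# use the key; REGION, AZ and KMS_KEY_ID are placeholders (the alias is made up).
set -eu

REGION="${REGION:-us-east-1}"
AZ="${AZ:-us-east-1a}"
KMS_KEY_ID="${KMS_KEY_ID:-alias/ebs-encryption}"   # placeholder alias

# Snapshot a volume, wait for it to complete, print the snapshot id.
snapshot_volume() {
  snap=$(aws ec2 create-snapshot --region "$REGION" --volume-id "$1" \
           --description "pre-encryption copy of $1" \
           --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --region "$REGION" --snapshot-ids "$snap"
  echo "$snap"
}

# The step the lecture skipped: copy the snapshot within the same region with
# encryption turned on. Prints the encrypted snapshot id.
copy_snapshot_encrypted() {
  dst=$(aws ec2 copy-snapshot --region "$REGION" --source-region "$REGION" \
          --source-snapshot-id "$1" --encrypted --kms-key-id "$KMS_KEY_ID" \
          --description "encrypted copy of $1" \
          --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --region "$REGION" --snapshot-ids "$dst"
  echo "$dst"
}

# Create a volume from a snapshot as-is: encrypted snapshot -> encrypted
# volume, unencrypted snapshot -> unencrypted volume. Prints the volume id.
volume_from_snapshot() {
  aws ec2 create-volume --region "$REGION" --availability-zone "$AZ" \
      --snapshot-id "$1" --volume-type gp3 --query VolumeId --output text
}

# Create an encrypted volume directly from an unencrypted snapshot, the route
# the later replies in the thread confirm. Prints the volume id.
encrypted_volume_from_snapshot() {
  aws ec2 create-volume --region "$REGION" --availability-zone "$AZ" \
      --snapshot-id "$1" --encrypted --kms-key-id "$KMS_KEY_ID" \
      --volume-type gp3 --query VolumeId --output text
}

# Prints True or False: the volume's Encrypted attribute as the API reports it.
volume_is_encrypted() {
  aws ec2 describe-volumes --region "$REGION" --volume-ids "$1" \
      --query 'Volumes[0].Encrypted' --output text
}

# Whole procedure. Usage: encrypt_volume <source-volume-id> [copy|direct]
# Prints the new volume id; fails if the API does not report it as encrypted,
# so a console or behaviour change cannot leave an unencrypted copy unnoticed.
encrypt_volume() {
  src_snap=$(snapshot_volume "$1")
  case "${2:-copy}" in
    copy)   new_vol=$(volume_from_snapshot "$(copy_snapshot_encrypted "$src_snap")") ;;
    direct) new_vol=$(encrypted_volume_from_snapshot "$src_snap") ;;
    *)      echo "unknown mode: ${2:-}" >&2; return 2 ;;
  esac
  if [ "$(volume_is_encrypted "$new_vol")" != "True" ]; then
    echo "volume $new_vol is not encrypted; not using it" >&2
    return 1
  fi
  echo "$new_vol"
}

# Runs only when a source volume is named (placeholder id shown), e.g.
#   SOURCE_VOLUME_ID=vol-0123456789abcdef0 MODE=copy sh encrypt-ebs.sh
if [ -n "${SOURCE_VOLUME_ID:-}" ]; then
  encrypt_volume "$SOURCE_VOLUME_ID" "${MODE:-copy}"
fi
```

Whichever route you take, the last step reads the new volume’s `Encrypted` attribute back from the API instead of trusting the console tick box. That is the practical lesson of this thread: the console behaviour changed between replies, and the attribute on the resulting volume is what matters. The copy route is also the one to use when the encrypted copy has to land in another region, since snapshots are regional and volumes are per AZ, as the reply above points out.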
