I’m following the course, and in the chapter "EBS", it’s said that EBS snapshots can be used to encrypt a volume:
- by taking a snapshot,
- then creating an encrypted volume from the snapshot by ticking the box "encrypted".
I don’t think this is correct (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html).
From the console, creating a volume from an unencrypted snapshot forces "Encryption" to non-encrypted.
In my understanding, the right process for using a snapshot in this context is:
- take the snapshot,
- copy the snapshot to an encrypted snapshot,
- create the new volume from the encrypted copy of the snapshot.
Thanks for pointing this out. Yes, I got ahead of myself in the lecture and omitted the encrypted snap step. You are correct. You have to copy a snap to another snap with the encryption setting ticked (and KMS key selected) and then you can use that new encrypted snap to create a new volume. I’ll add that to my edit it.
The video is correct. You CAN restore an unencrypted snapshot DIRECTLY to an encrypted volume; go try it yourself.
From the Snapshot -> Create Volume console, "To create an encrypted volume, select the Encrypted box and choose the master key you want to use when encrypting the volume. Volumes that are created from encrypted snapshots are automatically encrypted, and volumes that are created from unencrypted snapshots are automatically unencrypted. if you wish to encrypt volume from unencrypted snapshot then check mark Encryption".
The only way to create an encrypted volume from the unencrypted snapshot is:
- copy the unencrypted snapshot to the same region (Volumes are on an AZ basis but Snapshots are on a Region basis), ticking "Encrypt this snapshot"
- then create the volume from that copied snapshot
The doco from OP’s URL states it is possible and I can confirm that it does work as I just tried it.
(1) Create unencrypted volume;
(2) Create unencrypted snapshot of unencrypted volume;
(3) Create new volume from unencrypted snapshot, ticking "encrypted" box and selecting the encryption key (CMK);
(4) Encrypted volume is created successfully from unencrypted snapshot.
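
The two procedures described in this thread, written as AWS CLI calls with a check that reports whether the resulting volume is encrypted. This is an added example, not part of any post above; the function names are made up here, and the snapshot ID, region, Availability Zone and KMS key are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: the two routes discussed in the thread, plus a verification step.
# Function names are hypothetical; IDs and keys are caller-supplied arguments.

# Direct route: create an encrypted volume from an unencrypted snapshot.
# args: <snapshot-id> <availability-zone> <kms-key-id>
encrypt_direct() {
  aws ec2 create-volume \
    --snapshot-id "$1" --availability-zone "$2" \
    --encrypted --kms-key-id "$3" \
    --query VolumeId --output text
}

# Copy route: make an encrypted copy of the snapshot in the same region,
# wait for the copy to complete, then create the volume from the copy.
# A volume created from an encrypted snapshot is encrypted automatically.
# args: <snapshot-id> <region> <availability-zone> <kms-key-id>
encrypt_via_copy() {
  enc_snap=$(aws ec2 copy-snapshot \
    --region "$2" --source-region "$2" --source-snapshot-id "$1" \
    --encrypted --kms-key-id "$4" \
    --query SnapshotId --output text) || return 1
  aws ec2 wait snapshot-completed \
    --region "$2" --snapshot-ids "$enc_snap" || return 1
  aws ec2 create-volume --region "$2" \
    --snapshot-id "$enc_snap" --availability-zone "$3" \
    --query VolumeId --output text
}

# Verification: succeeds only if the volume reports Encrypted = True.
# args: <volume-id>
volume_is_encrypted() {
  [ "$(aws ec2 describe-volumes --volume-ids "$1" \
        --query 'Volumes[0].Encrypted' --output text)" = "True" ]
}
```

Running `volume_is_encrypted` on the volume returned by either function settles which route works in a given account without relying on what the console form displays.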