I created an Amazon EFS file system without encryption and now I want to turn on encryption of data at rest.
After you create an existing file system (EFS), you can't change its encryption setting. This means you can't modify an unencrypted file system to make it encrypted. Instead, you must:
- Create a new Amazon EFS file system with encryption turned on.
- Copy the data from the existing file system into the new file system.
- Create a new Amazon EFS file system with encryption turned on. To copy the data from your existing EFS file system to a new EFS file system, use the EFS replication feature. The EFS replication process replicates the data and metadata on the source file system to a new destination EFS file system.
After creating an EFS replication configuration, Amazon EFS performs the initial sync that copies all data and metadata on the source to the destination file system. The amount of time that the initial sync takes to finish depends on the size of the source file system. After the initial sync completes, the replication process continues to keep the destination file system in sync with the source.
2. Fail over to the destination file system.
Note: Encryption at rest isn't turned on by default when creating a new file system using the AWS CLI, API, or SDKs. For more information, see Creating a file system using the AWS CLI.
Encrypting data at rest
Data encryption in Amazon EFS
Amazon EFS replication