How do I turn on encryption at rest for an existing Amazon EFS file system?

2 minute read

I used Amazon Elastic File System (Amazon EFS) to create a file system without encryption at rest. Now, I want to turn on encryption.

Short description

After you create a file system in Amazon EFS, you can't change its encryption setting. This means you can't modify an unencrypted file system to make it encrypted. Instead, use Amazon EFS replication to copy your data into a new, encrypted EFS file system.


Replicate your Amazon EFS file system

Use the Amazon EFS console, the API, or the AWS CLI to replicate your file system. To do this, follow the instructions in Creating a replication configuration. This process replicates the data and metadata on your source file system to a new destination file system.

When you configure the replication, make sure that you turn on encryption.

Note: When you use EFS replication to create a new file system, you must manually turn on encryption at rest. In the replication configuration, you must specify an AWS Key Management Service (AWS KMS) key for the encryption setting. By default, Amazon EFS uses your AWS KMS EFS service key (aws/elasticfilesystem). For more information, see Creating a file system by using the AWS CLI.

After you create your replication configuration, Amazon EFS performs the initial data and metadata sync. The amount of time that the initial sync takes to finish depends on the size of the source file system. After the initial sync completes, the replication process continues to keep the destination file system in sync with the source.

Fail over to the destination EFS file system

When the replication process is complete, fail over to your encrypted destination file system.

Related information

Encrypting data at rest

Data encryption in Amazon EFS

AWS OFFICIALUpdated 7 months ago

As per the AWS EKS documentation and the steps to create EFS Replication Configuration , there is no way to provide an existing EFS file system as the destination file system. EFS Replication Configuration always creates a new EFS file system.

However, this post suggests to create a new encrypted EFS file system and mark it as destination file system during EFS replication. This does not seem to be a possible scenario. Or am I missing something here ?

replied 8 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied 8 months ago