How do I convert an unencrypted Multi-AZ DB cluster to an encrypted Multi-AZ DB cluster?


I want to encrypt my Amazon Relational Database Service (Amazon RDS) Multi-AZ DB cluster. However, I don’t want to use a native dump method or AWS Database Migration Service (AWS DMS).

Short description

Because Multi-AZ DB clusters don't support snapshot copies, you can't directly convert an unencrypted Multi-AZ DB cluster to an encrypted Multi-AZ DB cluster. However, you can transfer data between these clusters with AWS DMS or any native dump method, such as mysqldump or pg_dump.

If you don't want to use these methods, then you can use snapshots to transfer data to an encrypted Multi-AZ DB cluster in Amazon RDS.


If you already created a Multi-AZ DB cluster without encryption, then complete the following steps to transfer your data to an encrypted cluster:

  1. Sign in to the Amazon RDS console.
  2. Take a snapshot of your unencrypted cluster.
  3. When the snapshot is available, restore that snapshot with the following setting:
    Choose Single-AZ Deployment for the cluster. This restores the cluster into a Single-AZ DB instance.
    Note: Amazon RDS doesn't support all DB instance classes for this operation. For more information, see Settings for creating Multi-AZ DB clusters and DB instance class types.
  4. After you restore the snapshot and the Single-AZ DB instance is available, take a new snapshot of this instance.
  5. Choose Snapshots from the navigation page, and wait until the new snapshot from Step 4 is available. Then, choose this snapshot.
  6. Choose Actions, and then choose Copy snapshot.
  7. For Encryption, choose Enable Encryption, and then select your AWS Key Management Service (AWS KMS) key to encrypt the snapshot.
  8. Choose Copy snapshot.
  9. When the copied snapshot is available, restore that snapshot with the following settings:
    Choose Multi-AZ Deployment for the cluster.
    In the Encryption section, verify that the default selection is the KMS Key that you selected in Step 7.
  10. Choose Restore DB instance. Your new, encrypted DB cluster has the same data as your original, unencrypted DB cluster.
    Note: When you restore the DB instance, Amazon RDS might prompt you about storage type conversion. For more information, see the following section Storage type and cost.

After you confirm that the encrypted cluster works as expected, delete all DB instances and snapshots that you no longer need.
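The same snapshot procedure as AWS CLI calls, as an added example that is not part of the AWS article. Cluster and snapshot identifiers, the engine (mysql), the instance class, the io1/IOPS storage settings and the KMS key alias are placeholders to replace for your own cluster; the final function checks that the restored cluster reports encrypted storage under the expected key.

```shell
#!/bin/sh
# Added example, not from the AWS article: the console steps above as AWS CLI calls.
# Placeholders (not from the page): identifiers, engine "mysql", instance class and
# io1/IOPS storage settings; adjust them to your cluster. AWS=echo prints a dry run.
set -eu
: "${AWS:=aws}"
ENGINE="${ENGINE:-mysql}"; CLASS="${CLASS:-db.m6gd.large}"

encrypt_multi_az_cluster() {   # usage: encrypt_multi_az_cluster SRC_CLUSTER DST_CLUSTER KMS_KEY
  local src="$1" dst="$2" kms="$3"
  local snap1="$1-unenc" tmp="$1-tmp-single-az" snap2="$1-single-az" snap3="$1-encrypted" arn

  # Step 2: snapshot of the unencrypted Multi-AZ DB cluster (a cluster snapshot).
  $AWS rds create-db-cluster-snapshot --db-cluster-identifier "$src" --db-cluster-snapshot-identifier "$snap1"
  $AWS rds wait db-cluster-snapshot-available --db-cluster-snapshot-identifier "$snap1"

  # Step 3: restore the cluster snapshot as a Single-AZ DB instance.
  $AWS rds restore-db-instance-from-db-snapshot --db-instance-identifier "$tmp" \
    --db-cluster-snapshot-identifier "$snap1" --db-instance-class "$CLASS" --no-multi-az
  $AWS rds wait db-instance-available --db-instance-identifier "$tmp"

  # Step 4: DB-instance snapshot; unlike a cluster snapshot, this one can be copied.
  $AWS rds create-db-snapshot --db-instance-identifier "$tmp" --db-snapshot-identifier "$snap2"
  $AWS rds wait db-snapshot-available --db-snapshot-identifier "$snap2"

  # Steps 5-8: copy the snapshot with encryption under the chosen KMS key.
  $AWS rds copy-db-snapshot --source-db-snapshot-identifier "$snap2" \
    --target-db-snapshot-identifier "$snap3" --kms-key-id "$kms"
  $AWS rds wait db-snapshot-available --db-snapshot-identifier "$snap3"

  # Steps 9-10: restore the encrypted DB snapshot as a Multi-AZ DB cluster. A DB snapshot
  # must be named by ARN here, and the storage type must be one Multi-AZ DB clusters support.
  arn=$($AWS rds describe-db-snapshots --db-snapshot-identifier "$snap3" \
    --query 'DBSnapshots[0].DBSnapshotArn' --output text)
  $AWS rds restore-db-cluster-from-snapshot --db-cluster-identifier "$dst" --snapshot-identifier "$arn" \
    --engine "$ENGINE" --db-cluster-instance-class "$CLASS" --storage-type io1 --iops 1000 --kms-key-id "$kms"
  $AWS rds wait db-cluster-available --db-cluster-identifier "$dst"
}

# Returns 0 only if the describe output reads "True <kms key arn>", i.e. storage is encrypted.
is_encrypted() {
  case "$1" in True*arn:aws:kms:*) return 0 ;; *) return 1 ;; esac
}

verify_encrypted() {   # usage: verify_encrypted DST_CLUSTER
  is_encrypted "$($AWS rds describe-db-clusters --db-cluster-identifier "$1" \
    --query 'DBClusters[0].[StorageEncrypted,KmsKeyId]' --output text)"
}
if [ "$#" -ge 3 ]; then encrypt_multi_az_cluster "$@" && verify_encrypted "$2"; fi
```

Run it as `sh encrypt.sh src-cluster dst-cluster alias/your-key`; the temporary Single-AZ instance and the intermediate snapshots are left in place for you to delete after the checks pass.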

Storage type and cost

When you restore your DB instance back to a Multi-AZ Deployment cluster, you might receive the following message:

Converting between General Purpose (SSD) and Provisioned IOPS (SSD)

If you convert between General Purpose (SSD) and Provisioned IOPS (SSD), it can cause these issues:
Deplete the initial General Purpose (SSD) I/O credits, leading to longer conversion times.
Negatively affect instance performance until the operation completes.

For example, you receive this warning if you choose the default GP2 storage type for the Single-AZ Deployment in Step 3. This storage type results in lower costs in exchange for decreased performance.

Make sure that you choose a storage type that's appropriate for your use case. For more information on the performance and cost of storage types, see Amazon RDS DB instance storage.

AWS OFFICIAL. Updated a year ago.