Can we directly create encrypted volume from unencrypted snapshot in aws

0

I want to ask can we create an encrypted volume from an unencrypted snapshot in AWS? I have found documentation which says we should copy the unencrypted snapshot to an encrypted snapshot and then create a volume from the encrypted snapshot. Is it necessary to do the copy snapshot step?

I can create the encrypted volume from an unencrypted snapshot directly without copying the unencrypted snapshot to an encrypted snapshot first. Can someone verify that this approach is valid as well? I am using the default EBS encryption key to encrypt my volume.

asked a year ago, 388 views
2 Answers
1

FYI, "New EBS volumes that are created from encrypted snapshots are automatically encrypted. You can also encrypt a volume on-the-fly while restoring it from an unencrypted snapshot. Encrypted volumes can only be attached to instance types that support EBS encryption."

Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-volume.html

AWS
AntAWS
answered a year ago
0

I don't think the copy snapshot step is necessary. Can you share the documentation you are referring to? Here is the documentation regarding "creating an encrypted volume from an unencrypted snapshot": https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

How EBS encryption works when the snapshot is unencrypted

When you create an encrypted volume from an unencrypted snapshot, Amazon EC2 works with AWS KMS to encrypt and decrypt your EBS volumes as follows:

  • Amazon EC2 sends a CreateGrant request to AWS KMS, so that it can encrypt the volume that is created from the snapshot.
  • Amazon EC2 sends a GenerateDataKeyWithoutPlaintext request to AWS KMS, specifying the KMS key that you chose for volume encryption.
  • AWS KMS generates a new data key, encrypts it under the KMS key that you chose for volume encryption, and sends the encrypted data key to Amazon EBS to be stored with the volume metadata.
  • Amazon EC2 sends a Decrypt request to AWS KMS to get the encryption key to encrypt the volume data.
  • When you attach the encrypted volume to an instance, Amazon EC2 sends a CreateGrant request to AWS KMS, so that it can decrypt the data key.
  • When you attach the encrypted volume to an instance, Amazon EC2 sends a Decrypt request to AWS KMS, specifying the encrypted data key.
  • AWS KMS decrypts the encrypted data key and sends the decrypted data key to Amazon EC2.
  • Amazon EC2 uses the plaintext data key in hypervisor memory to encrypt disk I/O to the volume. The plaintext data key persists in memory as long as the volume is attached to the instance.
AWS
EXPERT
answered a year ago
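The direct path both answers describe (CreateVolume with Encrypted=True against an unencrypted snapshot, no CopySnapshot step), as an added example that is not code from the thread or from AWS. The request-building and verification functions are pure Python so they can be exercised offline against the constructed sample API responses embedded below; run_live() shows the same logic wired to boto3 (assumed installed, with credentials and a real snapshot ID, which are not part of the thread). The snapshot ID, volume ID, account number and KMS key ARN in the samples are made up.

```python
"""Create an encrypted EBS volume directly from an unencrypted snapshot.

Added example, not from the re:Post thread. The point it demonstrates:
Encrypted=True on CreateVolume encrypts on the fly, so the snapshot does
not have to be copied to an encrypted snapshot first. Omitting KmsKeyId
selects the account's default EBS key (aws/ebs) for that region.

Caveat worth checking: if Encrypted is omitted, a volume restored from an
unencrypted snapshot is unencrypted unless "EBS encryption by default" is
enabled for the region (ec2 get-ebs-encryption-by-default), so always
verify the resulting volume rather than assuming.
"""

# Constructed sample, shaped like one entry of DescribeSnapshots.
SAMPLE_SNAPSHOT = {
    "SnapshotId": "snap-0123456789abcdef0",
    "VolumeSize": 8,
    "Encrypted": False,
    "State": "completed",
}

# Constructed sample, shaped like a CreateVolume / DescribeVolumes result.
SAMPLE_VOLUME = {
    "VolumeId": "vol-0123456789abcdef0",
    "SnapshotId": "snap-0123456789abcdef0",
    "Encrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "Size": 8,
    "AvailabilityZone": "us-east-1a",
}


def build_create_volume_request(snapshot, availability_zone, kms_key_id=None):
    """Return CreateVolume parameters that restore `snapshot` as an encrypted volume.

    Works for an unencrypted source snapshot: Encrypted=True makes EC2
    encrypt the restored data while it is written. Pass kms_key_id (key ID,
    ARN or alias) to use a customer-managed key; leave it None to use the
    default EBS key, as the question asker does.
    """
    if snapshot.get("State") != "completed":
        raise ValueError(f"{snapshot['SnapshotId']} is not in state 'completed'")
    params = {
        "SnapshotId": snapshot["SnapshotId"],
        "AvailabilityZone": availability_zone,
        "VolumeType": "gp3",
        "Encrypted": True,
    }
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    return params


def verify_volume_encryption(volume, expected_kms_key_id=None):
    """Return a list of findings about `volume`; empty means it is encrypted.

    API responses report KmsKeyId as the full key ARN, so pass the ARN (not
    an alias) as expected_kms_key_id when you want the key checked too.
    """
    findings = []
    if not volume.get("Encrypted"):
        findings.append(f"{volume['VolumeId']} is NOT encrypted")
    key = volume.get("KmsKeyId")
    if not key:
        findings.append(f"{volume['VolumeId']} has no KmsKeyId")
    elif expected_kms_key_id and key != expected_kms_key_id:
        findings.append(
            f"{volume['VolumeId']} is encrypted under {key}, expected {expected_kms_key_id}"
        )
    return findings


def run_live(snapshot_id, availability_zone, kms_key_id=None, region="us-east-1"):
    """Do it for real: needs boto3, AWS credentials and permission for
    ec2:CreateVolume plus kms:CreateGrant/GenerateDataKeyWithoutPlaintext/Decrypt
    on the chosen key. Returns the verification findings for the new volume."""
    import boto3  # imported here so the offline functions above work without it

    ec2 = boto3.client("ec2", region_name=region)
    snapshot = ec2.describe_snapshots(SnapshotIds=[snapshot_id])["Snapshots"][0]
    params = build_create_volume_request(snapshot, availability_zone, kms_key_id)
    created = ec2.create_volume(**params)
    ec2.get_waiter("volume_available").wait(VolumeIds=[created["VolumeId"]])
    volume = ec2.describe_volumes(VolumeIds=[created["VolumeId"]])["Volumes"][0]
    return verify_volume_encryption(volume, kms_key_id)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(build_create_volume_request(SAMPLE_SNAPSHOT, "us-east-1a"))
    print(verify_volume_encryption(SAMPLE_VOLUME) or "volume is encrypted")
```

verify_volume_encryption is the check a practitioner wants after the restore: it reads the volume back from DescribeVolumes instead of trusting the request, so a region where encryption by default is off, or a typo that dropped Encrypted, shows up as a finding rather than an unencrypted volume in production.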
