Enable RDS Encryption with minimal downtime after creation


I have 2 RDS instances (one mysql and one postgres) and I need to enable encryption after they were already created. The DBs are large, and I am concerned about potential downtime required to create a snapshot, restore the DB, and then complete the warming process.

I estimate it would take ~5 hours to create the snapshot (Postgres ~1.1TB) and ~24 hours for the mysql (~4.5 TB). Then there is time to restore from snapshot and warm the DBs, and then they'd need to (I'm assuming) catch up transactions that may be happening during that gap of time.

I'm thinking I would need to make sure they have a multi-AZ DB. Then create a snapshot for the DBs, encrypt the snapshot and restore to a new RDS instance. Then, could I use AWS DMS to do on-going replication for the DB to catch up the transactions and then flip over to the new DB when there is an available small window for downtime?

Is there a better approach or recommendation?

1 Answer
Accepted Answer

If you don't want to go the route of taking snapshot, encrypting it and then restoring it, the only option left is to do replication to an encrypted RDS, either using DMS or by setting up binlog replication (in case of MySQL) or WAL replication (using pglogical) in case of PostgreSQL. You could set up a new set of instances that are encrypted, and then use logical database replication to copy the data over, and then cut over to the new instances once replication lag is 0. DMS isn't really needed if you are transferring data from MySQL to MySQL or PostgreSQL to PostgreSQL.

answered 2 years ago
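Whichever route is taken (encrypted snapshot copy or logical replication into new encrypted instances), two checks are worth automating: confirming which instances still run on unencrypted storage, and confirming the replacement is encrypted with the intended key, Multi-AZ, available, and caught up (lag 0) before the cutover. The script below is an added example, not code from the question or the answer; it parses JSON in the shape returned by `aws rds describe-db-instances` (the field names `StorageEncrypted`, `KmsKeyId`, `MultiAZ`, `DBInstanceStatus` and `AllocatedStorage` are the real ones). The instance identifiers, the KMS key ARN and the replication-lag value are constructed placeholders; in practice the lag comes from the replica (for example `Seconds_Behind_Source` on a MySQL binlog replica).

```python
"""Audit RDS instances for unencrypted storage and gate the cutover to an
encrypted replacement. Added example; the sample JSON below is constructed
in the shape of `aws rds describe-db-instances` output."""
import json
from typing import Dict, List, Tuple

# Constructed sample: identifiers and the KMS key ARN are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "app-postgres", "Engine": "postgres",
         "DBInstanceStatus": "available", "MultiAZ": True,
         "StorageEncrypted": False, "AllocatedStorage": 1100},
        {"DBInstanceIdentifier": "app-mysql", "Engine": "mysql",
         "DBInstanceStatus": "available", "MultiAZ": False,
         "StorageEncrypted": False, "AllocatedStorage": 4500},
        {"DBInstanceIdentifier": "app-postgres-enc", "Engine": "postgres",
         "DBInstanceStatus": "available", "MultiAZ": True,
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
         "AllocatedStorage": 1100},
    ]
})

EXPECTED_KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"


def find_unencrypted(describe_json: str) -> List[Dict]:
    """Return one finding per instance whose storage is not encrypted.

    Size and Multi-AZ are included because they drive the snapshot time
    and whether the source can tolerate a long copy window."""
    findings = []
    for db in json.loads(describe_json).get("DBInstances", []):
        if not db.get("StorageEncrypted", False):
            findings.append({
                "id": db["DBInstanceIdentifier"],
                "engine": db.get("Engine"),
                "multi_az": db.get("MultiAZ", False),
                "allocated_gib": db.get("AllocatedStorage"),
            })
    return findings


def get_instance(describe_json: str, identifier: str) -> Dict:
    """Look up one instance record by DBInstanceIdentifier."""
    for db in json.loads(describe_json).get("DBInstances", []):
        if db["DBInstanceIdentifier"] == identifier:
            return db
    raise KeyError(identifier)


def cutover_ready(instance: Dict, expected_kms_key: str,
                  lag_seconds: int) -> Tuple[bool, List[str]]:
    """Decide whether the replacement instance may take traffic.

    Returns (ready, problems). Every failed precondition is reported so
    the operator sees all blockers at once rather than one per retry."""
    problems = []
    if not instance.get("StorageEncrypted", False):
        problems.append("storage is not encrypted")
    elif instance.get("KmsKeyId") != expected_kms_key:
        # Encrypted, but with a different key than the one approved for it.
        problems.append("encrypted with an unexpected KMS key")
    if instance.get("DBInstanceStatus") != "available":
        problems.append(f"status is {instance.get('DBInstanceStatus')!r}, not 'available'")
    if not instance.get("MultiAZ", False):
        problems.append("not Multi-AZ")
    if lag_seconds != 0:
        problems.append(f"replication lag is {lag_seconds}s, not 0")
    return (not problems, problems)


if __name__ == "__main__":
    for f in find_unencrypted(SAMPLE_DESCRIBE_OUTPUT):
        print("unencrypted:", f)
    target = get_instance(SAMPLE_DESCRIBE_OUTPUT, "app-postgres-enc")
    ready, problems = cutover_ready(target, EXPECTED_KMS_KEY, lag_seconds=0)
    print("cutover ready:", ready, problems)
```

Run the audit against real output by piping `aws rds describe-db-instances --output json` into `find_unencrypted`; the cutover gate is meant to be evaluated immediately before the application is repointed, since lag can drift back above zero while the maintenance window is being arranged.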