How to Migrate Data from an Unencrypted to an Encrypted EBS Volume

Encrypted ebs volumeIn the growing world of data security and privacy requirements, encryption is a de facto need of cloud-based applications. AWS EBS which provides data persistence also offers an easy to use, 256 bit key based encryption mechanism for EBS volumes. It builds, manages and secures a key management service for data owners.

AWS EBS encryption uses AWS’ own key management service known as AWS KMS. And AWS KMS customer master keys (CMK) are used to create encrypted volumes as well as snapshots of encrypted volumes. When users create encrypted volumes in specific regions, AWS KMS creates a default CMK automatically. Users are allowed to create their own CMKs with KMS and use them during encryption. Data that is stored at rest on the AWS EBS backup volume, along with I/O (in-transit) on disk and snapshots that are created from the volume, are encrypted, too.

In this article, we will show you how to migrate data from an unencrypted volume to an encrypted one. Therefore, we will use an Amazon Linux instance and attach an additional 5GB data volume (unencrypted) to the instance.

Encrypted ebs volume
You can describe your volume details with the AWS CLI:

aws ec2 describe-volumes
Encrypted ebs volume

This volume is mounted as an additional data volume to a directory called “unencrypt”
Encrypted ebs volume

Below are the contents of the data volume.
Unencrypted Data.JPG

You can move this data to an encrypted volume by first creating a new encrypted EBS volume using the AWS Management Console. As shown below, you can do this with the KMS CMK:
Encrypted ebs volume

aws ec2 create-volume –size 5 –region ap-southeast-1 –availability-zone ap-southeast-1a –volume-type gp2 –encrypted
Encrypted ebs volume
If you want to specify a non default master key, you should provide it using the parameter: –kms-key-id

The command would then look similar to this:
aws ec2 create-volume –size 5 –region ap-southeast-1 –availability-zone ap-southeast-1a –volume-type gp2 –encrypted –kms-key-id <Key ID in ARN Format>
It is important to note that the parameter is optional, but if it is provided, you should use the full Amazon Resource Name (ARN) of the AWS KMS master key when creating the encrypted volume. If this parameter is not specified, AWS will use the default master key.

Here is your new encrypted EBS volume:
Encrypted ebs volume

Attach the newly encrypted volume to your running instance as an additional volume.
Encrypted ebs volume

aws ec2 attach-volume –volume-id vol-c5208e2d –instance-id i-5f28ca93 –device /dev/sdg
Encrypted ebs volume

The new volume will behave like a raw, unformatted block device. We will first copy all the content from old unencrypted volume to new encrypted volume., You can use the dd command as shown below that will copy one disk to another byte by byte.

dd if/dev/xdf of=/dev/xvdg bs=64K conv=noerror,sync

Encrypted ebs volume

In the above command copy the content from unencrypted disk (/dev/xdf) to encrypted disk (/dev/xvdg). About the parameters:

  • ‘noerror’ parameter instructs dd command to continue operation, ignoring all read errors. If not specified then default behavior for dd is to halt at any error.
  • ‘sync’ parameter fills input blocks with zeroes if there were any read errors, so data offsets stay in sync.
  • ‘bs’ is to set the block size. It defaults to 512 bytes, which is the “classic” block size for older drives. Its recommended to use bigger value like 64K,128K

Next, you need to mount the new volume after copying content.

Encrypted ebs volume

And verify the content of newly mounted encrypted volume. It shows the same content as unencrypted volume.

Encrypted ebs volume

Once the data is copied detach the unencrypted volume. You should stop the instance before detaching and copying the volume to avoid any data inconsistencies.

Though some believe encryption may have a slight impact on latency, with AWS, IOPS performance is the same on both encrypted and unencrypted volumes.

In this article, we have shown you how to move the contents of an unencrypted EBS volume to an encrypted volume. Before performing the steps outlined above, we recommend backing up your data with EBS Snapshots for consistency.

N2Ws offers Cloud Protection Manager (CPM), which is an enterprise-class backup/recovery and disaster recovery solution for EC2. It is a software product that uses EBS volumes and RDS databases to automatically take snapshots at regular intervals. Additionally, you can set up policies and schedule backups for various targets.

Share this post →

You might also like: