Home / server / Questions / 1003426
Accepted
Darko Miletic
Asked: 2020-02-18 10:37:21 +0800 CST

Encrypt at rest existing AWS EFS instances - is it possible?

  • 772

Based on my understanding of AWS documentation it appears that the only way to encrypt at rest existing EFS instances with some data is to create new EFS instances with encryption enabled and copy the files from unencrypted EFS to encrypted EFS and alter mount points if any.

Can anybody confirm that is the case?

encryption amazon-web-services amazon-efs encrypting-file-system

2 Answers

  1. Best Answer

    You are correct, EFS encryption of data at rest can only be enabled when creating the EFS instance. Below is the quote (and image) from the setup workflow for EFS.

    Encryption of data at rest can only be enabled during file system creation. Encryption of data in transit is configured when mounting your file system

    enter image description here

    Reference

    Encryption at Rest

    • 2

  2. On encryption of EFS instances, I've worked out a procedure, that amounts to

    1. Create an encrypted EFS instance

    2. Use DataSync to copy the contents over

    3. Fix everything that mounts the EFS instance to use the new ID. This could include scripts in instances, as well as the FILE_SYSTEM_ID parameter in Beanstalks.

    On encryption of database, a colleague found a blog post that squeezes out all the unnecessary fiddling, and distills the process down to its essentials, at

    https://blog.theodo.com/2019/11/encrypt-existing-aws-rds-database/

    I can confirm that it works.

    • 0