Creating encrypted AMI snapshots in Amazon EC2
Closed this issue · 3 comments
Do you plan to support creating encrypted AMIs?
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
The official Debian images are not encrypted. It's also not possible to create a copy of such an AMI and encrypt it due to some policy applied to those AMIs. So whenever we create an instance from an unencrypted AMI, we have to go through the following steps to encrypt the EBS volume it uses:
- Shut down the new EC2 instance
- Create a snapshot of the EBS volume and delete the unencrypted volume
- Create an encrypted copy of the snapshot in the same availability zone
- Create a new EBS volume based on the encrypted snapshot
- Attach the encrypted EBS volume as a root device to the instance
- Launch the instance again
I had a quick look at the manifest:
https://github.com/andsens/bootstrap-vz/blob/master/bootstrapvz/providers/ec2/manifest-schema.yml
but I don't see any settings related to encryption here.
For now I will simply encrypt the created AMI using AWS console. So the created instances will be encrypted, unlike instances created from the official Debian AMIs.
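The six manual steps in the report above, scripted against the boto3 EC2 client API so the swap does not have to be clicked through in the console. This is an added example, not code from this issue thread or from bootstrap-vz. The instance id, region, device name and the `FakeEC2` class are constructed stand-ins so the flow runs offline; with real AWS you would pass in `boto3.client("ec2", region_name=region)` instead of the fake, and the call sequence is the same.

```python
"""Encrypt the root volume of an instance launched from an unencrypted AMI.

Added example: the manual console steps as boto3 EC2 client calls. FakeEC2
is a constructed in-memory stand-in, not a real AWS endpoint.
"""
import itertools


def encrypt_root_volume(ec2, instance_id, region, kms_key_id=None, volume_type="gp2"):
    """Replace an instance's unencrypted root volume with an encrypted copy.

    Returns the id of the new encrypted volume. Without kms_key_id the
    encrypted snapshot copy uses the account's default EBS key.
    """
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    root_device = inst["RootDeviceName"]
    zone = inst["Placement"]["AvailabilityZone"]
    old_volume = next(m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"]
                      if m["DeviceName"] == root_device)

    # 1. Stop the instance so the root filesystem is quiescent before snapshotting.
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])

    # 2. Snapshot the unencrypted root volume.
    snap = ec2.create_snapshot(VolumeId=old_volume, Description="root before encryption")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])

    # 3. Copy the snapshot with encryption turned on. copy_snapshot requires the
    #    source region even for an in-region copy; the volume built from the
    #    copy is then placed in the instance's availability zone in step 4.
    copy_args = dict(SourceRegion=region, SourceSnapshotId=snap, Encrypted=True,
                     Description="encrypted root")
    if kms_key_id:
        copy_args["KmsKeyId"] = kms_key_id
    enc_snap = ec2.copy_snapshot(**copy_args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])

    # 4. Create a volume from the encrypted snapshot; it inherits the encryption.
    new_volume = ec2.create_volume(SnapshotId=enc_snap, AvailabilityZone=zone,
                                   VolumeType=volume_type)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_volume])

    # 5. Swap the root device: detach the old volume, attach the new one under
    #    the same device name, and only then delete the unencrypted volume.
    ec2.detach_volume(VolumeId=old_volume)
    ec2.get_waiter("volume_available").wait(VolumeIds=[old_volume])
    ec2.attach_volume(VolumeId=new_volume, InstanceId=instance_id, Device=root_device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_volume])
    ec2.delete_volume(VolumeId=old_volume)

    # 6. Start the instance again on its encrypted root.
    ec2.start_instances(InstanceIds=[instance_id])
    return new_volume


def is_encrypted(ec2, volume_id):
    """Verification step: read the Encrypted flag back from the volume."""
    return ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]["Encrypted"]


class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 client (offline only)."""

    def __init__(self, zone="us-east-1a", root="/dev/xvda"):
        self._ids = itertools.count(1)
        self.snapshots = {}                          # snapshot id -> encrypted?
        self.volumes = {"vol-0old": {"Encrypted": False}}
        self.instance = {"RootDeviceName": root,
                         "Placement": {"AvailabilityZone": zone},
                         "BlockDeviceMappings": [{"DeviceName": root,
                                                  "Ebs": {"VolumeId": "vol-0old"}}]}

    def _new_id(self, prefix):
        return "%s-%04d" % (prefix, next(self._ids))

    def get_waiter(self, name):
        return self                                  # wait() is a no-op here

    def wait(self, **kwargs):
        pass

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instance]}]}

    def describe_volumes(self, VolumeIds):
        return {"Volumes": [self.volumes[v] for v in VolumeIds]}

    def create_snapshot(self, VolumeId, Description=""):
        sid = self._new_id("snap")
        self.snapshots[sid] = self.volumes[VolumeId]["Encrypted"]
        return {"SnapshotId": sid}

    def copy_snapshot(self, SourceRegion, SourceSnapshotId, Encrypted=False,
                      KmsKeyId=None, Description=""):
        sid = self._new_id("snap")
        self.snapshots[sid] = Encrypted or self.snapshots[SourceSnapshotId]
        return {"SnapshotId": sid}

    def create_volume(self, SnapshotId, AvailabilityZone, VolumeType="gp2"):
        vid = self._new_id("vol")
        self.volumes[vid] = {"Encrypted": self.snapshots[SnapshotId]}
        return {"VolumeId": vid}

    def attach_volume(self, VolumeId, InstanceId, Device):
        self.instance["BlockDeviceMappings"] = [{"DeviceName": Device, "Ebs": {"VolumeId": VolumeId}}]

    def delete_volume(self, VolumeId):
        del self.volumes[VolumeId]

    # stop/start/detach need no state for this demonstration
    def stop_instances(self, InstanceIds): pass
    def start_instances(self, InstanceIds): pass
    def detach_volume(self, VolumeId): pass


if __name__ == "__main__":
    fake = FakeEC2()
    vid = encrypt_root_volume(fake, "i-0example", "us-east-1")
    print(vid, "encrypted:", is_encrypted(fake, vid))
```

The `copy_snapshot(..., Encrypted=True)` call is the operation the console performs when you copy a snapshot and tick "Encrypt"; the waiters matter because each step depends on the previous resource reaching `available`/`completed`, and `is_encrypted` is the check worth running before you rely on the new root.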
This is definitely something we can add to ec2 provider options. If you create a PR, I'd be open to reviewing and merging it.
Enabling encryption for an EBS volume is simply a matter of adding the `Encrypted` parameter to the `create_volume` call in the `EBSVolume` class:

```python
self.volume = self.conn.create_volume(Size=size,
                                      AvailabilityZone=zone,
                                      VolumeType='gp2',
                                      Encrypted=True)
```

How to read manifest properties from this class to make this configurable? It might also be a good idea to add a `VolumeType` property to the manifest.