Volume encryption at rest for AWS

[jazzl0ver]

Hi. Please, implement volume encryption at rest for AWS environment. Not sure if journal volumes should be encrypted. Probably not unless they contain sensitive data.

[JuniusLuo]

yes, this is on roadmap. Both journal and data volumes should be encrypted. All data is written into the journal volume first, and then to the data volume.

[jazzl0ver]

Can you please share estimates on the implementation?

[JuniusLuo]

It will probably be supported in Q2.

[JuniusLuo]

Your patch looks work. Are you able to test it? Thanks!

[jazzl0ver]

I've already tested it. Works well. One thing that I'm not able to do - implement update-volume call to convert volumes between encrypted and unencrypted state. It would be great if you took care of that!

[JuniusLuo]

There is no direct way to encrypt an existing unencrypted volume. You need to migrate data between encrypted and unencrypted volumes. See AWS EBS Changing the Encryption State of Your Data.

You could use firecamp cli to stop all containers of the service. Then follow EBS guide to migrate data from the existing unencrypted volume to the new encrypted volume. After that, you could use the firecamp-volume-replace tool to replace the unencrypted volume with the encrypted volume. Please be careful when using the volume-replace tool. You need to make sure the volume is replaced by the correct encrypted volume. Or else, when the cluster starts, it may write additional data to the new volume.

[jazzl0ver]

Yeah, I understand that. I just thought we could automate it :)

[JuniusLuo]

yes, we may support in the future. While, this is not a simple task. It is not planned in the short term. You could create another issue to track it :)

[jazzl0ver]

Agree