- You will enable the encryption flag to the already attached volume.
- You will mark the status of already created snapshot status as encrypted and attach a CMK from KMS.
- You will copy unencrypted snapshots to a new snapshots which will be encrypted.
- You will attach a new volume to the instance with encryption enabled, and then copy data from unencrypted volume to encrypted volume.
Correct Answer : C, D
Detailed Explaination: There is no direct way by which you can encrypt existing unencrypted volume and vice versa.
- You have to migrate data for doing that.
- Or you can apply new encryption status while copying a snapshot.
- There are important points regarding this
- While copying an unencrypted snapshot of an unencrypted volume, you can encrypt the copy. Hence, volumes restored using this are also encrypted.
- While copying an encrypted snapshot of encrypted volume, you can associate the copy with a different CMK. Hence, volume restored from this can only be accessible using new CMK.
- There are important points regarding this
- While copying an unencrypted snapshot of an unencrypted volume, you can encrypt the copy. Hence, volumes restored using this are also encrypted.
- While copying an encrypted snapshot of encrypted volume, you can associate the copy with a different CMK. Hence, volume restored from this can only be accessible using new CMK.
- We cannot remove encryption from an encrypted snapshot.
- Migrate data between encrypted and unencrypted volumes
- Create a destination volume (either encrypted or decrypted)
- Attach the destination volume to the instance which has the data.
- You need to follow some steps to make destination volume available.
- Once destination volume is available you can copy data from instance to destination volume.
- In above steps data will be copied and you can change the encryption state while copying the data.
- If your EC2 instance has attached volume which is un-encrypted. And you want to encrypt it then follow the below steps.
- Create a snapshot of un-encrypted data.
- Copy this snapshot and while copy you can change the encryption state. Hence, new snapshot will be encrypted.
- Now restore this snapshot as volume to instance, and this volume is encrypted.