I needed to decrypt an Amazon Elastic Block Store (Amazon EBS) volume that was encrypted using either the default AWS Key Management Service (KMS) key aws/ebs or a custom KMS key.
I copied an encrypted EBS volume to a new, unencrypted EBS volume using a temporary/rescue Linux EC2 instance located in the same account as the KMS key used to encrypt the data. I then took snapshots and granted the other AWS account access to them using their AWS account ID.
This applies to a single AWS account, not using AWS Organizations.
This first step is super important: before you do anything, create a snapshot of the encrypted volume. This gives you a backup in the event you make a mistake or suffer unplanned data loss or corruption.
Open the Amazon EC2 console.
Stop the instance with the encrypted root volume, and take note of the Region where the instance is launched, such as US-WEST-2.
Choose Actions, Detach Volume, and then choose Yes, Detach.
We will launch a new temporary Linux instance (I prefer to use an Amazon Linux AMI) in the same Availability Zone as the original instance we stopped above.
Once our new temporary instance launches, choose Volumes from the navigation pane, and then select the detached, encrypted root volume.
Choose Actions, Attach Volume; we need to attach the encrypted volume as either /dev/xvdf or /dev/sdg.
Next, we will create a new, unencrypted volume in the same Availability Zone as the encrypted volume; in my case it's US-WEST-1. I like to make these new, unencrypted volumes a little bigger than the original encrypted volumes, for example 100GB larger.
We will attach the new, unencrypted volume to the temporary Linux instance as /dev/xvdg or /dev/sdg, for example.
At this point, the temporary Linux instance should have three EBS volumes: the instance's own root EBS volume, the KMS-encrypted EBS volume, and the new unencrypted EBS volume we will copy data to using dd.
Connect to the temporary Linux EC2 instance using SSH or AWS Systems Manager Session Manager, which is always my preference.
Once we are connected, we will issue the command below to confirm we have the volumes attached correctly.
$ lsblk
NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
xvda    202:0    0  20G  0 disk
└─xvda1 202:1    0  20G  0 part /
xvdf    202:80   0  40G  0 disk
└─xvdf1 202:81   0  40G  0 part
xvdg    202:96   0  50G  0 disk
Note: If you only see a disk and not a partition, we will need to create one.
Creating Disk Partitions with Parted in Linux
- Make sure parted is installed by running sudo parted; if it is not, install it as shown below. To exit parted, type quit.
$ sudo yum install -y parted
or
$ sudo dnf install -y parted
List Existing Disk Partitions
$ sudo parted -l
To create a separate partition, first select the target disk:
$ sudo parted /dev/sdp
(parted) select /dev/sdp
Next, we create a partition table using the mklabel command:
(parted) mklabel gpt
Note: You'll get a warning that the existing disk label will be destroyed and all data on the disk deleted. Type 'Yes' and hit ENTER.
Next, select your preferred partition type; we selected primary.
You will be prompted for a filesystem type; we went with ext4.
We will create a partition of 50GB.
For the start value, enter 1. For the end value, enter 50000, which is 50000MB, the equivalent of 50GB.
Format the new partition:
$ sudo mkfs.ext4 /dev/sdp
As the root user, we will use the dd command to copy the data from the original, encrypted volume (/dev/sdg) to the new, unencrypted volume (/dev/sdp).
# dd if=/dev/sdg of=/dev/sdp bs=4096 status=progress
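Because dd overwrites the whole target device without asking, it is worth checking the source and destination before starting. The function below is an added example, not part of the original post: it parses `lsblk -b -n -l -o NAME,SIZE,MOUNTPOINT` output (sizes in bytes, plain list, no header) and refuses the copy when a device is missing, the two names are the same, the destination is smaller than the source, or either device (or one of its partitions) is mounted. The sample lsblk table and the xvdf/xvdg device names are constructed to mirror the volumes listed earlier.

```shell
#!/bin/sh
# Added example: pre-flight check before `dd` on the rescue instance.

# Constructed sample, matching the earlier lsblk listing:
# xvda = rescue root (mounted at /), xvdf = encrypted source (40G),
# xvdg = new unencrypted target (50G). Sizes are in bytes (lsblk -b).
SAMPLE_LSBLK='xvda 21474836480
xvda1 21474836480 /
xvdf 42949672960
xvdf1 42949672960
xvdg 53687091200'

# usage: check_dd_targets SRC DST LSBLK_OUTPUT
# Returns 0 when the copy is safe to start, 1 otherwise (reason on stderr).
check_dd_targets() {
  src=$1; dst=$2; table=$3
  [ "$src" != "$dst" ] || { echo "source and destination are the same device" >&2; return 1; }
  src_size=$(printf '%s\n' "$table" | awk -v d="$src" '$1==d {print $2}')
  dst_size=$(printf '%s\n' "$table" | awk -v d="$dst" '$1==d {print $2}')
  [ -n "$src_size" ] || { echo "source $src not found in lsblk output" >&2; return 1; }
  [ -n "$dst_size" ] || { echo "destination $dst not found in lsblk output" >&2; return 1; }
  # Neither device nor any of its partitions (name prefix match) may be mounted;
  # this catches picking the rescue instance's own root volume by mistake.
  mounted=$(printf '%s\n' "$table" | awk -v s="$src" -v d="$dst" \
      'index($1,s)==1 || index($1,d)==1 { if ($3 != "") print $1 }')
  [ -z "$mounted" ] || { echo "device(s) in use: $mounted" >&2; return 1; }
  # dd truncates silently if the target is too small, so require dst >= src.
  [ "$dst_size" -ge "$src_size" ] || { echo "destination smaller than source" >&2; return 1; }
  return 0
}

# On the rescue instance, as root, gate the real copy on the check (shown only):
#   check_dd_targets xvdf xvdg "$(lsblk -b -n -l -o NAME,SIZE,MOUNTPOINT)" \
#     && dd if=/dev/xvdf of=/dev/xvdg bs=4096 status=progress
```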
Once the copy completes, we will detach the new, unencrypted volume (/dev/sdp) from the temporary Linux instance. Then, attach the volume to the original instance as /dev/xvda or /dev/sda1.
Note: This is also a good time to create a snapshot of the new unencrypted volume, so you have a backup and won't need to go through another copy process using dd.