DEV Community

Encrypted EBS Volumes with KMS key, sharing with other AWS accounts

Background
I needed to unencrypt an Amazon Elastic Block Store (Amazon EBS) volume that was encrypted using a default AWS Key Management Service (KMS) key aws/ebs or a custom KMS key.

Use Case
I copied an encrypted ebs volume to a new, unencrypted ebs volume using a temporary/rescue linux EC2 instance, located in the same account as the KMS key used to encrypt the data. I then took snapshots and grants the other AWS account access to them using their AWS account ID.

Architecture
A single AWS Account, not using AWS organizations

Lets Build

  • This first step is super important, before you do anything, create a snapshot of the encrypted volume, this will create a backup just in the event you make a mistake or have some unplanned data loss or corruption.

  • Open the Amazon EC2 console.

  • Stop the instance with the encrypted root volume, take a note of where the instance is launched such as US-WEST-2

  • Actions, Detach Volume, and then choose Yes, Detach

  • We will Launch a new temporary linux, I prefer to use an AWS Linux AMI instance in the same Availability Zone as the original instance we stopped above.

  • Once are new temp instance launches, choose Volumes from the navigation pane, and then select the detached, encrypted root volume.

  • Choose Actions, Attach Volume, we need to attach the encrypted volume at either /dev/xvdf or /dev/sdg.

  • Next, we will create a new, unencrypted volume in the same Availability Zone as the encrypted volume, in my case its US-WEST-1. I like to make these new, encrypted volumes a little bigger than the original encrypted volumes, such as 100GB larger for example.

  • We will attach the new, unencrypted volume to the new temp linux instance as /dev/xvdg or /dev/sdg for example.

  • At this point, the new, temp linux instance should have three ebs volumes, the root aws instance ebs volume, the encrypted ebs volume using KMS, and the new encrypted ebs volume we will copy data to using dd.

  • Connect to the new temp linux EC2 instance using SSH or AWS System Manager, session manager which is always my preference.

  • Once we are connected, we will issue the command below to confirm we have the volumes attached correctly.

$lsblk
NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
Enter fullscreen mode Exit fullscreen mode
$lsblk
NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
xvda    202:0    0   20G  0 disk 
└─xvda1 202:1    0   20G  0 part /
xvdf    202:80   0   40G  0 disk 
└─xvdf1 202:81   0   40G  0 part 
xvdg    202:96   0   50G  0 disk

Enter fullscreen mode Exit fullscreen mode

Note: If you are only seeing a disk and not a partition, we will need to create one.

Creating Disk Partitions with Parted in Linux

  • Make sure its installed by running sudo parted and ready to roll if not, see below. To exit, invoke the command quit.
$ sudo yum install -y parted
Or
$ sudo dnf install -y parted

Enter fullscreen mode Exit fullscreen mode

List Existing Disk Partitions

$ sudo parted -l

Enter fullscreen mode Exit fullscreen mode

To create a separate partition, First, select the target disk

$ sudo parted /dev/sdp
Enter fullscreen mode Exit fullscreen mode

or

(parted) select /dev/sdp

Enter fullscreen mode Exit fullscreen mode

Next, we create a partition table using the mklabel command

(parted) mklabel gpt

Enter fullscreen mode Exit fullscreen mode

Note: You’ll get a warning that the existing disk label will be destroyed and all the data deleted. Just type ‘Yes’ and hit ENTER.

Creat Partition

(parted) mkpart

Enter fullscreen mode Exit fullscreen mode

Next, select your preferred partition type, we selected primary.

You will be prompted to provide a filesystem type we decided to go with ext4.

We will create a partition size of 50GB.

For the start value, select 1. For the end value, we will type in 50000 to represent 50000MB which is the equivalent of 50GB.

Format new partition

$ sudo mkfs.ext4 /dev/sdp
Enter fullscreen mode Exit fullscreen mode

Copying Process

As the root user, we will use the dd command to move the data from the original, encrypted volume /dev/sdg) to the new, unencrypted volume /dev/sdp).

#dd if=/dev/sdg of=/dev/sdp bs=4096 status=progress

Enter fullscreen mode Exit fullscreen mode

Once the copy completes, we will detach the new, unencrypted volume (/dev/sdp) from the temp linux instance. Then, attach the volume to the original instance as /dev/xvda or /dev/sda1

Note: It's also a good time to create a snapshot of the new encrypted volume so you have a backup and wont need to go through another copy process using dd.

Discussion (0)