I want to share a snapshot that has been encrypted using a default CMK with another account. How do I share a snapshot with another account if it has been encrypted using a default CMK?

You can share only unencrypted snapshots or snapshots that are encrypted using a custom (customer managed) CMK. A snapshot encrypted with the default AWS managed CMK cannot be shared, because the key policy of an AWS managed CMK cannot be changed to grant another account access to that key. The workaround below produces an unencrypted clone of the data that can be shared.

Here is a summary of the necessary steps:

1.    Restore the encrypted snapshot as an encrypted volume.

2.    Attach the volume to a temporary EC2 Linux instance.

3.    Use the Linux ‘dd’ utility to copy the data block for block from your encrypted volume to a newly created, unencrypted volume of at least the same size.

4.    Create a snapshot from the unencrypted volume, and share it with the account of your choosing.

Here are the detailed steps:

Naming conventions:

i-cmk = The original instance whose volumes are encrypted using the default KMS CMK.

vol-cmk = The encrypted root volume of the original encrypted instance i-cmk.

i-temp = The temporary “worker instance” to perform the dd operations.

vol-new = New, unencrypted, blank volume, at least as large as vol-cmk (identical size is simplest), and in the same Availability Zone as vol-cmk. This volume receives the data from vol-cmk and is then used to create an unencrypted snapshot that is shareable with another account.

Detailed steps:

1.    Stop the encrypted instance i-cmk using either the AWS Command Line Interface (CLI) or the AWS Management Console.

2.    Create a snapshot of vol-cmk and/or create an AMI of i-cmk. Snapshots and AMIs provide a backup of your resources before you perform any major task; the dd step below writes to a raw block device and a mistake in the device names is not recoverable without one.

3.    Take note of the i-cmk root device name in the AWS console (/dev/xvda, /dev/sda1, etc., depending upon the Linux distribution).

4.    Launch a new temporary worker EC2 Linux instance (i-temp) of the same type and in the same Availability Zone as i-cmk.

5.    Detach the encrypted root volume vol-cmk from instance i-cmk.

6.    Attach vol-cmk to your temporary worker instance i-temp as /dev/xvdf.

7.    Create a new, unencrypted volume (vol-new) in the same Availability Zone, at least as large as vol-cmk, and attach it to the temporary worker instance i-temp as /dev/xvdg.

8.    Connect to i-temp and confirm the presence of the root device and both attached volumes using lsblk. Verify that xvdf shows the partition layout you expect from vol-cmk and that xvdg is the blank volume (no partitions) before you run dd; the device names in the console and the names the kernel assigns can differ, and dd does not ask for confirmation:

$ lsblk
NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
xvda    202:0    0   8G  0 disk 
└─xvda1 202:1    0   8G  0 part /
xvdf    202:80   0   5G  0 disk 
└─xvdf1 202:81   0   5G  0 part 
xvdg    202:96   0   5G  0 disk

9.    As root (or with sudo), dd the data from the encrypted original volume vol-cmk (input file is /dev/xvdf) to the unencrypted new volume vol-new (output file is /dev/xvdg). Neither volume should be mounted while the copy runs:

# dd if=/dev/xvdf of=/dev/xvdg bs=4096 

Notes regarding dd:

  • If you don't specify a block size, dd uses 512-byte blocks and issues one read and one write system call per block, which makes the transfer slow. bs=4096 (or larger, for example bs=1M) reduces the system call overhead; throughput gains flatten out beyond a few MiB. The block size does not change what gets copied.
  • dd clones the whole device, including the MBR, bootloader, partition table, filesystem UUIDs, and data. Therefore, you do not need to partition the destination EBS volume before performing the copy, and the destination must be at least as large as the source or the copy will be truncated.
  • Because dd copies every block, it also copies unallocated space, which can still hold remnants of deleted files. Everything ever written to vol-cmk ends up on the unencrypted volume, not only the files currently present on the filesystem.
  • The clone has the same filesystem UUIDs as the original. Do not mount both volumes on the same instance at the same time, and expect the original instance to pick up the clone as its root volume by UUID once it is attached under the original root device name.

10.    Wait for the process to complete. Larger volumes take longer than smaller volumes, and slower instances take longer than faster instances. Before detaching, run sync as root so that any remaining buffered writes reach the volume.

11.    Detach /dev/xvdg (vol-new) from temporary copy instance i-temp and attach it to the original instance i-cmk using the identical root device name noted in step 3.

12.    Start i-cmk and connect to it to confirm that it boots properly from the new unencrypted (copied) root volume.

13.    Select i-cmk in the EC2 console and view the volume's properties to confirm that the root volume is now unencrypted. If the instance does not see the partitions on the cloned volume, run the partprobe command as root on the instance to register the partition table with the kernel (a reboot or a stop/start accomplishes the same thing).

14.    Repeat the process for any other encrypted volumes on instance i-cmk to create "cloned" volumes that are unencrypted.

15.    Terminate your temporary worker instance after you have confirmed that the newly created unencrypted volumes are working properly.

You now have a "cloned" instance with unencrypted volumes that you can use to create snapshots (or create an AMI) and share. Keep in mind that an unencrypted snapshot is readable by the receiving account without any KMS authorization, and that the unencrypted volumes and snapshots remain in your account as well; delete them once they are no longer needed, and restore the encrypted backup from step 2 if the original instance should stay encrypted. If the data must remain encrypted end to end, the alternative named at the top of this answer (a snapshot encrypted with a custom CMK that the other account is permitted to use) avoids producing an unencrypted copy at all.



Published: 2017-06-05