How do I turn on encryption at rest for an existing Amazon EFS file system?
Last updated: 2022-06-14
I created an Amazon EFS file system without encryption and now I want to turn on encryption of data at rest. How do I do that?
To encrypt an existing file system, do the following:
- Create a new Amazon EFS file system with encryption turned on.
- Copy the data from the existing file system into the new file system.
- Create a new Amazon EFS file system with encryption turned on. To copy the data from your existing EFS file system to a new EFS file system, you can use the EFS replication feature. The EFS replication process replicates the data and metadata on the source file system to a new destination EFS file system.
  After creating an EFS replication configuration, Amazon EFS performs the initial sync that copies all data and metadata on the source to the destination file system. The amount of time that the initial sync takes to finish depends on the size of the source file system. After the initial sync completes, the replication process continues to keep the destination file system in sync with the source.
- Fail over to the destination file system.
Note: Encryption at rest isn't turned on by default when creating a new file system using the AWS CLI, API, and SDKs. For more information, see Creating a file system using the AWS CLI.
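The two steps above as AWS CLI calls, with a gate that refuses to fail over until the destination reports encryption at rest and the initial sync has finished. This is an added example, not part of the original article: the function names are illustrative, and it assumes AWS CLI v2, a source and destination in the CLI's default Region, and that failover is done by deleting the replication configuration.

```bash
#!/usr/bin/env bash
# Added example. Assumes AWS CLI v2 with credentials configured and both file
# systems in the CLI's default Region. File system IDs and the KMS key are yours.

# Step 1: replicate the unencrypted source into a new destination file system.
# Prints the destination file system ID.
start_replication() {  # usage: start_replication SRC_FS_ID REGION [KMS_KEY_ID]
  dest="Region=$2"
  if [ -n "${3:-}" ]; then dest="$dest,KmsKeyId=$3"; fi
  aws efs create-replication-configuration \
    --source-file-system-id "$1" --destinations "$dest" \
    --query 'Destinations[0].FileSystemId' --output text
}

# Gate before step 2: succeed only if the destination is encrypted at rest
# and the initial sync has finished (a last-replicated timestamp exists).
ready_to_fail_over() {  # usage: ready_to_fail_over SRC_FS_ID DEST_FS_ID
  enc=$(aws efs describe-file-systems --file-system-id "$2" \
    --query 'FileSystems[0].Encrypted' --output text)
  repl=$(aws efs describe-replication-configurations --file-system-id "$1" \
    --query 'Replications[0].Destinations[0].[Status,LastReplicatedTimestamp]' \
    --output text)
  # Text output is "STATUS<tab>TIMESTAMP"; the timestamp is "None" until the
  # first sync ends.
  read -r status synced <<EOF
$repl
EOF
  case "$enc" in
    [Tt]rue) ;;
    *) echo "destination is not encrypted at rest" >&2; return 1 ;;
  esac
  [ "$status" = "ENABLED" ] || { echo "replication status: $status" >&2; return 1; }
  [ "$synced" != "None" ] || { echo "initial sync not finished" >&2; return 1; }
}

# Step 2: fail over. Deleting the replication configuration ends replication
# and makes the destination writable. Stop writes to the source first so that
# no late changes are left behind on the unencrypted file system.
fail_over() {  # usage: fail_over SRC_FS_ID DEST_FS_ID
  ready_to_fail_over "$1" "$2" || return 1
  aws efs delete-replication-configuration --source-file-system-id "$1"
}

# Allow direct use, e.g.: ./efs-encrypt.sh ready_to_fail_over SRC_FS_ID DEST_FS_ID
if [ "$#" -gt 0 ]; then "$@"; fi
```

After failover, remount clients on the destination file system and keep the source only until you have confirmed the copy is complete.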