How do I turn on encryption at rest for an existing Amazon EFS file system?

2 minute read

I used Amazon Elastic File System (Amazon EFS) to create a file system without encryption at rest. Now, I want to turn on encryption.

Short description

After you create a file system in Amazon EFS, you can't change its encryption setting. This means you can't modify an unencrypted file system to make it encrypted. Instead, use Amazon EFS replication to copy your data into a new, encrypted EFS file system.

Resolution

Replicate your Amazon EFS file system

Use the Amazon EFS console, the API, or the AWS CLI to replicate your file system. To do this, follow the instructions in Creating a replication configuration. This process replicates the data and metadata on your source file system to a new destination file system.

When you configure the replication, make sure that you turn on encryption.

Note: When you use EFS replication to create a new file system, you must manually turn on encryption at rest. In the replication configuration, you must specify an AWS Key Management Service (AWS KMS) key for the encryption setting. By default, Amazon EFS uses your AWS KMS EFS service key (aws/elasticfilesystem). For more information, see Creating a file system by using the AWS CLI.

After you create your replication configuration, Amazon EFS performs the initial data and metadata sync. The amount of time that the initial sync takes to finish depends on the size of the source file system. After the initial sync completes, the replication process continues to keep the destination file system in sync with the source.

Fail over to the destination EFS file system

When the replication process is complete, fail over to your encrypted destination file system.

Related information

Encrypting data at rest

Data encryption in Amazon EFS

Topics

Storage

Tags

Amazon Elastic File System

Language

English

AWS OFFICIALUpdated 9 months ago

2 Comments

As per the AWS EKS documentation and the steps to create EFS Replication Configuration , there is no way to provide an existing EFS file system as the destination file system. EFS Replication Configuration always creates a new EFS file system.

However, this post suggests to create a new encrypted EFS file system and mark it as destination file system during EFS replication. This does not seem to be a possible scenario. Or am I missing something here ?

rePost-User-4276832

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

MODERATOR

AWS Official

replied 10 months ago

Relevant content

EFS Mount File System as Subdirectory
Accepted Answer
Julian
asked 7 days ago
Is it possible to use an encrypted file system with CodeBuild?
ScottWellsSirono
asked 5 years ago
Using Amazon Elastic File System (EFS) with MacBook Pro for cloud drive..
JohnathanSmith
asked a year ago
Mounting EBS or EFS as File System in on Premise Instances
della
asked a year ago
Can you encrypt an existing unencrypted Amazon Redshift snapshot?
Accepted Answer
FreddyKasprzykowski
asked 4 years ago
How do I mount an encrypted Amazon EFS file system to a pod in Amazon EKS?
AWS OFFICIALUpdated 3 months ago
How can I back up and restore my Amazon EFS file system?
AWS OFFICIALUpdated 2 years ago
Why is my Amazon EFS file system read-only?
AWS OFFICIALUpdated 3 years ago
How do I mount an Amazon EFS file system on an Amazon ECS container or task running on Fargate?
AWS OFFICIALUpdated 3 years ago
Demystifying EFS-Claim not bound on AWS Fargate with Amazon EKS
EXPERT
Shubham Sharan
published 7 months ago