I used Amazon Elastic File System (Amazon EFS) to create a file system without encryption at rest. Now, I want to turn on encryption.
Short description
After you create a file system in Amazon EFS, you can't change its encryption setting. This means you can't modify an unencrypted file system to make it encrypted. Instead, use Amazon EFS replication to copy your data into a new, encrypted EFS file system.
Resolution
Replicate your Amazon EFS file system
Use the Amazon EFS console, the API, or the AWS CLI to replicate your file system. To do this, follow the instructions in Creating a replication configuration. This process replicates the data and metadata on your source file system to a new destination file system.
When you configure the replication, make sure that you turn on encryption.
Note: When you use EFS replication to create a new file system, you must manually turn on encryption at rest. In the replication configuration, you must specify an AWS Key Management Service (AWS KMS) key for the encryption setting. By default, Amazon EFS uses your AWS KMS EFS service key (aws/elasticfilesystem). For more information, see Creating a file system by using the AWS CLI.
After you create your replication configuration, Amazon EFS performs the initial data and metadata sync. The amount of time that the initial sync takes to finish depends on the size of the source file system. After the initial sync completes, the replication process continues to keep the destination file system in sync with the source.
Fail over to the destination EFS file system
When the replication process is complete, fail over to your encrypted destination file system.
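The replication and pre-failover steps above, as an added AWS CLI example that is not part of the original article. The function names are hypothetical, the file system IDs, Region, and KMS key are supplied by the caller, and treating a populated `LastReplicatedTimestamp` as proof that at least one sync has completed is this example's assumption.

```shell
#!/bin/sh
# Added example, not from the AWS article. Function names are hypothetical;
# file system IDs, Region and KMS key are supplied by the caller.

# Replicate an unencrypted source into a new destination file system that is
# encrypted with the given KMS key (key ID, ARN or alias).
start_encrypted_replication() {
    src_fs=$1 dest_region=$2 kms_key=$3
    aws efs create-replication-configuration \
        --source-file-system-id "$src_fs" \
        --destinations "Region=$dest_region,KmsKeyId=$kms_key"
}

# Gate to run before failover. Returns 0 only when replication is ENABLED, at
# least one sync has completed, and the destination reports Encrypted = True.
ready_for_failover() {
    src_fs=$1 dest_region=$2
    repl=$(aws efs describe-replication-configurations \
        --file-system-id "$src_fs" --output text \
        --query 'Replications[0].Destinations[0].[FileSystemId,Status,LastReplicatedTimestamp]') || return 2
    read -r dest_fs status last_sync <<EOF
$repl
EOF
    if [ "$status" != "ENABLED" ]; then
        echo "replication status is ${status:-unknown}" >&2; return 1
    fi
    case $last_sync in
        ""|None) echo "no completed sync recorded yet" >&2; return 1 ;;
    esac
    enc=$(aws efs describe-file-systems --region "$dest_region" \
        --file-system-id "$dest_fs" --output text \
        --query 'FileSystems[0].[Encrypted,KmsKeyId]') || return 2
    read -r encrypted dest_key <<EOF
$enc
EOF
    if [ "$encrypted" != "True" ]; then
        echo "$dest_fs is not encrypted at rest" >&2; return 1
    fi
    printf '%s encrypted with %s\n' "$dest_fs" "$dest_key"
}

# Usage: sh efs-encrypt.sh check <source-fs-id> <destination-region>
if [ "${1:-}" = "check" ]; then
    ready_for_failover "$2" "$3"
fi
```

A non-zero exit from `ready_for_failover` means clients should stay on the source file system: either the sync has not completed or the destination does not report encryption at rest.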
Related information
Encrypting data at rest
Data encryption in Amazon EFS