Upstart

Thoughts on building software and startups.

Add Encryption to an Unencrypted RDS DB Instance

When using encryption to protect data for our cloud workloads, we have two primary scenarios to consider. Either the data is being transmitted to another recipient ("in transit"), or the data is stored ("at rest"). The protocols and algorithms used to encrypt the data will depend on which of these situations applies.

For example, consider a microservice that exposes a RESTful API for accessing data stored in a relational database. To protect the data while in transit, we use Transport Layer Security (TLS) for the API calls between clients and the microservice. But what about protecting the data when it is stored by the database?

With Amazon Relational Database Service (RDS), you can encrypt your data at rest by literally "checking a box". By enabling the encryption option for the database instance, RDS handles decryption of the data transparently, with minimal impact on performance.

However, you can only enable encryption when you create the database instance. Another limitation is that you cannot restore an unencrypted backup or snapshot to an encrypted database instance. What if you have an existing RDS instance that was created without the encryption option enabled? How can you update your database to have encryption at rest?

Luckily, there is an easy workaround to accomplish this. We can take advantage of the RDS feature that allows you to add encryption when making a copy of a snapshot.

To add encryption to an unencrypted RDS instance, perform the following 3 steps.

Step 1: Take a snapshot of the existing unencrypted database instance.

From the RDS Console, navigate to the database instance, and then choose "Actions->Take snapshot".

Step 2: Create a copy of the snapshot, enabling the encryption option.

Navigate to the list of snapshots, select the snapshot you just created, then choose "Actions->Copy snapshot". In the Encryption section, choose "Enable encryption" and then select the master key to be used. You can use either the default encryption key for Amazon RDS for your AWS account or you can opt for a specific KMS customer master key (CMK).

Step 3: Restore the encrypted snapshot to a new database instance.

From the list of snapshots, select the new encrypted snapshot, then choose "Actions->Restore Snapshot". Specify the details for the new instance, then click the "Restore DB Instance" button.
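The same three steps can be scripted against the RDS API. The following is an added example, not code from the original post: it assumes a boto3 RDS client is passed in as `rds`, the snapshot names it derives are constructed, and it checks that both the snapshot copy and the restored instance report encryption before returning the new endpoint.

```python
"""Added example: the three console steps above, scripted against the RDS API."""

DEFAULT_RDS_KEY = "alias/aws/rds"  # AWS-managed default key for RDS in the account


def encrypt_via_snapshot_copy(rds, source_id, target_id, kms_key_id=DEFAULT_RDS_KEY):
    """Restore an encrypted copy of `source_id` as `target_id`; return its endpoint.

    `rds` is a boto3 RDS client, e.g. boto3.client("rds"). The snapshot
    identifiers derived below are constructed names, not AWS conventions.
    """
    source = rds.describe_db_instances(DBInstanceIdentifier=source_id)["DBInstances"][0]
    if source["StorageEncrypted"]:
        raise ValueError(f"{source_id} is already encrypted at rest")

    plain_snap = f"{source_id}-unencrypted"
    enc_snap = f"{source_id}-encrypted"
    snap_ready = rds.get_waiter("db_snapshot_available")

    # Step 1: snapshot the existing unencrypted instance.
    rds.create_db_snapshot(DBInstanceIdentifier=source_id, DBSnapshotIdentifier=plain_snap)
    snap_ready.wait(DBSnapshotIdentifier=plain_snap)

    # Step 2: copy the snapshot; supplying a KMS key is what encrypts the copy.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap,
                         TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id)
    snap_ready.wait(DBSnapshotIdentifier=enc_snap)
    copy = rds.describe_db_snapshots(DBSnapshotIdentifier=enc_snap)["DBSnapshots"][0]
    if not copy["Encrypted"]:
        raise RuntimeError(f"snapshot copy {enc_snap} is not encrypted; aborting")

    # Step 3: restore the encrypted snapshot to a new instance.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=target_id,
                                             DBSnapshotIdentifier=enc_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=target_id)

    # Verify before pointing the microservice at the new endpoint.
    target = rds.describe_db_instances(DBInstanceIdentifier=target_id)["DBInstances"][0]
    if not target["StorageEncrypted"]:
        raise RuntimeError(f"{target_id} came up without storage encryption")
    return target["Endpoint"]["Address"]
```

The restore call here passes only the two identifiers; settings such as instance class, subnet group and security groups are supplied as further arguments to that call, as they are in the console form. Writes made to the original instance after the step 1 snapshot are not part of the restored copy.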

After the new database instance is available, you can then update your microservice to use the new RDS endpoint and then delete the original RDS instance.

Voilà! Your microservice's data is now encrypted both in transit and at rest.

Entrepreneur, technologist and startup junkie. Founded two companies, one with $24M in VC, the other bootstrapped with an SBA loan. Now building startup #3, looking to shake up the podcasting industry.
