
Creating an Ubuntu OpsWorks AMI with an encrypted volume

Amazon says that drive encryption in OpsWorks is on the roadmap. In the meantime they suggest creating a drive in EC2, adding it to resources, then mapping it to an instance.

For my automation, I much prefer to have an AMI with an encrypted volume attached:

1. created instance in OpsWorks, no application recipes
2. cleaned out OpsWorks data from instance (see http://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html)
3. created encrypted volume, mounted it elsewhere, created ext3 filesystem
4. added mount command to /etc/rc.local (mount /dev/xvdh /storage/)
5. shut down OpsWorks instance via OpsWorks
6. created snapshot of 100 GB volume
7. attached volume to instance and specified snapshot (snap-6ed57648)
8. created AMI “encrypted-disks-ubu1204-4”
9. created new instance in scout layer and another new instance in a blank layer, both using new AMI
10. verified applicable volumes are encrypted
11. started instance in OpsWorks

Note: don’t forget, you can’t share encrypted volumes with other accounts; the encryption key is only accessible from your account.
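
Step 10 can be scripted. The following is an added example, not part of the original post: it reads JSON in the shape returned by `aws ec2 describe-volumes` and reports, per instance, whether the volume that ends up at /dev/xvdh is encrypted. The volume and instance ids are constructed, and the sd-to-xvd device mapping is an assumption about the Xen-based Ubuntu 12.04 instances used here.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
# Volume and instance ids are made up; snap-6ed57648 is the snapshot from step 7.
SAMPLE = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0aaa0001", "Encrypted": false, "Size": 8, "SnapshotId": "snap-00000001",
   "Attachments": [{"InstanceId": "i-0aaa1111", "Device": "/dev/sda1", "State": "attached"}]},
  {"VolumeId": "vol-0aaa0002", "Encrypted": true, "Size": 100, "SnapshotId": "snap-6ed57648",
   "Attachments": [{"InstanceId": "i-0aaa1111", "Device": "/dev/sdh", "State": "attached"}]},
  {"VolumeId": "vol-0bbb0001", "Encrypted": false, "Size": 8, "SnapshotId": "snap-00000001",
   "Attachments": [{"InstanceId": "i-0bbb2222", "Device": "/dev/sda1", "State": "attached"}]},
  {"VolumeId": "vol-0bbb0002", "Encrypted": false, "Size": 100, "SnapshotId": "snap-00000002",
   "Attachments": [{"InstanceId": "i-0bbb2222", "Device": "/dev/sdh", "State": "attached"}]},
  {"VolumeId": "vol-0ccc0001", "Encrypted": false, "Size": 8, "SnapshotId": "snap-00000001",
   "Attachments": [{"InstanceId": "i-0ccc3333", "Device": "/dev/sda1", "State": "attached"}]}
]}
""")

def kernel_name(api_device):
    """Map the API device name (/dev/sdh) to the name Xen guests usually
    show (/dev/xvdh), so it can be compared with the rc.local mount (assumption)."""
    short = api_device.rsplit("/", 1)[-1]
    return "/dev/xvd" + short[2:] if short.startswith("sd") else "/dev/" + short

def check_instances(described, instance_ids, data_device="/dev/xvdh"):
    """Return {instance_id: status} for the data volume expected on each instance."""
    # Start from MISSING so an instance launched without the volume is reported too.
    status = {i: "MISSING" for i in instance_ids}
    for vol in described["Volumes"]:
        for att in vol.get("Attachments", []):
            iid = att["InstanceId"]
            if iid not in status or att.get("State") != "attached":
                continue
            if kernel_name(att["Device"]) != data_device:
                continue  # root or other volume, not the one rc.local mounts
            status[iid] = "ENCRYPTED" if vol.get("Encrypted") else "UNENCRYPTED"
    return status

if __name__ == "__main__":
    wanted = ["i-0aaa1111", "i-0bbb2222", "i-0ccc3333"]
    for iid, state in check_instances(SAMPLE, wanted).items():
        print(iid, state)
```

To run it against real instances, replace `SAMPLE` with the parsed output of `aws ec2 describe-volumes` and pass the ids of the instances launched from the new AMI.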
