Skip to content

Creating a ubuntu Opsworks AMI with an encrypted volume

Amazon says that drive encryption in Opsworks is on the roadmap. In the meantime they suggest creating a drive in EC2, adding it to resources, then mapping it to an instance.

For my automation, I much prefer to have an AMI with an encrypted volume attached:

1. created instance in opsworks, no application recipes
2. cleaned out opsworks data from instance
3. created encrypted volume, mounted it elsewhere, created ext3 filesystem
4. added mount command to /etc/rc.local (mount /dev/xvdh /storage/)
5. shutdown opsworks instance via opsworks
6. created snapshot of 100gb volume
7. attached volume to instance and specify snapshot (snap-6ed57648)
8. created ami “encrypted-disks-ubu1204-4”
9. created new instance in scout layer and another new instance in a blank layer, both using new AMI
10. verified applicable volumes are encrypted
11. started instance in opsworks

Note: don’t forget, you can’t share encrypted volumes with other accounts, the encryption key is only accessible from your account.

Post a Comment

You must be logged in to post a comment.