
ec2cryptomatic's People

Contributors

cobaltjacket, dshah22, jbrt, yumminhuang


ec2cryptomatic's Issues

Support for EBS Volume key migration

When you attempt to run against an already encrypted EBS volume, the current output is "This volume is already encrypted nothing to do with this one".
From Amazon's documentation it looks like the process to migrate/swap keys is fairly similar to the approach for converting unencrypted volumes.

Need Start-Instance permission

The current JSON on your README page for the IAM role policy doesn't list the "ec2:StartInstances" action, so it errors out on the final step.

botocore.exceptions.WaiterError: Waiter SnapshotCompleted failed: Max attempts exceeded

How can we increase the max attempts? We are snapshotting a large volume (1 TB) and it fails with:

Traceback (most recent call last):
  File "ec2cryptomatic.py", line 251, in <module>
    main(parse_arguments())
  File "ec2cryptomatic.py", line 222, in main
    key=args.key).start_encryption(args.discard_source)
  File "ec2cryptomatic.py", line 180, in start_encryption
    self._snapshot = self._take_snapshot(device=device)
  File "ec2cryptomatic.py", line 146, in _take_snapshot
    self._wait_snapshot.wait(SnapshotIds=[snapshot.id])
  File "/usr/local/lib/python3.6/dist-packages/botocore/waiter.py", line 53, in wait
    Waiter.wait(self, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/botocore/waiter.py", line 329, in wait
    last_response=response
botocore.exceptions.WaiterError: Waiter SnapshotCompleted failed: Max attempts exceeded
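A size-aware waiter timeout, as an added example that is neither project code nor part of this report. It assumes the default botocore SnapshotCompleted waiter settings (15 s delay, 40 attempts) and uses a constructed throughput figure only as a safety bound; ec2_client is assumed to be a boto3 EC2 client.

```python
import math

# botocore's built-in SnapshotCompleted waiter polls DescribeSnapshots every
# 15 s for at most 40 attempts, i.e. it gives up after 10 minutes regardless
# of volume size, which is what the traceback above shows for a 1 TB volume.
DEFAULT_DELAY_SECONDS = 15
DEFAULT_MAX_ATTEMPTS = 40


def snapshot_waiter_config(volume_size_gib, gib_per_minute=4, delay=DEFAULT_DELAY_SECONDS):
    """Return a boto3 WaiterConfig whose timeout scales with the volume size.

    gib_per_minute is a deliberately pessimistic, constructed throughput used
    only to bound the wait; the waiter still returns as soon as the snapshot
    reports 'completed', so overestimating costs nothing but keeps a ceiling.
    """
    expected_seconds = (volume_size_gib / gib_per_minute) * 60
    attempts = math.ceil(expected_seconds * 2 / delay)  # 2x safety margin
    return {"Delay": delay, "MaxAttempts": max(attempts, DEFAULT_MAX_ATTEMPTS)}


def wait_for_snapshot(ec2_client, snapshot_id, volume_size_gib):
    """Block until snapshot_id is completed, using the size-aware timeout.

    ec2_client is assumed to be a boto3 EC2 client, e.g.
    boto3.client('ec2', region_name='us-east-1'). WaiterConfig overrides the
    waiter's built-in Delay/MaxAttempts for this call only.
    """
    waiter = ec2_client.get_waiter("snapshot_completed")
    waiter.wait(SnapshotIds=[snapshot_id],
                WaiterConfig=snapshot_waiter_config(volume_size_gib))
```

For the 1 TB volume in this report the config allows 2048 polls of 15 s (about 8.5 hours) instead of 40.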

Docker image fails with cert issue. ca-certificates need updating

docker run ec2cryptomatic run -r us-east-1 -i i-XXXXXXXXXXXX
-=[ EC2Cryptomatic ]=-
2020/11/24 17:31:15 Error with this key: RequestError: send request failed
caused by: Post "https://kms.us-east-1.amazonaws.com/": x509: certificate signed by unknown authority

I was able to make it work now by updating certs in the Dockerfile:

FROM golang:1.14.3-alpine3.11 AS builder
WORKDIR /go/src/github.com/jbrt/ec2cryptomatic
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o ec2cryptomatic .
# added: install the CA bundle in the builder stage so it can be copied below
RUN apk add -U --no-cache ca-certificates

FROM scratch
LABEL maintainer="[email protected]"
WORKDIR /app/
COPY --from=builder /go/src/github.com/jbrt/ec2cryptomatic/ec2cryptomatic .
# added: copy the CA bundle from the builder stage (not from an unpinned
# external image) so TLS connections to KMS/EC2 can be verified
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
ENTRYPOINT ["./ec2cryptomatic"]
CMD ["--help"]

Not working please help

[ec2-user@ip-172-31-35-171 ec2cryptomatic]$ ./ec2cryptomatic.py -r us-east-1 --instances i-069c975b3afc40900
Problem with the instance (An error occurred (InvalidInstanceID.NotFound) when calling the DescribeInstances operation: The instance ID 'i-069c975b3afc40900' does not exist)

I have given full permission to the instance.

io1

How do we add IOPS? I am getting an error for io1 volume types.

kms:DescribeKey

2021/10/19 12:56:32 Error with this key: AccessDeniedException: User: arn:aws:iam::3915824****:user/EC2Cryptomatic is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:us-west-2:3915824****:key/*****-048e-4be0-b497-ca151cd223c5 because no resource-based policy allows the kms:DescribeKey action.

To fix it, I modified the policy to include kms:DescribeKey:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1504425390448",
            "Action": [
                "ec2:AttachVolume",
                "ec2:CopyImage",
                "ec2:CopySnapshot",
                "ec2:CreateSnapshot",
                "ec2:CreateVolume",
                "ec2:CreateTags",
                "ec2:DeleteSnapshot",
                "ec2:DeleteVolume",
                "ec2:DescribeInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:DetachVolume",
                "ec2:ModifyInstanceAttribute",
                "kms:DescribeKey",
                "ec2:StartInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```
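An added example (not project code) that serves both this report and the earlier "Need Start-Instance permission" one: a checker that lists which of the actions the tool needs an identity policy fails to grant, honouring IAM's case-insensitive wildcard matching and explicit Deny. REQUIRED_ACTIONS and SAMPLE_POLICY are constructed from the policy in this thread; Resource and Condition are deliberately not evaluated.

```python
import fnmatch
import json

# Actions the ec2cryptomatic policy in this thread grants, plus the two the
# reports above say were missing (ec2:StartInstances, kms:DescribeKey).
REQUIRED_ACTIONS = {
    "ec2:AttachVolume", "ec2:CopyImage", "ec2:CopySnapshot", "ec2:CreateSnapshot",
    "ec2:CreateVolume", "ec2:CreateTags", "ec2:DeleteSnapshot", "ec2:DeleteVolume",
    "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumes",
    "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", "ec2:StartInstances",
    "kms:DescribeKey",
}


def _as_list(value):
    """IAM accepts a single string or a list in Statement and Action fields."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches(pattern, action):
    """IAM action names match case-insensitively and allow '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy_json, required=frozenset(REQUIRED_ACTIONS)):
    """Return the required actions (sorted) that the policy does not grant.

    Only Effect/Action are evaluated, so an empty result is necessary but not
    sufficient: Resource ARNs and Condition blocks can still block a call.
    """
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect, patterns = stmt.get("Effect"), _as_list(stmt.get("Action"))
        for action in required:
            if effect in ("Allow", "Deny") and any(_matches(p, action) for p in patterns):
                (allowed if effect == "Allow" else denied).add(action)
    # An explicit Deny overrides any Allow in IAM policy evaluation.
    return sorted(required - (allowed - denied))


# Constructed sample: the policy shape shown in this thread, without the two
# actions the reports say were missing.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:AttachVolume", "ec2:CopyImage", "ec2:CopySnapshot", "ec2:CreateSnapshot",
        "ec2:CreateVolume", "ec2:CreateTags", "ec2:DeleteSnapshot", "ec2:DeleteVolume",
        "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumes",
        "ec2:DetachVolume", "ec2:ModifyInstanceAttribute"]}],
})
```

Run it against the policy document attached to the tool's IAM user before the first run; a result of [] from this check is a prerequisite, not a guarantee, since key policies on the KMS key also have to allow kms:DescribeKey.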

Skip AWS reserved tags

I believe it would be a good idea to skip AWS reserved tags:

aws:cloudformation:logical-id
aws:cloudformation:stack-id
aws:cloudformation:stack-name

The program fails to copy those tags:

- Let's encrypt volume vol-0x62617a696e6761
-- Take a snapshot for volume vol-0x62617a696e6761
-- Creating an encrypted volume from snap-0x776861742773207570
Problem with the instance (An error occurred (InvalidParameterValue) when calling the CreateTags operation: Value ( aws:cloudformation:stack-name ) for parameter key is invalid. Tag keys starting with 'aws:' are reserved for internal use)

No Error / Exit on incorrect KMS key alias

If you enter a nonexistent/incorrect KMS key alias, the application starts and the snapshot is created, but as the key doesn't exist the encryption fails, and for some reason this leads to the application stalling and never exiting.
