jbrt / ec2cryptomatic
Encrypt EBS volumes from AWS EC2 instances
License: GNU General Public License v3.0
When you attempt to run it against an already encrypted EBS volume, the current output is "This volume is already encrypted nothing to do with this one".
From Amazon's documentation it looks like the process to migrate/swap keys is fairly similar to the approach for converting unencrypted volumes.
How can we increase the max attempts? We are snapshotting a large (1 TB) volume and it fails with:
```text
Traceback (most recent call last):
  File "ec2cryptomatic.py", line 251, in <module>
    main(parse_arguments())
  File "ec2cryptomatic.py", line 222, in main
    key=args.key).start_encryption(args.discard_source)
  File "ec2cryptomatic.py", line 180, in start_encryption
    self._snapshot = self._take_snapshot(device=device)
  File "ec2cryptomatic.py", line 146, in _take_snapshot
    self._wait_snapshot.wait(SnapshotIds=[snapshot.id])
  File "/usr/local/lib/python3.6/dist-packages/botocore/waiter.py", line 53, in wait
    Waiter.wait(self, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/botocore/waiter.py", line 329, in wait
    last_response=response
botocore.exceptions.WaiterError: Waiter SnapshotCompleted failed: Max attempts exceeded
```
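The failure above is the botocore SnapshotCompleted waiter giving up: its default budget is 40 attempts 15 s apart, i.e. 10 minutes, which a 1 TB first snapshot can easily exceed. The following is an added example, not ec2cryptomatic's own code: a bounded poll loop with the same contract as the botocore waiter, plus a helper that sizes a `WaiterConfig` from the volume size. `describe` is any callable returning the snapshot State string; `FakeSnapshot` and the throughput figure of 2 GiB/minute are constructed/assumed so the demo runs offline.

```python
"""Bounded polling for an EBS snapshot, with a sized attempt budget.

Added example, not ec2cryptomatic's own code. botocore's SnapshotCompleted
waiter defaults to 40 attempts 15 s apart, i.e. it gives up after 10 minutes,
which a 1 TB snapshot can easily exceed. `describe` is any callable that
returns the snapshot State string; FakeSnapshot below is constructed so the
demo runs offline.
"""
import time
from typing import Callable, Dict


class WaiterTimeout(Exception):
    """Raised when the snapshot is still not 'completed' after max_attempts polls."""


def wait_for_snapshot(describe: Callable[[str], str], snapshot_id: str,
                      delay: float = 15.0, max_attempts: int = 40,
                      sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll until the snapshot is 'completed'; return the number of polls used.

    Same contract as the botocore waiter: a fixed delay between polls and a
    hard attempt budget, so a hung snapshot cannot block the run forever.
    """
    for attempt in range(1, max_attempts + 1):
        state = describe(snapshot_id)
        if state == "completed":
            return attempt
        if state == "error":
            raise RuntimeError(f"snapshot {snapshot_id} entered the error state")
        if attempt < max_attempts:
            sleep(delay)
    raise WaiterTimeout(
        f"snapshot {snapshot_id} not completed after {max_attempts} attempts")


def snapshot_waiter_config(volume_gib: int, gib_per_minute: float = 2.0,
                           delay: int = 15, safety_factor: float = 2.0) -> Dict[str, int]:
    """Size a boto3 WaiterConfig from the volume size.

    gib_per_minute is an assumed snapshot throughput (the first snapshot of a
    volume is the slow one); measure it in your account and adjust. The
    result is never smaller than botocore's default of 40 attempts.
    """
    expected_minutes = volume_gib / gib_per_minute
    attempts = int(expected_minutes * 60 * safety_factor / delay) + 1
    return {"Delay": delay, "MaxAttempts": max(attempts, 40)}


class FakeSnapshot:
    """Constructed stand-in for describe_snapshots: 'pending' N-1 times, then 'completed'."""

    def __init__(self, polls_until_done: int):
        self.remaining = polls_until_done

    def describe(self, snapshot_id: str) -> str:
        self.remaining -= 1
        return "completed" if self.remaining <= 0 else "pending"


def no_sleep(seconds: float) -> None:
    """Replace time.sleep in the demo so it finishes instantly."""


def demo() -> Dict[str, object]:
    """Run the waiter against the fake with and without a sufficient budget."""
    polls = wait_for_snapshot(FakeSnapshot(3).describe, "snap-0123456789abcdef0",
                              sleep=no_sleep)
    try:
        wait_for_snapshot(FakeSnapshot(5).describe, "snap-0123456789abcdef0",
                          max_attempts=2, sleep=no_sleep)
        timed_out = False
    except WaiterTimeout:
        timed_out = True
    return {"polls": polls, "timed_out": timed_out,
            "config_1tib": snapshot_waiter_config(1024)}


if __name__ == "__main__":
    print(demo())
```

Against real boto3 the `describe` callable is `lambda sid: ec2.describe_snapshots(SnapshotIds=[sid])["Snapshots"][0]["State"]`; alternatively hand the dict straight to the built-in waiter, `ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[sid], WaiterConfig=snapshot_waiter_config(1024))`, which is the one-line fix for the traceback above.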
```text
$ docker run ec2cryptomatic run -r us-east-1 -i i-XXXXXXXXXXXX
-=[ EC2Cryptomatic ]=-
2020/11/24 17:31:15 Error with this key: RequestError: send request failed
caused by: Post "https://kms.us-east-1.amazonaws.com/": x509: certificate signed by unknown authority
```
I was able to make it work now by updating certs in the Dockerfile:
```dockerfile
FROM golang:1.14.3-alpine3.11 AS builder
WORKDIR /go/src/github.com/jbrt/ec2cryptomatic
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o ec2cryptomatic .
# Added: a scratch image carries no CA bundle, so TLS to kms.<region>.amazonaws.com
# fails with "x509: certificate signed by unknown authority". Install the bundle here...
RUN apk add -U --no-cache ca-certificates

FROM scratch
LABEL maintainer="[email protected]"
WORKDIR /app/
COPY --from=builder /go/src/github.com/jbrt/ec2cryptomatic/ec2cryptomatic .
# ...and copy it from the builder stage (same pinned image, no extra unpinned pull).
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
ENTRYPOINT ["./ec2cryptomatic"]
CMD ["--help"]
```
```text
[ec2-user@ip-172-31-35-171 ec2cryptomatic]$ ./ec2cryptomatic.py -r us-east-1 --instances i-069c975b3afc40900
Problem with the instance (An error occurred (InvalidInstanceID.NotFound) when calling the DescribeInstances operation: The instance ID 'i-069c975b3afc40900' does not exist)
```
I have given full permission to the instance.
It would be great if this tool could also cover RDS encryption and re-encryption. I think it follows a very similar pattern to volume encryption.
https://repost.aws/knowledge-center/update-encryption-key-rds
https://repost.aws/knowledge-center/ebs-change-encryption-key
```text
-=[ EC2Cryptomatic ]=-
2021/08/18 16:36:49 Error with this key: RequestError: send request failed
caused by: Post "https://kms.us-west-2%C2%A0.amazonaws.com/": dial tcp: lookup kms.us-west-2 .amazonaws.com: no such host
```
Hey,
I thought it would be nice to have a fast snapshot restore option:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-fast-snapshot-restore.html#manage-fsr-enable
How do we add IOPS? I am getting an error for io1 volume types.
2021/10/19 12:56:32 Error with this key: AccessDeniedException: User: arn:aws:iam::3915824****:user/EC2Cryptomatic is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:us-west-2:3915824****:key/*****-048e-4be0-b497-ca151cd223c5 because no resource-based policy allows the kms:DescribeKey action.
To fix it, I modified the policy to include kms:DescribeKey:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1504425390448",
      "Action": [
        "ec2:AttachVolume",
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:ModifyInstanceAttribute",
        "kms:DescribeKey",
        "ec2:StartInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
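Two things worth checking before copying the policy above. First, the error text says "no resource-based policy allows the kms:DescribeKey action": an identity policy only works if the key policy delegates to IAM (the default key policy's "Enable IAM User Permissions" statement does; a locked-down key policy must list the principal explicitly). Second, `kms:DescribeKey` needs no wildcard resource, so it can be scoped to the one key the tool uses. The following is an added example, not the project's own policy; the account ID and key ID are placeholders, and the EC2 statement is kept as in the issue because most of those Describe actions do not support resource-level permissions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Ec2VolumeSwap",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:ModifyInstanceAttribute",
        "ec2:StartInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DescribeOnlyTheEbsKey",
      "Effect": "Allow",
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:us-west-2:123456789012:key/00000000-0000-0000-0000-000000000000"
    }
  ]
}
```

If the run still fails on a KMS action other than DescribeKey, the key policy (not this identity policy) is the first place to look, for the same reason the error message gives.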
I believe it would be a good idea to skip AWS reserved tags:
aws:cloudformation:logical-id
aws:cloudformation:stack-id
aws:cloudformation:stack-name
The program fails to copy those tags:
```text
- Let's encrypt volume vol-0x62617a696e6761
-- Take a snapshot for volume vol-0x62617a696e6761
-- Creating an encrypted volume from snap-0x776861742773207570
Problem with the instance (An error occurred (InvalidParameterValue) when calling the CreateTags operation: Value ( aws:cloudformation:stack-name ) for parameter key is invalid. Tag keys starting with 'aws:' are reserved for internal use)
```
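The tag copy above fails because CreateTags rejects any key in the reserved `aws:` namespace, and AWS treats that prefix check as case-insensitive. The following is an added example, not ec2cryptomatic's own code, of filtering the source volume's tags before the CreateTags call and reporting what was skipped; `SOURCE_VOLUME_TAGS` is a constructed sample in the shape `describe_volumes` returns, and `create_tags` is any callable with boto3's `ec2.create_tags(Resources=..., Tags=...)` keyword shape.

```python
"""Drop AWS-reserved tag keys before calling CreateTags on the new volume.

Added example, not ec2cryptomatic's own code. Keys beginning with "aws:"
are reserved by AWS and CreateTags rejects them; the prefix check is
case-insensitive. SOURCE_VOLUME_TAGS is a constructed sample.
"""
from typing import Callable, Dict, List, Tuple

RESERVED_PREFIX = "aws:"

# Constructed sample; mirrors the CloudFormation tags from the issue.
SOURCE_VOLUME_TAGS: List[Dict[str, str]] = [
    {"Key": "Name", "Value": "app-data"},
    {"Key": "aws:cloudformation:logical-id", "Value": "DataVolume"},
    {"Key": "aws:cloudformation:stack-id",
     "Value": "arn:aws:cloudformation:us-east-1:123456789012:stack/app/00000000-0000-0000-0000-000000000000"},
    {"Key": "aws:cloudformation:stack-name", "Value": "app"},
    {"Key": "Environment", "Value": "prod"},
]


def split_tags(tags: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (tags safe to copy, reserved keys that were skipped)."""
    copyable: List[Dict[str, str]] = []
    skipped: List[str] = []
    for tag in tags:
        key = tag.get("Key", "")
        if key.lower().startswith(RESERVED_PREFIX):
            skipped.append(key)
        else:
            copyable.append({"Key": key, "Value": tag.get("Value", "")})
    return copyable, skipped


def copy_tags(create_tags: Callable[..., object], volume_id: str,
              tags: List[Dict[str, str]]) -> List[str]:
    """Apply only the copyable tags to volume_id; return the keys that were skipped.

    create_tags has boto3's ec2.create_tags(Resources=[...], Tags=[...]) shape.
    CreateTags with an empty Tags list is itself an error, so it is not called then.
    """
    copyable, skipped = split_tags(tags)
    if copyable:
        create_tags(Resources=[volume_id], Tags=copyable)
    return skipped


if __name__ == "__main__":
    def print_call(**kwargs):  # stand-in for ec2.create_tags
        print("CreateTags", kwargs)
    print("skipped:", copy_tags(print_call, "vol-0123456789abcdef0", SOURCE_VOLUME_TAGS))
```

Logging the skipped keys matters operationally: the CloudFormation tags are how the stack finds its resources, so a volume swapped in without them is no longer tracked by the stack, and the operator should see that rather than have it silently disappear.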
If you enter a nonexistent or incorrect KMS key alias, the application starts and the snapshot is created, but because the key doesn't exist the encryption fails; for some reason this leads to the application stalling and never exiting.
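This report and the earlier `kms.us-west-2%C2%A0.amazonaws.com` one are both inputs that are only rejected after work has started: a region with a stray non-breaking space (U+00A0) becomes part of the KMS hostname, and a bad key alias is discovered after the snapshot exists. The following is an added example, not the project's own code, of a pre-flight step that validates the region and instance ID shape and resolves the key through DescribeKey before anything is created. `describe_key` stands in for boto3's `kms.describe_key`; `FAKE_KEYS` and `fake_describe_key` are constructed (placeholder account and key IDs) so the demo runs offline.

```python
"""Fail fast on bad inputs before any snapshot or volume is created.

Added example, not ec2cryptomatic's own code. Rejects a region carrying a
non-breaking space (which boto encodes into the host as "us-west-2%C2%A0")
and a KMS alias that does not resolve or is not Enabled. FAKE_KEYS and
fake_describe_key are constructed stand-ins for kms.describe_key.
"""
import re
from typing import Any, Callable, Dict

# Region names look like us-west-2, eu-central-1, us-gov-west-1, ap-southeast-3.
REGION_RE = re.compile(r"^[a-z]{2}(-gov|-iso|-isob)?-[a-z]+-\d$")
# EC2 instance IDs are i- followed by 8 (legacy) or 17 hex characters.
INSTANCE_ID_RE = re.compile(r"^i-([0-9a-f]{8}|[0-9a-f]{17})$")


class PreflightError(ValueError):
    """Input rejected before any snapshot or volume is created."""


def clean_region(raw: str) -> str:
    """Strip ordinary and non-breaking whitespace, then validate the shape."""
    region = raw.strip(" \t\r\n\u00a0")
    if not REGION_RE.match(region):
        raise PreflightError(f"{raw!r} is not a valid AWS region name")
    return region


def resolve_key(describe_key: Callable[..., Dict[str, Any]], key_id: str) -> str:
    """Turn an alias, key ID or ARN into the key ARN, or raise.

    Calling DescribeKey up front also exercises the kms:DescribeKey
    permission, so a missing grant fails here rather than mid-run.
    """
    try:
        meta = describe_key(KeyId=key_id)["KeyMetadata"]
    except Exception as exc:  # botocore raises NotFoundException for an unknown alias
        raise PreflightError(f"KMS key {key_id!r} cannot be described: {exc}") from exc
    if meta.get("KeyState") != "Enabled":
        raise PreflightError(f"KMS key {key_id!r} is {meta.get('KeyState')}, not Enabled")
    return meta["Arn"]


def preflight(region: str, instance_id: str, key_id: str,
              describe_key: Callable[..., Dict[str, Any]]) -> Dict[str, str]:
    """Validate everything the run depends on; return the cleaned values."""
    region = clean_region(region)
    if not INSTANCE_ID_RE.match(instance_id):
        raise PreflightError(f"{instance_id!r} is not an EC2 instance ID")
    return {"region": region, "instance_id": instance_id,
            "key_arn": resolve_key(describe_key, key_id)}


# Constructed key table; the account ID and key IDs are placeholders.
FAKE_KEYS: Dict[str, Dict[str, Any]] = {
    "alias/ebs-cmk": {"KeyMetadata": {
        "Arn": "arn:aws:kms:us-west-2:123456789012:key/00000000-0000-0000-0000-000000000001",
        "KeyState": "Enabled"}},
    "alias/retired": {"KeyMetadata": {
        "Arn": "arn:aws:kms:us-west-2:123456789012:key/00000000-0000-0000-0000-000000000002",
        "KeyState": "PendingDeletion"}},
}


def fake_describe_key(KeyId: str) -> Dict[str, Any]:
    """Stand-in for kms.describe_key, taking the same keyword argument."""
    if KeyId not in FAKE_KEYS:
        raise LookupError(f"NotFoundException: Alias {KeyId} is not found")
    return FAKE_KEYS[KeyId]


def preflight_ok(region: str, instance_id: str, key_id: str) -> bool:
    """True if preflight accepts the inputs against the fake key table."""
    try:
        preflight(region, instance_id, key_id, fake_describe_key)
        return True
    except PreflightError:
        return False


if __name__ == "__main__":
    print(preflight("us-west-2\u00a0", "i-069c975b3afc40900", "alias/ebs-cmk", fake_describe_key))
    print(preflight_ok("us-west-2", "i-069c975b3afc40900", "alias/does-not-exist"))
```

With real boto3, pass `boto3.client("kms", region_name=region).describe_key` as `describe_key`; the resolved ARN is also what should be logged and tagged onto the new volume, so that which key encrypted it is recorded rather than the alias, which can be repointed later.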