I have been having trouble backing up Instances that have Encrypted EBS's. Backing up to S3 errors out each time and gives the error of "Encrypted snapshots with EBS default key cannot be shared". I can't find anything in Veeam about this issue.
Can Encrypted EBS volumes be backed up? If so what is the correct method?
- Lurker
- Joined: Feb 21, 2020 2:33 pm
- Full Name: Chris Sjol
- Product Manager
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Problem Backing-up Encrypted AWS Instances
Hi, we currently don't support backup for volumes using the default EBS key.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
- Veeam Software
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
csjol wrote: ↑Feb 21, 2020 2:43 pm
> I have been having trouble backing up Instances that have Encrypted EBS's. Backing up to S3 errors out each time and gives the error of "Encrypted snapshots with EBS default key cannot be shared". I can't find anything in Veeam about this issue.
> Can Encrypted EBS volumes be backed up? If so what is the correct method?

Correct with what Niels stated... there is a hotfix for this issue and it will be included in the next version. However, you should also look into generating your own encryption key and not using the default key, as it's against AWS best practices.
Using the default key prevents you from sharing snapshots
https://docs.aws.amazon.com/AWSEC2/late ... sions.html
"When you share an encrypted snapshot, you must also share the customer managed CMK used to encrypt the snapshot. […] AWS prevents you from sharing snapshots that were encrypted with your default CMK. Snapshots that you intend to share must instead be encrypted with a customer managed CMK."
It also prevents you from sharing AMIs
https://docs.aws.amazon.com/AWSEC2/late ... licit.html
"If you share an AMI with encrypted volumes, you must also share any CMKs used to encrypt them."
These are things that you won't know you'll need until you do.
You can read more about that here
https://docs.aws.amazon.com/AWSEC2/late ... ption.html
"Amazon EBS automatically creates a unique AWS managed CMK in each Region where you store AWS resources. This key has the alias alias/aws/ebs. By default, Amazon EBS uses this key for encryption. Alternatively, you can specify a symmetric customer managed CMK that you created as the default key for EBS encryption. Using your own CMK gives you more flexibility, including the ability to create, rotate, and disable keys."
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
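Added example (not part of the thread and not Veeam's code): a small audit that sorts volumes by whether they are encrypted with the region's AWS managed `alias/aws/ebs` key, which is the case that produces the "cannot be shared" error above. The field names follow the output of `aws kms list-aliases` and `aws ec2 describe-volumes`; the sample data, ids and the `alias/backup-cmk` alias are constructed for illustration.

```python
DEFAULT_EBS_ALIAS = "alias/aws/ebs"  # alias named in the AWS text quoted above

# Constructed sample data, shaped like `aws kms list-aliases` and
# `aws ec2 describe-volumes` output. Account, key and volume ids are made up.
SAMPLE_ALIASES = {"Aliases": [
    {"AliasName": "alias/aws/ebs",
     "TargetKeyId": "11111111-aaaa-4aaa-8aaa-111111111111"},
    {"AliasName": "alias/backup-cmk",  # hypothetical customer managed key
     "TargetKeyId": "22222222-bbbb-4bbb-8bbb-222222222222"},
]}
ARN = "arn:aws:kms:us-east-1:111122223333:key/"
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": ARN + "11111111-aaaa-4aaa-8aaa-111111111111"},
    {"VolumeId": "vol-0bbb", "Encrypted": True,
     "KmsKeyId": ARN + "22222222-bbbb-4bbb-8bbb-222222222222"},
    {"VolumeId": "vol-0ccc", "Encrypted": False},
]}


def key_id(key_ref):
    """Reduce a KMS key ARN (or a bare key id) to the key id."""
    return key_ref.rsplit("/", 1)[-1]


def classify_volumes(volumes, aliases):
    """Group volume ids by whether they use the region's default EBS key."""
    default_ids = {a["TargetKeyId"] for a in aliases["Aliases"]
                   if a["AliasName"] == DEFAULT_EBS_ALIAS and "TargetKeyId" in a}
    report = {"default_key": [], "other_key": [], "unencrypted": []}
    for vol in volumes["Volumes"]:
        if not vol.get("Encrypted"):
            bucket = "unencrypted"
        elif key_id(vol.get("KmsKeyId", "")) in default_ids:
            bucket = "default_key"  # snapshots of these cannot be shared
        else:
            bucket = "other_key"
        report[bucket].append(vol["VolumeId"])
    return report


if __name__ == "__main__":
    for bucket, ids in classify_volumes(SAMPLE_VOLUMES, SAMPLE_ALIASES).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The AWS managed key is created per Region, so the alias list and the volume list fed to `classify_volumes` must come from the same Region.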
- Lurker
- Joined: Feb 21, 2020 2:33 pm
- Full Name: Chris Sjol
Thanks for the information from both of you. Helped me a lot in clearing up the issue.