Agentless, cloud-native backup for Amazon AWS
csjol
Lurker
Posts: 2
Liked: never
Joined: Feb 21, 2020 2:33 pm
Full Name: Chris Sjol

Problem Backing-up Encrypted AWS Instances

Post by csjol »

I have been having trouble backing up Instances that have Encrypted EBS's. Backing up to S3 errors out each time and gives the error of "Encrypted snapshots with EBS default key cannot be shared". I can't find anything in Veeam about this issue.

Can Encrypted EBS volumes be backed up? If so what is the correct method?

nielsengelen
Veeam Software
Posts: 3418
Liked: 686 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: Problem Backing-up Encrypted AWS Instances

Post by nielsengelen »

Hi, please contact support for the hotfix to this issue.
https://foonet.be

dalbertson
Veeam Software
Posts: 263
Liked: 65 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson

Re: Problem Backing-up Encrypted AWS Instances

Post by dalbertson »

csjol wrote: Feb 21, 2020 2:43 pm
I have been having trouble backing up Instances that have Encrypted EBS's. Backing up to S3 errors out each time and gives the error of "Encrypted snapshots with EBS default key cannot be shared". I can't find anything in Veeam about this issue.

Can Encrypted EBS volumes be backed up? If so what is the correct method?

Correct with what Niels stated... there is a hotfix for this issue and it will be included in the next version. However, you should also look into generating your own encryption key and not using the default key, as it's against AWS best practices.

Using the default key prevents you from sharing snapshots
https://docs.aws.amazon.com/AWSEC2/late ... sions.html

"When you share an encrypted snapshot, you must also share the customer managed CMK used to encrypt the snapshot. […] AWS prevents you from sharing snapshots that were encrypted with your default CMK. Snapshots that you intend to share must instead be encrypted with a customer managed CMK."

It also prevents you from sharing AMIs
https://docs.aws.amazon.com/AWSEC2/late ... licit.html

"If you share an AMI with encrypted volumes, you must also share any CMKs used to encrypt them."

These are things that you won't know you'll need until you do :)

You can read more about that here
https://docs.aws.amazon.com/AWSEC2/late ... ption.html

"Amazon EBS automatically creates a unique AWS managed CMK in each Region where you store AWS resources. This key has the alias alias/aws/ebs. By default, Amazon EBS uses this key for encryption. Alternatively, you can specify a symmetric customer managed CMK that you created as the default key for EBS encryption. Using your own CMK gives you more flexibility, including the ability to create, rotate, and disable keys."
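
A read-only check for the condition described in the post above, as an added example that is not part of the original thread and is not Veeam's code: it reports which EBS volumes are encrypted with the AWS managed key behind alias/aws/ebs, whose snapshots cannot be shared. The function names, volume IDs, key IDs and account number are constructed for illustration; the field names follow the EC2 DescribeVolumes and KMS ListAliases responses.

```python
"""Find EBS volumes encrypted with the AWS managed key (alias/aws/ebs).
Snapshots of these volumes cannot be shared with another account."""

AWS_MANAGED_EBS_ALIAS = "alias/aws/ebs"

# Constructed sample data shaped like KMS ListAliases / EC2 DescribeVolumes output.
SAMPLE_ALIASES = [
    {"AliasName": "alias/aws/ebs", "TargetKeyId": "11111111-aaaa-4aaa-8aaa-111111111111"},
    {"AliasName": "alias/backup-cmk", "TargetKeyId": "22222222-bbbb-4bbb-8bbb-222222222222"},
]
_ARN = "arn:aws:kms:us-east-1:111122223333:key/"  # constructed account and Region
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": _ARN + SAMPLE_ALIASES[0]["TargetKeyId"]},
    {"VolumeId": "vol-0bbb", "Encrypted": True, "KmsKeyId": _ARN + SAMPLE_ALIASES[1]["TargetKeyId"]},
    {"VolumeId": "vol-0ccc", "Encrypted": False},
]


def classify_volumes(volumes, aliases):
    """Map each volume ID to 'unencrypted', 'default-key' or 'other-key'.
    Both inputs must come from the same Region: the aws/ebs key is per Region."""
    default_ids = {a["TargetKeyId"] for a in aliases
                   if a["AliasName"] == AWS_MANAGED_EBS_ALIAS and "TargetKeyId" in a}
    result = {}
    for vol in volumes:
        if not vol.get("Encrypted"):
            status = "unencrypted"
        # A volume reports its key as an ARN ending in key/<key-id>.
        elif vol.get("KmsKeyId", "").rsplit("/", 1)[-1] in default_ids:
            status = "default-key"  # sharing its snapshots is refused
        else:
            status = "other-key"    # customer managed: shareable if the key is shared too
        result[vol["VolumeId"]] = status
    return result


def fetch_live(region):
    """Read-only collection of the same two lists from a real account."""
    import boto3  # imported here so the offline sample runs without it
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    vols = [v for page in ec2.get_paginator("describe_volumes").paginate()
            for v in page["Volumes"]]
    als = [a for page in kms.get_paginator("list_aliases").paginate()
           for a in page["Aliases"]]
    return vols, als


if __name__ == "__main__":
    for vol_id, status in classify_volumes(SAMPLE_VOLUMES, SAMPLE_ALIASES).items():
        print(vol_id, status)
```

Against a real account, `classify_volumes(*fetch_live("us-east-1"))` runs the same classification; the Region name here is only an example.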


Re: Problem Backing-up Encrypted AWS Instances

Post by csjol »

Thanks for the information from both of you. Helped me a lot in clearing up the issue.
