How to fully encrypt CPM server root and data volumes in EBS

How to fully encrypt CPM server root and data volumes in EBS

The steps below will help you properly encrypt the CPM server root and data EBS volumes for an existing CPM server instance.

If encrypting only the data volume, it is still necessary to launch a new CPM server instance. Then during initial CPM configuration select to use an existing data volume, then choose the encrypted volume. Failure to do so will result in issues with the cpmdata self backup policy.

Note: this process will require launching a new CPM server image, similar to the AMI update process. This is required to prevent errors. The existing CPM data volume containing the backup polices and history will be retained.

This process will also update CPM to the latest version. Be sure to check the release notes of the latest version for new requirements, if any.

Please follow all steps carefully, it is recommended to create a snapshot of the CPM server data volume for your protection before proceeding.

  1. Ensure no backups, DR processes or copies to S3 are running, then stop the existing CPM server instance in EC2.
    • Do not terminate the existing instance at this time.

  2. Launch a new CPM Server instance from the AWS marketplace.
    • Be sure to select the correct image for your license.

  3. Once launched and running, stop the newly launched instance.
    • This instance will be used temporarily to create an encrypted image of the CPM root volume.

  4. Once stopped, in the EC2 console create an image of the newly launched CPM instance.

  5. In the AMIs view of EC2, make a copy of the image created in step 4.
    • It will be helpful in the next step to give this copied image a different name, or to prefix with "Encrypted".
    • Select the option to "Encrypt target EBS snapshots" and choose the desired master key.

  6. Once the copy has completed, launch an instance from this newly copied, encrypted image.
    • Do not access the instance by browser at this time.

  7. Create a snapshot of the existing "CPM Cloud Protection Manager Data" volume.
    • To be sure the correct data volume is snapshotted, double check the instance ID under "attachment information" in the volumes view. It should match the existing (not newly created) CPM server instance ID.

  8. Copy the snapshot created in step 7.
    • In the dialog, check "Encrypt this snapshot" and choose the desired master key.

  9. When the snapshot copy has completed, create a Volume from the copied, encrypted snapshot created in step 8.
    • It is helpful in this step to look for the snapshot with a description like [Copied snap-1234567890abcdef from <availability zone>] when looking for the correct snapshot.
    • In the dialog, make sure to select the same availability zone as the newly launched CPM instance.
    • Also check the size of the created volume will be at least 5 GiB
    • When finished, note the ID of the newly created volume on the "Create Volume Request Succeeded" screen.

  10. Access the newly launched CPM instance by HTTPS, enter the instance ID and License information.

  11. On step 3 of CPM server initial configuration, select "Use Existing data volume" and choose the newly encrypted CPM data volume created in step 9.

  12. Finish the CPM server configuration.
    • At this point, be sure to inspect the newly created CPM sever. You should see all existing backups and policies appear as they did before starting.
    • You can verify the CPM instance volumes now appear as encrypted in the Volumes view of the EC2 console.

  13. Finally, terminate the old, unencrypted CPM server instance and the temporary which was instance launched in step 3.


It will be necessary to follow this process again (excluding steps 7-9) when updating CPM to a new version in the future.