How to fully encrypt CPM server root and data volumes in EBS
The steps below will help you properly encrypt the CPM server root and data EBS volumes for an existing CPM server instance.
If encrypting only the data volume, it is still necessary to launch a new CPM server instance. Then, during initial CPM configuration, select the option to use an existing data volume and choose the encrypted volume. Failure to do so will result in issues with the cpmdata self backup policy.
Note: this process will require launching a new CPM server image, similar to the AMI update process. This is required to prevent errors.
existing CPM data volume containing the backup policies and history will be retained.
This process will also update CPM to the latest version. Be sure to check the release notes of the latest version for new requirements, if any.
Please follow all steps carefully. It is recommended to create a snapshot of the CPM server data volume for your protection before proceeding.
no backups, DR processes or copies to S3 are running, then stop the existing CPM server instance in EC2.
Launch a new CPM Server instance from the
not terminate the existing instance at this time.
Once launched and running, stop the newly launched instance.
- Be sure to select the correct image for your license.
Once stopped, in the EC2 console create an image of the newly launched CPM instance.
- This instance will be used temporarily to create an encrypted image of the CPM root volume.
In the AMIs view of EC2, make a copy of the image created in step
Once the copy has completed, launch an
this newly copied, encrypted image.
- It will be helpful in the next step to give this copied image a different name, or to prefix with "Encrypted".
- Select the option to "Encrypt target EBS snapshots" and choose the desired master key.
snapshot of the existing "CPM Cloud Protection Manager Data" volume.
not access the instance by browser at this time.
Copy the snapshot created in step
sure the correct data volume is snapshotted, double check the instance ID under "attachment information" in the volumes view. It should match the existing (not newly created) CPM server instance ID.
When the snapshot copy has completed, create a Volume from the copied, encrypted snapshot created in step 8.
the dialog, check "Encrypt this snapshot" and choose the desired
- It is helpful in this step to look for the snapshot with a description like
[Copied snap-1234567890abcdef from <availability zone>]
when looking for the correct snapshot.
Access the newly launched CPM instance by HTTPS and enter the instance ID and License information.
the dialog, make sure to select the same availability zone as the newly launched CPM instance.
check the size of the created volume will be at least 5 GiB
finished, note the ID of the newly created volume on the "Create Volume Request Succeeded" screen.
On step 3 of CPM server initial configuration, select "Use Existing data volume" and choose the newly encrypted CPM data volume created in step 9.
Finish the CPM server
Finally, terminate the old, unencrypted CPM server instance and the temporary instance which was launched in
this point, be sure to inspect the newly created CPM server. You should see all existing backups and policies appear as they did before starting.
can verify the CPM instance volumes now appear as encrypted in the Volumes view of the EC2 console.
It will be necessary to follow this process again (excluding steps 7-9) when updating CPM to a new version in the future.
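The checks this procedure asks for (data volume encrypted, in the same availability zone as the new instance, at least 5 GiB, and every volume on the new instance showing as encrypted) can also be run against saved `aws ec2 describe-volumes` JSON output. The script below is an added example, not part of the original article or of CPM; the function names are hypothetical, and the sample volume IDs, instance IDs, zones and key ARN are constructed placeholders.

```python
import json

MIN_DATA_GIB = 5  # minimum data volume size stated in the procedure

# Constructed sample in the shape of `aws ec2 describe-volumes` output;
# every ID, zone and key ARN below is a placeholder, not a real resource.
SAMPLE = json.loads("""
{"Volumes": [
 {"VolumeId": "vol-0aaa0000000000001", "Encrypted": true, "Size": 8,
  "AvailabilityZone": "us-east-1a",
  "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
  "Attachments": [{"InstanceId": "i-0new000000000001", "Device": "/dev/xvda"}]},
 {"VolumeId": "vol-0aaa0000000000002", "Encrypted": true, "Size": 5,
  "AvailabilityZone": "us-east-1a",
  "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
  "Attachments": []},
 {"VolumeId": "vol-0bbb0000000000003", "Encrypted": false, "Size": 5,
  "AvailabilityZone": "us-east-1b",
  "Attachments": [{"InstanceId": "i-0old000000000001", "Device": "/dev/sdf"}]}
]}
""")


def unencrypted_attached(volumes, instance_id):
    """Return IDs of volumes attached to instance_id that are not encrypted."""
    return [v["VolumeId"] for v in volumes
            if any(a.get("InstanceId") == instance_id
                   for a in v.get("Attachments", []))
            and not v.get("Encrypted", False)]


def data_volume_problems(volumes, volume_id, instance_az):
    """Return reasons the candidate data volume fails the procedure's checks."""
    vol = next((v for v in volumes if v["VolumeId"] == volume_id), None)
    if vol is None:
        return ["volume not found"]
    problems = []
    if not vol.get("Encrypted", False):
        problems.append("not encrypted")
    if vol.get("AvailabilityZone") != instance_az:
        problems.append("wrong availability zone")
    if vol.get("Size", 0) < MIN_DATA_GIB:
        problems.append("smaller than %d GiB" % MIN_DATA_GIB)
    return problems
```

An empty list from `unencrypted_attached` only means no unencrypted volume is attached to that instance ID, so confirm the ID is the new server's and not the old one before terminating anything.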