How to fully encrypt CPM server root and data volumes in EBS
The steps below will help you properly encrypt the CPM server root and data EBS volumes for an existing CPM server instance.
If encrypting only the data volume, it is still necessary to launch a new CPM server instance. Then, during initial CPM configuration, select the option to use an existing data volume and choose the encrypted volume. Failure to do so will result in issues with the cpmdata self backup policy.
Note: this process will require launching a new CPM server image, similar to the AMI update process. This is required to prevent errors.
The existing CPM data volume containing the backup policies and history will be retained.
This process will also update CPM to the latest version. Be sure to check the release notes of the latest version for new requirements, if any.
Please follow all steps carefully. It is recommended to create a snapshot of the CPM server data volume for your protection before proceeding.
Make sure no backups, DR processes or copies to S3 are running, then stop the existing CPM server instance in EC2.
Launch a new CPM Server instance from the
Do not terminate the existing instance at this time.
Once launched and running, stop the newly launched instance.
- Be sure to select the correct image for your license.
Once stopped, in the EC2 console create an image of the newly launched CPM instance.
- This instance will be used temporarily to create an encrypted image of the CPM root volume.
In the AMIs view of EC2, make a copy of the image created in step
Once the copy has completed, launch an instance from this newly copied, encrypted image.
- It will be helpful in the next step to give this copied image a different name, or to prefix with "Encrypted".
- Select the option to "Encrypt target EBS snapshots" and choose the desired master key.
Create a snapshot of the existing "CPM Cloud Protection Manager Data" volume.
Do not access the instance by browser at this time.
Copy the snapshot created in step
Be sure the correct data volume is snapshotted: double check the instance ID under "attachment information" in the volumes view. It should match the existing (not newly created) CPM server instance ID.
When the snapshot copy has completed, create a Volume from the copied, encrypted snapshot created in step 8.
In the dialog, check "Encrypt this snapshot" and choose the desired
- It is helpful in this step to look for the snapshot with a description like [Copied snap-1234567890abcdef from <availability zone>] when looking for the correct snapshot.
Access the newly launched CPM instance by HTTPS and enter the instance ID and License information.
In the dialog, make sure to select the same availability zone as the newly launched CPM instance.
Double check that the size of the created volume will be at least 5 GiB.
When finished, note the ID of the newly created volume on the "Create Volume Request Succeeded" screen.
On step 3 of CPM server initial configuration, select "Use Existing data volume" and choose the newly encrypted CPM data volume created in step 9.
Finish the CPM server
Finally, terminate the old, unencrypted CPM server instance and the temporary instance which was launched in
At this point, be sure to inspect the newly created CPM server. You should see all existing backups and policies appear as they did before starting.
You can verify the CPM instance volumes now appear as encrypted in the Volumes view of the EC2 console.
It will be necessary to follow this process again (excluding steps 7-9) when updating CPM to a new version in the future.
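The final verification (volumes appear as encrypted in the Volumes view) can also be scripted. The following is an added example, not N2WS or AWS code: it audits the JSON printed by `aws ec2 describe-volumes` using the checks named in the steps above (encrypted flag, same availability zone, data volume of at least 5 GiB). The function name, all instance and volume IDs, and the sample document are constructed placeholders.

```python
import json

MIN_DATA_GIB = 5  # minimum data volume size given in the steps above

def audit_cpm_volumes(describe_json, instance_id, instance_az, data_volume_id):
    """Audit `aws ec2 describe-volumes` output; an empty list means all checks pass."""
    volumes = json.loads(describe_json).get("Volumes", [])
    findings = []
    data = None
    for vol in volumes:
        if vol["VolumeId"] == data_volume_id:
            data = vol  # checked separately below
            continue
        attached_to = {a["InstanceId"] for a in vol.get("Attachments", [])}
        # Root (and any other) volume on the new CPM instance must be encrypted.
        if instance_id in attached_to and not vol.get("Encrypted", False):
            findings.append(f"{vol['VolumeId']}: attached to {instance_id}, not encrypted")
    if data is None:
        return findings + [f"{data_volume_id}: not found in output"]
    if not data.get("Encrypted", False):
        findings.append(f"{data_volume_id}: data volume not encrypted")
    if data["AvailabilityZone"] != instance_az:
        findings.append(f"{data_volume_id}: in {data['AvailabilityZone']}, "
                        f"instance is in {instance_az}")
    if data["Size"] < MIN_DATA_GIB:  # describe-volumes reports Size in GiB
        findings.append(f"{data_volume_id}: {data['Size']} GiB is below {MIN_DATA_GIB} GiB")
    return findings

# Constructed sample output; all IDs are placeholders, not real resources.
SAMPLE = json.dumps({"Volumes": [
    {"VolumeId": "vol-0root000000000001", "Encrypted": True, "Size": 30,
     "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0new0000000000001", "Device": "/dev/sda1"}]},
    {"VolumeId": "vol-0data000000000001", "Encrypted": True, "Size": 5,
     "AvailabilityZone": "us-east-1a", "Attachments": []},
    # Old server's root volume: unencrypted, but attached to a different instance.
    {"VolumeId": "vol-0old0000000000001", "Encrypted": False, "Size": 30,
     "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0old0000000000001", "Device": "/dev/sda1"}]},
]})

if __name__ == "__main__":
    for line in audit_cpm_volumes(SAMPLE, "i-0new0000000000001", "us-east-1a",
                                  "vol-0data000000000001") or ["all checks passed"]:
        print(line)
```

Run it before selecting "Use Existing data volume", since a data volume in the wrong availability zone cannot be attached to the new instance.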