How to fully encrypt CPM server root and data volumes in EBS
The steps below will help you properly encrypt the CPM server root and data EBS volumes for an existing CPM server instance.
If encrypting only the data volume, it is still necessary to launch a new CPM server instance. During initial CPM configuration, select the option to use an existing data volume, then choose the encrypted volume. Failure to do so will result in issues with the cpmdata self backup policy.
Note: this process will require launching a new CPM server image, similar to the AMI update process. This is required to prevent errors. The existing CPM data volume containing the backup policies and history will be retained.
This process will also update CPM to the latest version. Be sure to check the release notes of the latest version for new requirements, if any.
Please follow all steps carefully. It is recommended to create a snapshot of the CPM server data volume for your protection before proceeding.
1. Ensure no backups, DR processes or copies to S3 are running, then stop the existing CPM server instance in EC2. Do not terminate the existing instance at this time.
2. Launch a new CPM Server instance from the
   Be sure to select the correct image for your license.
3. Once launched and running, stop the newly launched instance. This instance will be used temporarily to create an encrypted image of the CPM root volume.
4. Once stopped, in the EC2 console create an image of the newly launched CPM instance.
5. In the AMIs view of EC2, make a copy of the image created in step
   It will be helpful in the next step to give this copied image a different name, or to prefix it with "Encrypted". Select the option to "Encrypt target EBS snapshots" and choose the desired master key.
6. Once the copy has completed, launch an instance from this newly copied, encrypted image. Do not access the instance by browser at this time.
7. Create a snapshot of the existing "CPM Cloud Protection Manager Data" volume. To make sure the correct data volume is snapshotted, double check the instance ID under "attachment information" in the Volumes view. It should match the existing (not newly created) CPM server instance ID.
8. Copy the snapshot created in step
   In the dialog, check "Encrypt this snapshot" and choose the desired
9. When the snapshot copy has completed, create a Volume from the copied, encrypted snapshot created in step 8. It is helpful in this step to look for the snapshot with a description like
   [Copied snap-1234567890abcdef from <availability zone>]
   when looking for the correct snapshot. In the dialog, make sure to select the same availability zone as the newly launched CPM instance. Check that the size of the created volume will be at least 5 GiB. When finished, note the ID of the newly created volume on the "Create Volume Request Succeeded" screen.
10. Access the newly launched CPM instance by HTTPS, and enter the instance ID and License information. On step 3 of CPM server initial configuration, select "Use Existing data volume" and choose the newly encrypted CPM data volume created in step 9.
11. Finish the CPM server
    At this point, be sure to inspect the newly created CPM server. You should see all existing backups and policies appear as they did before starting. You can verify the CPM instance volumes now appear as encrypted in the Volumes view of the EC2 console.
12. Finally, terminate the old, unencrypted CPM server instance and the temporary instance which was launched in
It will be necessary to follow this process again (excluding steps 7-9) when updating CPM to a new version in the future.
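The checks the procedure asks for when creating the volume and when verifying the result (volumes encrypted, data volume in the same availability zone as the new instance, at least 5 GiB, not still attached to another instance) can also be run against the output of `aws ec2 describe-volumes --output json`. The following is an added example, not part of the original article or of CPM; the function name, the short volume and instance IDs and the sample JSON are constructed for illustration.

```python
import json

MIN_DATA_GIB = 5  # minimum data volume size given in the procedure

# Constructed sample shaped like `aws ec2 describe-volumes --output json`.
SAMPLE = json.loads("""
{"Volumes": [
 {"VolumeId": "vol-0aaa", "Encrypted": true, "Size": 8,
  "AvailabilityZone": "us-east-1a",
  "Attachments": [{"InstanceId": "i-0new", "Device": "/dev/sda1"}]},
 {"VolumeId": "vol-0bbb", "Encrypted": true, "Size": 5,
  "AvailabilityZone": "us-east-1a", "Attachments": []},
 {"VolumeId": "vol-0ccc", "Encrypted": false, "Size": 5,
  "AvailabilityZone": "us-east-1a",
  "Attachments": [{"InstanceId": "i-0old", "Device": "/dev/sdf"}]},
 {"VolumeId": "vol-0ddd", "Encrypted": true, "Size": 4,
  "AvailabilityZone": "us-east-1b", "Attachments": []}
]}
""")


def check_volumes(described, instance_id, instance_az, data_volume_id):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    data = None
    for vol in described.get("Volumes", []):
        vid = vol["VolumeId"]
        attached = {a["InstanceId"] for a in vol.get("Attachments", [])}
        is_data = vid == data_volume_id
        if is_data:
            data = vol
        # Root and data volumes of the new server must both be encrypted.
        if (is_data or instance_id in attached) and not vol.get("Encrypted"):
            findings.append(f"{vid}: not encrypted")
        # The chosen data volume must not still belong to another instance.
        others = sorted(attached - {instance_id})
        if is_data and others:
            findings.append(f"{vid}: attached to {others}")
    if data is None:
        return findings + [f"{data_volume_id}: not in describe-volumes output"]
    if data["AvailabilityZone"] != instance_az:
        findings.append(f"{data_volume_id}: in {data['AvailabilityZone']}, "
                        f"instance is in {instance_az}")
    if data["Size"] < MIN_DATA_GIB:
        findings.append(f"{data_volume_id}: {data['Size']} GiB < {MIN_DATA_GIB} GiB")
    return findings


if __name__ == "__main__":
    for candidate in ("vol-0bbb", "vol-0ccc", "vol-0ddd"):
        print(candidate, check_volumes(SAMPLE, "i-0new", "us-east-1a", candidate) or "OK")
```

The same function works before CPM initial configuration, while the new data volume is still unattached, and afterwards, once CPM has attached it to the new instance.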