AWS – Encrypt Existing RDS PostgreSQL Database

If you have a postgresql database in AWS’s RDS and need to encrypt it but don’t want to recreate it and import it, this is for you (and previously me).

BE AWARE this method requires likely a ~1h window of data to be rolled over after – OR take your service offline during the process – if you can do so is the better option.

You need to consider that only certain database tiers qualify for encryption – make sure it fits you budget to introduce this. You can find that info here.

I recommend a dry run of this before you commit to encrypting.

  1. Put on the coffee, get a stress ball, put your slippers on.
  2. Login to your AWS console.
  3. Go to the IAM service.
  4. Bottom of the left hand section navigation click on ‘Encryption keys’.
  5. IMPORTANT: select the region you want to make the key available in (the region your database will be moved to or remain in after encryption).
    1. The setting for region for this feature are not in the top right as normal – they are in the header of the table displaying the keys – I had to recreate a few keys after observing this oddity.
  6. Create a key and assign it to yourself.
  7. Put your app in maintenance mode – or take it down for the rest of this process.
    1. Best to do late night, or check your google analytics for peak times.
  8. Now go to the RDS service.
  9. Find the instance you want to encrypt and create a snapshot of it
  10. Get a coffee – time varies based on instance size
  11. IMPORTANT: from this point on any new data entered into the database will need to be migrated afterwards or will be lost, we are assuming the snapshot is the source of truth.
  12. Navigate to snapshots from the left hand menu.
  13. Select the snapshot you just created and select ‘copy’ form the action menu.
  14. Give the new snapshot a name, if you don’t want to move it to a new region leave that option the same.
  15. Select Enable Encryption: YES and select ‘copy snapshot’
  16. IMPORTANT: once encrypted you cannot move snapshots between regions, and you cannot un-encrypt them.
  17. Get a coffee – time varies based on instance size
  18. Select the new encrypted snapshot and from the action menu select ‘Restore’.
  19. Select the option you want for this ‘new’ encrypted instance and launch it.
  20. You will be able to verify from the details panel that is is encrypted even while still launching.
  21. Get a coffee – time varies based on instance size.
  22. Configure your security options if you added it to a new security group.
  23. Test it via command line and any db admin tool you use – Postico is my tool of choice.
  24. Redirect all your traffic to your new instance OR ideally your staging environment to test against.
  25. QA QA QA everything.
  26. Swap over remaining services, re-enable your applications.
  27. Remove your old instances.
  28. IMPORTANT: Verify everything is how you want it before deleting your unencrypted instance, you can never go back.
  29. Party like its 1999!


Leave a Reply

Your email address will not be published. Required fields are marked *