Encrypting an existing MySQL/MariaDB RDS instance
Often it is necessary to convert an unencrypted RDS instance into an encrypted one, and it is usually expected that this is done with minimal or no downtime. Unfortunately, encryption at rest can only be chosen when an instance is created; it cannot be switched on for an existing unencrypted instance. There are, however, a couple of workarounds to encrypt your existing data, and in this article I will discuss two of them. The first is the simplest but needs a write freeze, because a snapshot is a point in time and anything written to the old instance afterwards is not carried over. The second uses a Read Replica plus external replication, so the encrypted copy catches up with the source and the cut-over is only the time it takes to repoint your application.

Solution 1: Create a snapshot and copy the snapshot to a new encrypted snapshot:
- Stop writes to the application (or accept that anything written from now on is lost) and create a manual snapshot of the unencrypted RDS instance
- Go to Snapshots from the left panel and choose the snapshot just created
- From Actions, choose Copy snapshot, enable encryption and select the KMS key to use (a customer-managed key lets you control the key policy; the default aws/rds key does not)
- Select the new encrypted snapshot
- Go to Actions and select Restore snapshot; this creates a new encrypted instance with a new endpoint, so repoint your application to it and confirm that the instance shows Encryption enabled (StorageEncrypted is true) before retiring the old one
- Delete the intermediate unencrypted snapshot once the encrypted instance has been verified, otherwise an unencrypted copy of the data stays in the account
Solution 2: Create a Read Replica, snapshot the replica, and attach the encrypted restore to the source with external replication:
- Extend the binary log retention period on the unencrypted (master) RDS instance, for example with CALL mysql.rds_set_configuration('binlog retention hours', 144); do this first, so the events written while the snapshot is copied and restored are still available later
- Create a Read Replica from the unencrypted RDS instance and wait until it has caught up
- Stop replication on the Read Replica (CALL mysql.rds_stop_replication) and note down Relay_Master_Log_File and Exec_Master_Log_Pos from SHOW SLAVE STATUS; this pair is the exact point in the master's binary log from which the encrypted copy must resume
- Create a manual snapshot from that Read Replica (this snapshot is unencrypted)
- Copy that snapshot and enable encryption
- Restore the encrypted snapshot (this creates an encrypted RDS instance)
- On the encrypted instance, start external replication from the binary log file and position noted when replication was stopped on the Read Replica (CALL mysql.rds_set_external_master followed by CALL mysql.rds_start_replication), and cut your application over once SHOW SLAVE STATUS reports both replication threads running and Seconds_Behind_Master at 0
For the external replication to work, make sure that:
- The binary log retention period is extended on the master RDS instance, because RDS flushes binary logs as soon as the replica has executed their events, and nothing else will hold them while the snapshot is copied and restored
- A replication user exists on the master RDS instance with the required privileges (REPLICATION SLAVE, and REPLICATION CLIENT if you want to inspect status from that account)
- The security group of the master RDS instance allows inbound connections on the MySQL port (3306 by default) from the new encrypted RDS instance, which connects over the network like any external client
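The following script is an added example and not code from the original article. It drives both solutions with the AWS CLI and the mysql client: the snapshot, encrypted-copy and restore sequence of Solution 1 is one function, and Solution 2 reuses it on the Read Replica after capturing the binary log coordinates, then attaches the encrypted instance to the source with the mysql.rds_set_external_master procedure. The instance identifiers, the KMS key alias, the admin and repl user names, the retention period and the security group ids are assumptions; MySQL credentials are expected in ~/.my.cnf or MYSQL_PWD so they never appear on the command line.

```shell
#!/usr/bin/env bash
# Added example (not from the article). Assumes AWS CLI v2, a mysql client and
# credentials in ~/.my.cnf or MYSQL_PWD. Everything named below is an assumption.
set -eu

KMS_KEY_ID="${KMS_KEY_ID:-alias/aws/rds}"                 # assumed; prefer your own CMK
ADMIN_USER="${ADMIN_USER:-admin}"                         # assumed master user on all instances
BINLOG_RETENTION_HOURS="${BINLOG_RETENTION_HOURS:-144}"   # assumed; RDS allows up to 168

wait_snapshot() { aws rds wait db-snapshot-available --db-snapshot-identifier "$1"; }
wait_instance() { aws rds wait db-instance-available --db-instance-identifier "$1"; }
endpoint_of()   { aws rds describe-db-instances --db-instance-identifier "$1" \
                    --query 'DBInstances[0].Endpoint.Address' --output text; }
# The check that matters at the end: prints True only for an encrypted instance.
is_encrypted()  { aws rds describe-db-instances --db-instance-identifier "$1" \
                    --query 'DBInstances[0].StorageEncrypted' --output text; }

# Solution 1 (and the middle of Solution 2): manual snapshot -> encrypted copy -> restore.
# Encryption is chosen at copy time; the source snapshot itself stays unencrypted.
snapshot_copy_restore() {
  local src="$1" new="$2" snap="$1-plain" enc_snap="$1-enc"
  aws rds create-db-snapshot --db-instance-identifier "$src" \
      --db-snapshot-identifier "$snap" >/dev/null
  wait_snapshot "$snap"
  aws rds copy-db-snapshot --source-db-snapshot-identifier "$snap" \
      --target-db-snapshot-identifier "$enc_snap" --kms-key-id "$KMS_KEY_ID" >/dev/null
  wait_snapshot "$enc_snap"
  aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$new" \
      --db-snapshot-identifier "$enc_snap" >/dev/null
  wait_instance "$new"
}

# Solution 2, on the source: keep binlogs long enough for the copy/restore to finish
# and create the replication user. Must run before the Read Replica is stopped.
prepare_master() {
  local host="$1"
  : "${REPL_PASS:?set REPL_PASS for the replication user}"
  mysql -h "$host" -u "$ADMIN_USER" -e "
    CALL mysql.rds_set_configuration('binlog retention hours', $BINLOG_RETENTION_HOURS);
    CREATE USER IF NOT EXISTS 'repl'@'%' IDENTIFIED BY '$REPL_PASS';
    GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'repl'@'%';"
}

# Pull "<Relay_Master_Log_File> <Exec_Master_Log_Pos>" out of SHOW SLAVE STATUS\G on stdin.
parse_coordinates() {
  awk '/Relay_Master_Log_File:/ {f=$2} /Exec_Master_Log_Pos:/ {p=$2} END {print f, p}'
}

# Stop the replica and capture where in the master's binary log it stopped.
replica_coordinates() {
  local host="$1"
  mysql -h "$host" -u "$ADMIN_USER" -e "CALL mysql.rds_stop_replication;" >/dev/null
  mysql -h "$host" -u "$ADMIN_USER" -e 'SHOW SLAVE STATUS\G' | parse_coordinates
}

# "ok" only when both threads run and nothing is left to apply, otherwise "not-ready".
parse_replication_state() {
  awk '/Slave_IO_Running:/ {io=$2} /Slave_SQL_Running:/ {sql=$2} /Seconds_Behind_Master:/ {lag=$2}
       END {s = (io == "Yes" && sql == "Yes" && lag == "0") ? "ok" : "not-ready"; print s}'
}

# Point the encrypted restore at the source and resume from the captured coordinates.
# The last argument is ssl_encryption; 1 needs the source CA imported on the new instance first.
start_external_replication() {
  local new_host="$1" master_host="$2" log_file="$3" log_pos="$4"
  mysql -h "$new_host" -u "$ADMIN_USER" -e "
    CALL mysql.rds_set_external_master('$master_host', 3306, 'repl', '$REPL_PASS', '$log_file', $log_pos, 0);
    CALL mysql.rds_start_replication;"
}

# Let members of the new instance's security group reach the master on the MySQL port.
allow_replica_ingress() {
  aws ec2 authorize-security-group-ingress --group-id "$1" --protocol tcp --port 3306 \
      --source-group "$2" >/dev/null
}

# End-to-end Solution 2 for the instance id given as $1 (derived ids are assumptions).
main() {
  local src="$1" replica="$1-ro" new="$1-encrypted" coords log_file log_pos
  prepare_master "$(endpoint_of "$src")"
  aws rds create-db-instance-read-replica --db-instance-identifier "$replica" \
      --source-db-instance-identifier "$src" >/dev/null
  wait_instance "$replica"
  coords=$(replica_coordinates "$(endpoint_of "$replica")")
  log_file=${coords% *}; log_pos=${coords#* }
  snapshot_copy_restore "$replica" "$new"
  [ "$(is_encrypted "$new")" = "True" ] || { echo "$new is not encrypted, aborting" >&2; exit 1; }
  allow_replica_ingress "${MASTER_SG_ID:?}" "${REPLICA_SG_ID:?}"
  start_external_replication "$(endpoint_of "$new")" "$(endpoint_of "$src")" "$log_file" "$log_pos"
  echo "initial replication state: $(mysql -h "$(endpoint_of "$new")" -u "$ADMIN_USER" \
        -e 'SHOW SLAVE STATUS\G' | parse_replication_state)"
}

# Only run end-to-end when explicitly asked, e.g. RDS_ENCRYPT_RUN=mydb ./encrypt-rds.sh
if [ -n "${RDS_ENCRYPT_RUN:-}" ]; then main "$RDS_ENCRYPT_RUN"; fi
```

Poll parse_replication_state until it prints ok before repointing the application, and delete the two unencrypted snapshots (the *-plain one and any automated snapshots of the replica) once you have. The replication password is embedded in the rds_set_external_master call, so it passes through the mysql client's command line; run the script from a host whose process list is not shared. Newer MySQL releases rename SHOW SLAVE STATUS to SHOW REPLICA STATUS with Source_* column names, in which case the two awk patterns need the new names.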