How do I take an encrypted snapshot of an unencrypted Amazon RDS DB instance?
I turned on encryption on an unencrypted Amazon Relational Database Service (Amazon RDS) DB instance and want to take an encrypted snapshot.
Resolution
You can only encrypt an Amazon RDS DB instance when you create it. However, you can add encryption when you copy RDS DB snapshots or restore Aurora DB cluster snapshots.
For Amazon RDS for MySQL, Oracle, SQL Server, PostgreSQL, or MariaDB, you can encrypt a copy of an unencrypted snapshot. Make sure to choose Enable encryption. After Amazon RDS encrypts the DB snapshot, the Encrypted status field changes to the Yes state. You can use the encrypted DB snapshot to restore the DB instance from the DB snapshot.
For Amazon Aurora, encryption isn't available when you copy the DB cluster snapshot. To take an encrypted snapshot, first restore the unencrypted DB cluster snapshot. Make sure to choose Enable encryption under Settings, and then specify an AWS Key Management Service (AWS KMS) encryption key. Then, take a snapshot of the restored DB cluster. For more information, see Limitations of Amazon Aurora encrypted DB clusters.
Related information
Creating a DB snapshot for a Single-AZ DB instance for Amazon RDS
- Language
- English
Hi,
I have an RDS instance is running in production already which isn't encrypted. I tried to create a snapshot from it and follow the steps in the tutorial but I get an error "Copying unencrypted cluster with encryption is not supported". It looks like a chicken-egg problem. I want to encrypt snapshot but I can't do it because the snapshot was made from unencrypted cluster.
Could you recommend something?
Hi Team, We are getting below error "Copying unencrypted cluster with encryption is not supported" and do we resolve this issue?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
