Skip to content
Logo Theodo

Need to encrypt your existing AWS RDS database? Follow the guide!

Vincent Larrat6 min read

AWS Cloud Security

Let’s begin by a little game: let me guess how you reached this article, OK?

You were working on a small project and wanted to deploy it on AWS, maybe it was your first cloud try. You configured basic database instance on RDS, and as there were a lot of ununderstandable options, you kept default configuration (really, who cares about configuring tools when only working on a POC?).

Then your project got bigger and you began to store more sensitive data. As you are quite aware of security issues, you wanted to check on the AWS console that your database was well encrypted.

But, hell! Your database was completely unencrypted! Moreover, you realized there was no option to encrypt your existing database on the fly…

Unencrypted RDS Database on AWS console

Did I guess well :)?

No? Argh…

Well, if you’re still reading, I must be close to the truth!

The problem here is that database encryption is not ticked on default RDS configuration. Moreover, depending on which instance size you chose during database instantiation, encryption was maybe simply not available at all!

Don’t panic! In this walk-through guide, I will list all prerequisites needed for encryption on an RDS instance and cover all steps to follow to encrypt your database without losing any data.

Warning: as we will have to create a fresh new RDS instance to encrypt it, there will be an unavoidable downtime, whose duration will depend on your database size.

NB: We could tackle this trade-off by using a more complex technique (by using replica databases, and switching between main and backup databases during backup/restore operations covered in this tutorial). If you would like to see such a more advanced tutorial in the future, feel free to ask for it in comments ;).

Ready! Set! Go!

Get ready for RDS database encryption!


OK, now you are ready to deep dive into database encryption!

We will start by backing up your existing database, then we will create a new RDS database and restore our backup file to it. Let’s start!

Prepare your existing database for encryption

Here, we are going to back up our existing database and encrypt this snapshot during backup, using our previously generated KMS key. To reach this goal, follow these steps:

Take snapshot on RDS database

Confirm snapshot of RDS database

List RDS database snapshots before encryption

Copy snapshot of RDS database

Details of snapshot copy of RDS database

This step is crucial for encryption: it will indicate AWS to create an encrypted database when restoring from this snapshot.

Back up step is now cleared. We can then work on the restoration step and…

Create your new encrypted database

Here, we are going to create a fresh new encrypted database with data from our previous database by simply restoring our snapshot. As usual, simply follow these steps:

Create new RDS database

Confirm new RDS database creation

List RDS database snapshots after encryption

Restore snapshot from RDS database

Give name to restored RDS snapshot

Encryption details of RDS snapshot restoration

Encrypted RDS Database on AWS console

And voila!

Your new RDS database is now totally encrypted, contains the same data as your former one and is reachable through the same ARN.

Well done!

Liked this article?