Steps to encrypt an existing database

Perform the following steps to encrypt an existing database:

  1. You must first take a snapshot of your existing unencrypted database
  2. Using this snapshot, you can then create a copy of it and enable encryption on the copy
  3. Once you have the encrypted copy of the snapshot, you can create a new database from it
  4. The new database generated from the encrypted snapshot will now also be encrypted

When using encryption within RDS, it is recommended that you also enable backups, and back up frequently. The reason for this is that your database could enter a terminal state if the KMS CMK selected during the encryption process is disabled. When in a terminal state, the database is no longer recoverable, because AWS RDS is not able to read or write to the database without access to the KMS key. If your RDS instance does enter a terminal state, the only way to gain access to the database again is to restore from a backup. However, you would still need access to the KMS key, so if it was disabled, you could simply re-enable it. If it was deleted altogether, then all data would be lost and you would no longer be able to access the database.
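The four steps above, together with a check on the KMS key state described in the previous paragraph, can be scripted with the AWS CLI. This is an added example, not code from the book; the function name, the derived snapshot names and the exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the book): snapshot -> encrypted copy -> restore.
# Snapshot names are derived from the source identifier; all are assumptions.

encrypt_existing_db() {
    src_db=$1; new_db=$2; kms_key=$3
    snap="${src_db}-pre-encrypt"
    enc_snap="${snap}-encrypted"

    # Pre-check: only proceed with a key in the Enabled state, since RDS
    # cannot read or write the database without access to it.
    state=$(aws kms describe-key --key-id "$kms_key" \
        --query 'KeyMetadata.KeyState' --output text) || return 1
    if [ "$state" != "Enabled" ]; then
        echo "KMS key state is '$state', expected 'Enabled'" >&2
        return 2
    fi

    # Step 1: snapshot the existing unencrypted database.
    aws rds create-db-snapshot --db-instance-identifier "$src_db" \
        --db-snapshot-identifier "$snap" >/dev/null || return 1
    aws rds wait db-snapshot-available --db-snapshot-identifier "$snap" || return 1

    # Step 2: copy the snapshot; supplying a KMS key encrypts the copy.
    aws rds copy-db-snapshot --source-db-snapshot-identifier "$snap" \
        --target-db-snapshot-identifier "$enc_snap" \
        --kms-key-id "$kms_key" >/dev/null || return 1
    aws rds wait db-snapshot-available --db-snapshot-identifier "$enc_snap" || return 1

    # Step 3: create the new database from the encrypted snapshot.
    aws rds restore-db-instance-from-db-snapshot \
        --db-instance-identifier "$new_db" \
        --db-snapshot-identifier "$enc_snap" >/dev/null || return 1
    aws rds wait db-instance-available --db-instance-identifier "$new_db" || return 1

    # Step 4: confirm the new database really is encrypted.
    encrypted=$(aws rds describe-db-instances --db-instance-identifier "$new_db" \
        --query 'DBInstances[0].StorageEncrypted' --output text) || return 1
    case "$encrypted" in
        True|true) echo "$new_db" ;;
        *) echo "$new_db is not encrypted" >&2; return 3 ;;
    esac
}

# Run only when called with: <source-db> <new-db> <kms-key-id>
if [ "$#" -eq 3 ]; then
    encrypt_existing_db "$@"
fi
```

The restore here uses default settings; the network and parameter settings of the original instance would have to be passed to the restore command as well.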

When using RDS encryption, you should be aware of some of the limitations that exist, other than the point of only being able to enable encryption when the RDS database is created.

Once you have enabled encryption on a database, the process cannot be reversed: once it is encrypted, it will always remain encrypted, and you can't disable encryption at any point. As mentioned previously, all backups and snapshots that are taken of an encrypted database are also encrypted.

One final point to make on RDS encryption is that although it is available on all of the database engines that RDS offers, and across all regions, other than China (Beijing), it is not available across all instance types and classes. The following tables show the currently supported options of these:

More information on the latest available supported types can be found here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Availability.