Francesko
Staff
January 28, 2025

Technical Tip: Enabling EBS volume encryption of a FortiGate VM on AWS

Description The article describes how to enable EBS volume encryption in an existing FortiGate VM deployment on AWS.
Scope FortiGate VM on AWS.
Solution

AWS EBS disk encryption is a host-based feature, meaning it operates transparently to the FortiGate-VM OS. However, it is important to ensure that the necessary permissions and access to the KMS or other encryption keys are in place when enabling encryption.

 

In an existing FortiGate VM on AWS, additional steps should be followed to enable encryption of the EBS volume after the initial deployment:

 

  1. Take a backup of the configuration file and take a snapshot of the existing, unencrypted EBS volume.

  2. Create an encrypted copy of the snapshot taken from the EBS volume.

  3. Create a new volume from the encrypted snapshot copy.

     Note: The availability zone of the new volume should be the same as the instance availability zone.

  4. Shut down the FortiGate VM from the CLI and stop the instance from the AWS Portal.

  5. Detach the unencrypted EBS volume and attach the newly created volume.

  6. Turn the FortiGate instance back on.
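The same six steps can be run with the AWS CLI. The script below is an added example, not part of the original article or Fortinet's tooling: the function name `encrypt_fgt_volume`, its argument order, and the reuse of the original device name are assumptions. It expects the configuration backup and the shutdown from the FortiGate CLI to have been done already.

```shell
#!/bin/sh
# Added example (not Fortinet's code): the six steps above with the AWS CLI.
# Assumes the config backup is done and the FortiGate was already shut down
# from its own CLI. Arguments: instance ID, old volume ID, region, KMS key.
set -eu

ec2() { aws --region "$REGION" --output text ec2 "$@"; }

encrypt_fgt_volume() {
  local instance="$1" old_vol="$2" kms_key="$4"
  local az device snap enc_snap new_vol encrypted
  REGION="$3"
  # Record the AZ and device name so the new volume can replace the old one.
  az=$(ec2 describe-volumes --volume-ids "$old_vol" \
        --query 'Volumes[0].AvailabilityZone')
  device=$(ec2 describe-volumes --volume-ids "$old_vol" \
        --query 'Volumes[0].Attachments[0].Device')
  # Step 1: snapshot the unencrypted volume.
  snap=$(ec2 create-snapshot --volume-id "$old_vol" --query SnapshotId)
  ec2 wait snapshot-completed --snapshot-ids "$snap"
  # Step 2: encrypted copy of that snapshot under the chosen KMS key.
  enc_snap=$(ec2 copy-snapshot --source-region "$REGION" \
        --source-snapshot-id "$snap" --encrypted --kms-key-id "$kms_key" \
        --query SnapshotId)
  ec2 wait snapshot-completed --snapshot-ids "$enc_snap"
  # Step 3: new volume from the encrypted copy, in the instance's AZ.
  new_vol=$(ec2 create-volume --snapshot-id "$enc_snap" \
        --availability-zone "$az" --query VolumeId)
  ec2 wait volume-available --volume-ids "$new_vol"
  # Check before touching the instance: refuse to swap in a plaintext volume.
  encrypted=$(ec2 describe-volumes --volume-ids "$new_vol" \
        --query 'Volumes[0].Encrypted')
  case "$encrypted" in
    True|true) ;;
    *) echo "volume $new_vol is not encrypted; aborting" >&2; return 1 ;;
  esac
  # Step 4: stop the instance.
  ec2 stop-instances --instance-ids "$instance" >/dev/null
  ec2 wait instance-stopped --instance-ids "$instance"
  # Step 5: swap volumes, reusing the original device name.
  ec2 detach-volume --volume-id "$old_vol" >/dev/null
  ec2 wait volume-available --volume-ids "$old_vol"
  ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance" \
        --device "$device" >/dev/null
  # Step 6: power the FortiGate back on.
  ec2 start-instances --instance-ids "$instance" >/dev/null
  echo "$new_vol"
}

if [ "$#" -eq 4 ]; then encrypt_fgt_volume "$@"; fi
```

The identity running it needs EC2 permissions for these calls and access to the KMS key, as the article notes for enabling encryption.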

 
