We have a requirement for encryption at rest for everything we deploy in AWS, including on the root volumes for HipChat Datacenter EC2 instances. Boot/root volume encryption is typically accomplished in EC2 by creating or copying an AMI and encrypting it with your KMS key, then creating an instance from that encrypted AMI.
All of the guides and documentation I've seen so far have pointed toward using Atlassian-provided AMIs for HipChat Datacenter in AWS. These AMIs and their underlying snapshots appear to be set to not allow copying, which is the default. As a result, there's no way to copy them and encrypt them.
Does anyone have a workaround for encrypting the root volumes of HipChat Datacenter EC2 instances? Alternatively, the maintainers of the AMIs could consider opening up the permissions on the snapshots backing the AMIs to allow them to be copied.
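Added example, not part of the original post and not Atlassian's code: a Python check for the root-volume encryption requirement described above, run over constructed data shaped like `aws ec2 describe-instances` and `aws ec2 describe-volumes` output. All instance IDs, volume IDs and key ARNs are made-up placeholders, and `audit_root_volumes` is a hypothetical helper name.

```python
# Constructed sample data; every ID and ARN below is a placeholder.
REQUIRED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-REQUIRED-KEY"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OTHER-KEY"

INSTANCES = {"Reservations": [{"Instances": [
    # Data volume is encrypted, root volume is not: must still be flagged.
    {"InstanceId": "i-0aaa", "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-0001"}},
         {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0002"}}]},
    {"InstanceId": "i-0bbb", "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-0003"}}]},
    {"InstanceId": "i-0ccc", "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0004"}}]},
]}]}

VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0001", "Encrypted": False},
    {"VolumeId": "vol-0002", "Encrypted": True, "KmsKeyId": REQUIRED_KEY},
    {"VolumeId": "vol-0003", "Encrypted": True, "KmsKeyId": REQUIRED_KEY},
    {"VolumeId": "vol-0004", "Encrypted": True, "KmsKeyId": OTHER_KEY},
]}

def audit_root_volumes(instances, volumes, required_key):
    """Return {instance_id: finding} for each root volume that fails policy."""
    by_id = {v["VolumeId"]: v for v in volumes["Volumes"]}
    findings = {}
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            root = inst.get("RootDeviceName")
            # Match the mapping whose device name is the root device.
            vol_id = next((m["Ebs"]["VolumeId"]
                           for m in inst.get("BlockDeviceMappings", [])
                           if m.get("DeviceName") == root and "Ebs" in m), None)
            vol = by_id.get(vol_id)
            if vol is None:
                findings[inst["InstanceId"]] = "root volume not found"
            elif not vol.get("Encrypted"):
                findings[inst["InstanceId"]] = f"{vol_id} unencrypted"
            elif vol.get("KmsKeyId") != required_key:
                findings[inst["InstanceId"]] = f"{vol_id} encrypted with unexpected key"
    return findings

if __name__ == "__main__":
    for iid, why in audit_root_volumes(INSTANCES, VOLUMES, REQUIRED_KEY).items():
        print(iid, why)
```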
Thanks for the follow-up, Avinoam! I've commented on HCPUB-1348 as you suggested.
I understand that Atlassian may not be prepared to support AWS EBS volume encryption with HipChat Datacenter from a performance perspective, but this is a requirement for a number of our use cases. Even if it's not completely supported, opening up permissions on the AMIs to allow them to be copied could potentially allow us to fill these use cases. Allowing users to create their own copies of these AMIs would also allow us to deploy HipChat Datacenter in more regions than the four in which AMIs are currently provided, which is important for some of our use cases as well.