So I looked into your suggestion of using the "amazon-ebs support for
encrypted volumes" and found that it doesn't really work as one might
expect. The "encrypted" parameter is only used when calling copy-image
which in turn is only called if you provide a list of additional regions to
copy the created AMI to. AWS actually does not support creating an
encrypted boot volume from a running instance which is how amazon-ebs
works. To create an encrypted volume, one needs to take a snapshot of the
unencrypted volume and make a copy of it encrypting during the copy
process. From that then encrypted snapshot a new encrypted volume can be
The amazon-ebs docs for 'encrypted' parameter which says "encrypted
(boolean) - Indicates whether to encrypt the volume or not" is misleading
as written. It should be updated to say something like "encrypted (boolean)
- Indicates whether to encrypt the volume when copying the AMI to
additional regions if specified in the 'ami_regions' property.
amazon-ebs could be extended to create an encrypted version by taking a
snapshot of any volumes, then creating new encrypted volumes from the
snapshots, stopping the instance, detaching the old volumes, attaching the
new encrypted volumes and then continuing with the AMI creation, but that
would be way too much effort and complexity I think, much less than the
post-processor I wrote.
Thanks for the suggestion
On Wednesday, September 14, 2016 at 3:18:34 AM UTC-4, Rickard von Essen
> Why don't you use the amazon-ebs support for encrypted volumes?
> 1) You can build in parallel via launching multiple go routines inside
> your post-processor.
> 2) You should have "keep_input_artifact": true and your post-processor
> should handle not removing the input artifact. See
> On 13 September 2016 at 17:27, Scott Kellish <skel...@comcast.net
>> New to packer and go for that matter. I created a post-processor to
>> generate encrypted AMIs following creation of an unencrypted AMI by the AWS
>> builder. It's working and I assumed based on what I read that it made sense
>> to do this as a post-processing function rather than modifying the existing
>> 'ebs' builder but I see some limitations surrounding post-processing so
>> wanted to ask here
>> 1. When I have the AWS builder copy the AMI to other regions via
>> ami_regions, post-processor gets called once with the list of AMIs
>> created. Wouldn't it be more efficient for packer to call post-processor
>> separately for the original and each copy so they can run in parallel?
>> 2. At least for the aws artifact, there's no way to specify multiple AMIs
>> per region so my post-processor can't return the id of the encrypted AMI it
>> encrypted. Not being able to return the AMI basically breaks the
>> post-processing pipeline (we keep both the unencrypted and encrypted AMIs).
>> I guess I'm not really asking a question here, but any input/comments
>> would be appreciated.
>> This mailing list is governed under the HashiCorp Community Guidelines -
>> https://www.hashicorp.com/community-guidelines.html. Behavior in
>> violation of those guidelines may result in your removal from this mailing
>> GitHub Issues: https://github.com/mitchellh/packer/issues
>> IRC: #packer-tool on Freenode
>> You received this message because you are subscribed to the Google Groups
>> "Packer" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> To view this discussion on the web visit
>> For more options, visit https://groups.google.com/d/optout.
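The snapshot-copy workflow described in the thread (snapshot the unencrypted volume, copy the snapshot with encryption turned on, register a new AMI from the encrypted copies, keep the original), written out as an added example. This is not Scott's post-processor and not Packer's amazon-ebs builder code. It runs offline against an in-memory stand-in: the `EC2` interface and the `fakeEC2` type are assumptions that mirror the parameters of the real EC2 calls (DescribeImages, CopySnapshot with Encrypted/KmsKeyId, DescribeSnapshots, RegisterImage), and the AMI and snapshot IDs are constructed sample data. The function also does the check a practitioner wants: it verifies each copied snapshot really is encrypted under the requested key before registering the image, and it never touches the source AMI, so both artifacts survive.

```go
package main

import (
	"errors"
	"fmt"
)

// BlockDevice is one entry of an AMI's block device mapping.
type BlockDevice struct {
	DeviceName string
	SnapshotID string // empty for ephemeral (instance-store) mappings
	VolumeSize int
}

// Image is the subset of an EC2 image description this workflow needs.
type Image struct {
	ImageID, Name, RootDeviceName string
	BlockDevices                  []BlockDevice
}

// Snapshot is the subset of an EC2 snapshot description checked after copying.
type Snapshot struct {
	SnapshotID string
	Encrypted  bool
	KmsKeyID   string
}

// EC2 is a hypothetical minimal client interface (an assumption for this
// example) mirroring DescribeImages, CopySnapshot, DescribeSnapshots and
// RegisterImage; wire it to the AWS SDK for real use.
type EC2 interface {
	DescribeImage(imageID string) (Image, error)
	CopySnapshot(sourceSnapshotID string, encrypted bool, kmsKeyID string) (string, error)
	DescribeSnapshot(snapshotID string) (Snapshot, error)
	RegisterImage(img Image) (string, error)
}

// EncryptAMI builds an encrypted copy of sourceAMI in the same region: every
// EBS snapshot in its mapping is copied with Encrypted=true under kmsKeyID
// (empty means the account's default EBS key), each copy is verified to be
// encrypted, and a new AMI is registered from the copies. The source AMI and
// its snapshots are left untouched so both AMIs can be kept.
func EncryptAMI(client EC2, sourceAMI, kmsKeyID string) (string, error) {
	src, err := client.DescribeImage(sourceAMI)
	if err != nil {
		return "", err
	}
	dst := Image{Name: src.Name + "-encrypted", RootDeviceName: src.RootDeviceName}
	for _, bd := range src.BlockDevices {
		if bd.SnapshotID == "" { // ephemeral mapping: nothing to encrypt
			dst.BlockDevices = append(dst.BlockDevices, bd)
			continue
		}
		copyID, err := client.CopySnapshot(bd.SnapshotID, true, kmsKeyID)
		if err != nil {
			return "", fmt.Errorf("copy %s: %w", bd.SnapshotID, err)
		}
		// A real implementation must poll DescribeSnapshots until the copy's
		// State is "completed" before registering an image from it.
		snap, err := client.DescribeSnapshot(copyID)
		if err != nil {
			return "", err
		}
		if !snap.Encrypted || (kmsKeyID != "" && snap.KmsKeyID != kmsKeyID) {
			return "", fmt.Errorf("snapshot %s is not encrypted under %q", copyID, kmsKeyID)
		}
		bd.SnapshotID = copyID
		dst.BlockDevices = append(dst.BlockDevices, bd)
	}
	return client.RegisterImage(dst)
}

// fakeEC2 is an in-memory stand-in holding constructed sample data.
type fakeEC2 struct {
	images    map[string]Image
	snapshots map[string]Snapshot
	seq       int
}

const sampleAMI = "ami-0a1b2c3d" // constructed sample ID, not a real image

func newFakeEC2() *fakeEC2 {
	return &fakeEC2{
		images: map[string]Image{sampleAMI: {ImageID: sampleAMI, Name: "packer-base", RootDeviceName: "/dev/xvda",
			BlockDevices: []BlockDevice{
				{DeviceName: "/dev/xvda", SnapshotID: "snap-root0001", VolumeSize: 8},
				{DeviceName: "/dev/xvdb", SnapshotID: "snap-data0001", VolumeSize: 100},
				{DeviceName: "/dev/xvdc"}}}},
		snapshots: map[string]Snapshot{"snap-root0001": {SnapshotID: "snap-root0001"}, "snap-data0001": {SnapshotID: "snap-data0001"}},
	}
}

func (f *fakeEC2) DescribeImage(id string) (Image, error) {
	img, ok := f.images[id]
	if !ok {
		return Image{}, errors.New("InvalidAMIID.NotFound: " + id)
	}
	return img, nil
}

func (f *fakeEC2) CopySnapshot(src string, encrypted bool, kms string) (string, error) {
	if _, ok := f.snapshots[src]; !ok {
		return "", errors.New("InvalidSnapshot.NotFound: " + src)
	}
	f.seq++
	id := fmt.Sprintf("snap-copy%04d", f.seq)
	f.snapshots[id] = Snapshot{SnapshotID: id, Encrypted: encrypted, KmsKeyID: kms}
	return id, nil
}

func (f *fakeEC2) DescribeSnapshot(id string) (Snapshot, error) {
	s, ok := f.snapshots[id]
	if !ok {
		return Snapshot{}, errors.New("InvalidSnapshot.NotFound: " + id)
	}
	return s, nil
}

func (f *fakeEC2) RegisterImage(img Image) (string, error) {
	f.seq++
	img.ImageID = fmt.Sprintf("ami-enc%05d", f.seq)
	f.images[img.ImageID] = img
	return img.ImageID, nil
}

func main() {
	client := newFakeEC2()
	id, err := EncryptAMI(client, sampleAMI, "alias/packer-ami")
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted AMI:", id, "source kept:", client.images[sampleAMI].ImageID)
}
```

This covers the in-region case the thread is about; cross-region copies are the one place the builder's `encrypted` flag already applies, via copy-image. Leaving the source AMI registered is what makes "keep both" work, but the unencrypted snapshots stay readable to anyone with access to the account, so the caller decides separately whether to deregister it later.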