professional-service/examples/iaas-volume-encryption
2026-07-01 13:40:32 +02:00
.terraform.lock.hcl terraform: Add provider blocks to all examples 2026-05-06 12:05:08 +02:00
010-provider.tf examples: fmt examples 2026-06-23 13:14:28 +02:00
020-config.tf examples: fmt examples 2026-06-23 13:14:28 +02:00
030-service-account.tf examples: fmt examples 2026-06-23 13:14:28 +02:00
040-kms.tf examples: fmt examples 2026-06-23 13:14:28 +02:00
050-volume.tf examples: fmt examples 2026-06-23 13:14:28 +02:00
060-server.tf examples: fmt examples 2026-06-23 13:14:28 +02:00
cloud-init.yaml fix(cloud-init): remove license header for cloud-init files 2026-06-26 08:56:36 +02:00
MAINTAINERS.md chore(example): add iaas volume encryption 2026-04-16 08:24:00 +02:00
README.md chore(example): add iaas volume encryption 2026-04-16 08:24:00 +02:00
stackit.docs.yaml hackathon: work on idea 2026-07-01 13:40:32 +02:00

IaaS Volume Encryption (Terraform)

Terraform Examples

KMS & IaaS Resources to deploy an encrypted Block Storage Volume

Migration steps to move data from a non-encrypted Volume to an encrypted Volume

  1. Create a Backup of the non-encrypted Volume

There are two options to perform a Backup. The first one is to reference the volume directly:

stackit volume backup create --source-type volume --source-id <volumeId> --name backup01

This blocks all operations on the Volume, such as extending the Volume, until the backup is done.

Another option is to first create a Snapshot and make a Backup from this Snapshot:

stackit volume backup create --source-type snapshot --source-id <snapshotId> --name backup01

  2. Create new encrypted Volume

Use the provided Terraform to deploy a new encrypted Volume with the same size (or larger) than the original Volume.

  3. Create new encrypted Volume from Backup

Use the Backup as the source for the new encrypted Volume.

resource "stackit_volume" "encrypted" {
  project_id        = var.STACKIT_PROJECT_ID
  name              = "encrypted_volume"
  availability_zone = var.zone
  performance_class = "storage_premium_perf6"
  size              = 4
  source = {
    type = "backup"
    id   = "<backupId>"
  }
  encryption_parameters = {
    kek_key_id      = stackit_kms_key.volume-key.key_id
    kek_key_version = 1
    kek_keyring_id  = stackit_kms_keyring.volume.keyring_id
    service_account = "<serviceAccount>@sa.stackit.cloud"
  }
}
  4. Recreate the VM or attach the volume to an existing VM

stackit server create --availability-zone eu01-3 --machine-type c2i.2 --boot-volume-source-type volume --boot-volume-source-id <volumeId> --network-id <networkId> -n server1
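As an added example that is not part of the STACKIT example repository, the same stackit_volume block from step 3 with guardrails for the migration: a precondition that the target volume is not smaller than the source volume, a precondition on the service account address, and prevent_destroy so a later plan cannot delete the migrated data. The variables source_volume_size, encrypted_volume_size and volume_service_account and the @sa.stackit.cloud pattern are my assumptions; every resource attribute is the one used above.

```hcl
# Added example, not the repository's own 050-volume.tf.
# Assumption: the size (GB) of the original non-encrypted volume is passed in
# as source_volume_size so Terraform can refuse a smaller target volume.
variable "source_volume_size" {
  type        = number
  description = "Size in GB of the original non-encrypted volume (assumed input)"
}

variable "encrypted_volume_size" {
  type    = number
  default = 4
}

variable "volume_service_account" {
  type        = string
  description = "Service account allowed to use the KEK, e.g. <serviceAccount>@sa.stackit.cloud"
}

resource "stackit_volume" "encrypted" {
  project_id        = var.STACKIT_PROJECT_ID
  name              = "encrypted_volume"
  availability_zone = var.zone
  performance_class = "storage_premium_perf6"
  size              = var.encrypted_volume_size
  source = {
    type = "backup"
    id   = "<backupId>"
  }
  encryption_parameters = {
    kek_key_id      = stackit_kms_key.volume-key.key_id
    kek_key_version = 1
    kek_keyring_id  = stackit_kms_keyring.volume.keyring_id
    service_account = var.volume_service_account
  }

  lifecycle {
    # Step 2 requires the encrypted volume to be the same size or larger.
    precondition {
      condition     = var.encrypted_volume_size >= var.source_volume_size
      error_message = "encrypted_volume_size must be at least source_volume_size."
    }
    # Catch a mistyped KEK service account before the apply (assumed address pattern).
    precondition {
      condition     = can(regex("^[^@]+@sa\\.stackit\\.cloud$", var.volume_service_account))
      error_message = "volume_service_account must be a <name>@sa.stackit.cloud address."
    }
    # A plan that would destroy the migrated volume fails instead of deleting data.
    prevent_destroy = true
  }
}
```

Running terraform plan with a smaller encrypted_volume_size or a malformed service account fails with the error_message, before any backup is restored.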