Troubleshooting Amazon EC2 Boot Volume Encryption

There is one known issue with Amazon EC2 boot volume encryption that this topic addresses.
When initializing boot volume encryption on an Amazon EC2 instance, SecureCloud automatically changes the Amazon kernel identifier (kernel ID) to a specific regional kernel ID and then begins to encrypt the instance. However, SecureCloud sometimes does not perform this step, and the status of the instance may change to "Encrypted" even though no encryption was actually performed.
The following table shows the regions and their associated kernel IDs.
Region ID       Region Description                      Kernel ID
--------------  --------------------------------------  ------------
us-east-1       US East (Northern Virginia) Region      aki-b4aa75dd
us-west-1       US West (Northern California) Region    aki-8b655dff
us-west-2       US West (Oregon) Region                 aki-f837bac8
ap-northeast-1  Asia Pacific (Tokyo) Region             aki-40992841
ap-southeast-1  Asia Pacific (Singapore) Region         aki-fa1354a8
ap-southeast-2  Asia Pacific (Sydney) Region            aki-3d990e07
sa-east-1       South America (Sao Paulo) Region        aki-c88f51d5
eu-west-1       EU (Ireland) Region                     aki-8b655dff
To determine whether this issue has occurred, go to the Amazon AWS Management Console and verify that the kernel ID of the affected instance matches the kernel ID listed above for its region.
If it does not, perform the following steps to manually change the kernel ID and resolve this issue.

Procedure

  1. Download and install Amazon EC2 API Tools.
    Go to the following link to download the tools and for instructions about using and installing them:
  2. Stop the affected Amazon EC2 instance from the Amazon AWS Management Console.
  3. Open a command prompt, and change to the directory where you installed Amazon EC2 API Tools.
  4. Execute the following command to modify the instance attribute of the kernel ID to the appropriate regional kernel ID.
    ec2-modify-instance-attribute <instance_id> --kernel <kernel_id> --region <region_id>
    • <instance_id>: This value is the instance ID for the affected instance from the Amazon AWS Management Console.
      Example: i-627deb34
    • <kernel_id>: This value is the kernel ID for the appropriate region of the Amazon EC2 instance.
      Example: aki-fa1354a8
    • <region_id>: This value is the
      Example: ap-southeast-1
    This is a complete example command:
    ec2-modify-instance-attribute i-627deb34 --kernel aki-fa1354a8 --region ap-southeast-1
  5. Execute the following command to start the instance.
    ec2-start-instances <instance_id> --region <region_id>
    This is a complete example command:
    ec2-start-instances i-627deb34 --region ap-southeast-1
  6. Go to the Amazon AWS Management Console and verify that the kernel ID for the affected instance has changed.
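
The kernel ID check described above can be run over several instances at once. The following script is an added example, not part of the original documentation or of SecureCloud; it compares each instance's kernel ID with the regional table on this page and prints the step 4 command for every mismatch. The input format (one "instance_id region kernel_id" line per instance, copied from the console) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit kernel IDs against the regional table on this page.

# Print the kernel ID the table lists for a region; fail for unlisted regions.
expected_kernel() {
    case "$1" in
        us-east-1)      echo aki-b4aa75dd ;;
        us-west-1)      echo aki-8b655dff ;;
        us-west-2)      echo aki-f837bac8 ;;
        ap-northeast-1) echo aki-40992841 ;;
        ap-southeast-1) echo aki-fa1354a8 ;;
        ap-southeast-2) echo aki-3d990e07 ;;
        sa-east-1)      echo aki-c88f51d5 ;;
        eu-west-1)      echo aki-8b655dff ;;
        *)              return 1 ;;
    esac
}

# Read "instance_id region kernel_id" lines on stdin (assumed format).
# Print one ec2-modify-instance-attribute command per mismatched instance
# and return 1 if any instance needs attention, 0 if all match the table.
audit_kernels() {
    rc=0
    while read -r id region actual; do
        case "$id" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if ! want=$(expected_kernel "$region"); then
            echo "UNKNOWN-REGION $id $region"     # region not in the table
            rc=1
        elif [ "$actual" != "$want" ]; then
            echo "ec2-modify-instance-attribute $id --kernel $want --region $region"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventory: i-627deb34 is the page's example instance,
# aki-00000000 and i-11111111 are made-up placeholder values.
audit_kernels <<'EOF' || echo "Mismatch found: stop each listed instance before running its command."
# instance_id  region  kernel_id_shown_in_console
i-627deb34 ap-southeast-1 aki-00000000
i-11111111 us-east-1 aki-b4aa75dd
EOF
```

An instance reported here while its status reads "Encrypted" is one where the issue described in this topic has occurred.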