Creating a Boot Partition on a New AWS Volume

If a Linux VM in AWS is not running CentOS 6.x, RHEL 6.x, or Amazon Linux, we recommend that you create a boot partition on the existing root volume and then boot from the root volume. Because the root volume will be larger than a new volume created exclusively as a boot volume, AWS will assign more IOPS (Input/Output Operations per Second) to the root volume than to a new volume. This usually results in faster encryption speeds due to the higher number of IOPS available. This method is described in Creating a Boot Partition on the AWS Root Volume.

If the VM is running CentOS 6.x, RHEL 6.x, or Amazon Linux, or if you do not want to add a boot partition to your root volume, you can create a new volume that will become the boot partition. To do so:

  1. Create another EBS volume and attach it to the existing instance. For example, suppose the current Linux system is installed on device /dev/sda1 and the GRUB stage1 is also installed on /dev/sda1. This is a typical Linux installation. To size the new volume, find out the space required by the /boot subtree:

    # du -sh /boot

    In general, the space provided should be twice the space used by /boot plus 100 MB. So if /boot uses 200 MB, the space should be (200 MB * 2) + 100 MB = 500 MB.

  2. Run the script aws-prepare-boot.sh that is installed as part of the HyTrust DataControl Policy Agent package. For example, if you add a new device named /dev/xvdf, you would enter:

    # /opt/hcs/bin/aws-prepare-boot.sh /dev/xvdf

  3. Power OFF the AWS instance.

  4. From the EC2 console, detach the original volume and the new volume from the VM instance.
  5. Reattach both volumes but with names exchanged. So the new volume should be added as /dev/sda1 and the original volume should be added as /dev/sdf. This changes the boot device for the VM instance.

    Tip: Note the use of /dev/sda1 and not /dev/sda, as the EC2 console typically uses this name for the OS boot disk.
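
The sizing rule from step 1 and the device-name exchange from steps 3 to 5 can be rehearsed as a dry run before the instance is touched. The script below is an added example, not part of the HyTrust package or the original page: it only prints AWS CLI commands equivalent to the EC2 console actions and never calls AWS. The function names and the instance and volume IDs are constructed placeholders, and MB is treated as MiB when rounding up to a whole-GiB EBS size.

```sh
#!/bin/sh
# Added example (not HyTrust code): size the boot volume and print the swap plan.

# Step 1 rule: twice the space used by /boot plus 100 MB.
# $1 = MB used by /boot, e.g. from: du -sm /boot | cut -f1
boot_volume_mb() {
    echo $(( $1 * 2 + 100 ))
}

# EBS volumes are created in whole GiB, so round up (assumes MB == MiB).
ebs_size_gib() {
    gib=$(( ($1 + 1023) / 1024 ))
    if [ "$gib" -lt 1 ]; then gib=1; fi
    echo "$gib"
}

# Steps 3-5 as AWS CLI commands: stop, detach both volumes, reattach with the
# device names exchanged. $1 = instance, $2 = original volume, $3 = new volume.
swap_plan() {
    inst=$1; orig=$2; new=$3
    # Refuse an incomplete or self-swapping plan; it would leave no boot device.
    if [ -z "$inst" ] || [ -z "$orig" ] || [ -z "$new" ] || [ "$orig" = "$new" ]; then
        echo "usage: swap_plan INSTANCE ORIGINAL_VOL NEW_VOL (volumes must differ)" >&2
        return 1
    fi
    echo "aws ec2 stop-instances --instance-ids $inst"
    echo "aws ec2 wait instance-stopped --instance-ids $inst"
    for v in "$orig" "$new"; do
        echo "aws ec2 detach-volume --volume-id $v"
    done
    echo "aws ec2 wait volume-available --volume-ids $orig $new"
    # New volume takes the boot name; original volume becomes /dev/sdf.
    echo "aws ec2 attach-volume --instance-id $inst --volume-id $new --device /dev/sda1"
    echo "aws ec2 attach-volume --instance-id $inst --volume-id $orig --device /dev/sdf"
}

# Constructed sample run: /boot uses 200 MB; all IDs are placeholders.
used=200
need=$(boot_volume_mb "$used")
echo "/boot uses ${used} MB: need ${need} MB, create a $(ebs_size_gib "$need") GiB volume"
swap_plan i-EXAMPLE vol-ORIGINAL vol-NEWBOOT
```

Review the printed plan against the volume IDs shown in the EC2 console before running any of the commands.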

What to Do Next 

Verify the configuration as described in Verifying the Current VM Configuration and then encrypt the boot device as described in Encrypting Linux System Devices.