KS-2026-004 Medium ● Patched

Koha data volume not encrypted at rest on Standard tier

The Koha data EBS volume on Standard tier instances was not encrypted at rest. New Standard tier stacks launched from the patched AMI use a KMS customer-managed key (CMK) with automatic annual rotation.

Published: May 29, 2026
Last Updated: May 29, 2026
Affected Versions: Koha Cloud Standard Tier AMI builds released before 2026-05-29
Fixed In: Koha v25.11.04-1 (AMI build 2026-05-29)

Overview

On Standard tier instances, the dedicated EBS data volume (/dev/xvdf, mounted at /mnt/kohadata) was created without encryption. Library data stored on this volume — including the Koha MySQL database, uploaded files, and configuration — was not protected by encryption at rest.

Free and Basic tier instances are not affected as they do not have a separate data volume in builds prior to this release. Enterprise tier uses Amazon Aurora (managed encryption) and is not affected.

Affected Versions

  • Koha Cloud Standard Tier AMI builds released before 2026-05-29.
  • Existing stacks launched before this date retain unencrypted data volumes. Upgrading the AMI does not retroactively encrypt existing volumes.
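
To find stacks that still carry an unencrypted data volume, the check below reads the JSON produced by `aws ec2 describe-volumes --output json` and reports every volume attached at the data device. It is an added example, not code from the Koha Cloud project; the sample IDs and key ARN are constructed placeholders, and it assumes the EC2 API reports the attachment device as /dev/xvdf (pass `device=` if your account shows a different name).

```python
import json
import sys

DATA_DEVICE = "/dev/xvdf"  # data volume device name given in the advisory

# Constructed sample, shaped like `aws ec2 describe-volumes --output json`.
# All IDs and the key ARN are made-up placeholders.
SAMPLE = {
    "Volumes": [
        {"VolumeId": "vol-0aaaaaaaaaaaaaaa1", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0aaaaaaaaaaaaaaa1",
                          "Device": "/dev/xvdf", "State": "attached"}]},
        {"VolumeId": "vol-0bbbbbbbbbbbbbbb2", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
         "Attachments": [{"InstanceId": "i-0bbbbbbbbbbbbbbb2",
                          "Device": "/dev/xvdf", "State": "attached"}]},
        {"VolumeId": "vol-0ccccccccccccccc3", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0aaaaaaaaaaaaaaa1",
                          "Device": "/dev/xvda", "State": "attached"}]},
    ]
}


def audit_data_volumes(describe_volumes, device=DATA_DEVICE):
    """Return one finding per volume attached at `device`."""
    findings = []
    for vol in describe_volumes.get("Volumes", []):
        for att in vol.get("Attachments", []):
            if att.get("Device") != device:
                continue  # root or other volumes are outside this advisory
            encrypted = vol.get("Encrypted") is True
            findings.append({
                "volume_id": vol.get("VolumeId"),
                "instance_id": att.get("InstanceId"),
                "encrypted": encrypted,
                "kms_key_id": vol.get("KmsKeyId") if encrypted else None,
            })
    return findings


if __name__ == "__main__":
    # Pass a saved describe-volumes JSON file, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_data_volumes(data):
        state = "encrypted" if f["encrypted"] else "NOT ENCRYPTED (affected)"
        print(f'{f["instance_id"]} {f["volume_id"]} {state} {f["kms_key_id"] or ""}')
```

An `encrypted` result only shows that some KMS key is in use; whether that key is customer-managed is reported by the `KeyManager` field of `aws kms describe-key`.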

Remediation

Option 1: Launch a New Stack from the Patched AMI

New stacks launched from Koha v25.11.04-1 (AMI build 2026-05-29) or later will have the data volume encrypted with a KMS CMK and automatic annual key rotation enabled.

  1. Launch a new CloudFormation stack using the updated template from AWS Marketplace.
  2. Migrate your data from the old instance. See the migration guide for step-by-step instructions.
  3. Terminate the old stack after verifying the new instance is working correctly.

Option 2: Encrypt an Existing Volume (Advanced)

It is possible to encrypt an existing volume by taking a snapshot and copying it with encryption enabled, then swapping the volume. This procedure requires planned downtime and carries risk if performed incorrectly. We do not recommend doing this unassisted — contact [email protected] and we will coordinate the migration with you.

Option 3: Contact Support

If you are unsure how to apply the above steps, contact us at [email protected] or use the contact form.

Timeline

Date Event
2026-05-29 Issue identified
2026-05-29 Fix merged — KMS CMK + auto key rotation added to Standard tier CloudFormation template
2026-05-29 Advisory published
2026-05-29 Patched AMI published to AWS Marketplace
