A shared file store powered several PHP applications behind an application load balancer. The file system, about 500 GB, saw continuous activity: new files arriving, older files changing, and multiple servers reading and writing at once.
The challenge was straightforward to state but delicate to execute: move from an unencrypted Amazon EFS volume to an encrypted one, maintain full data integrity, and keep the applications online throughout.
We approached the migration as a living system rather than a one-time copy. First, we established a like-for-like encrypted EFS and linked it to the existing volume using native EFS replication. That created a near-real-time mirror capable of tracking the constant flow of changes.
To build confidence, we introduced a neutral observation point that mounted both file systems. From there, we could watch replication progress, compare directory structures, and verify that the encrypted target was converging on the live state. Once replication stabilized, we shifted traffic in a measured way: placing one application server on the encrypted volume while the other continued on the original, using load-balancer health checks as our safety net. This allowed the team to validate real application behaviour, reads, writes, and downstream workflows, on the encrypted store without risking user experience.
When it was time to finalize, we paused background tasks that might generate a last burst of writes, let replication settle, and performed a brief, targeted delta sync with rsync to capture any stragglers. With both sides aligned, we completed the cutover and returned the fleet to normal rotation, now fully on encrypted storage. Throughout, we maintained a clear rollback path, though it was not needed.
Amazon EFS with native replication
Amazon EC2 behind an Application Load Balancer
Targeted resync for final deltas
Encryption at rest on EFS, IAM-based access controls
Health checks and runtime validation via the ALB and application logs
Zero-downtime user experience: The platform remained available while storage changed under the hood.
Stronger security posture: Transparent encryption at rest without altering application logic.
Data integrity assured: Replication plus a focused delta sync ensured files and updates arrived intact.
Controlled, reversible cutover: Phased traffic shifts and health checks kept risk low and options open.
Operational simplicity: Applications continued to use the same mount paths and patterns after the move.
