Enable a Linux AMI for NitroTPM - Amazon Elastic Compute Cloud

Enable a Linux AMI for NitroTPM

To enable NitroTPM for an instance, you must launch the instance using an AMI with NitroTPM enabled. You must configure your Linux AMI with NitroTPM support when you register it. You can't configure NitroTPM support later on.

For the list of Windows AMIs that are preconfigured for NitroTPM support, see Requirements for using NitroTPM with Amazon EC2 instances.

You must create an AMI with NitroTPM configured by using the RegisterImage API. You can't use the Amazon EC2 console or VM Import/Export.

To enable a Linux AMI for NitroTPM
  1. Launch a temporary instance with your required Linux AMI. Note the ID of its root volume, which you can find in the console on the Storage tab for the instance.

  2. After the instance reaches the running state, create a snapshot of the instance's root volume. You can use the console or the following create-snapshot command.

    aws ec2 create-snapshot \
        --volume-id vol-1234567890EXAMPLE \
        --description "Snapshot of the root volume"
  3. Register the snapshot you created as an AMI. You must use the register-image command. For --tpm-support, specify v2.0. For --boot-mode, specify uefi. In the block device mapping, specify the snapshot that you created for the root volume. Note that register-image only sets the AMI's boot mode attribute; it does not convert the operating system. The root volume in the snapshot must already be UEFI-bootable (an EFI system partition with an installed UEFI boot loader), or instances launched from the new AMI will fail to boot.

    aws ec2 register-image \
        --name my-image \
        --boot-mode uefi \
        --architecture x86_64 \
        --root-device-name /dev/xvda \
        --block-device-mappings DeviceName=/dev/xvda,Ebs={SnapshotId=snapshot_id} \
        --tpm-support v2.0

    The following is example output.

    {
        "ImageId": "ami-0123456789example"
    }
  4. Terminate the temporary instance that you launched in step 1.
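The four steps above, scripted end to end, as an added example that is not part of the AWS documentation. It assumes AWS CLI v2 with credentials that allow ec2:DescribeInstances, ec2:DescribeImages, ec2:CreateSnapshot, ec2:RegisterImage and ec2:TerminateInstances, and that the temporary instance from step 1 (passed in the hypothetical SOURCE_INSTANCE_ID variable) was launched from a UEFI-capable Linux AMI. Unlike the page's example it reads the root device name and architecture from the instance instead of assuming /dev/xvda and x86_64, waits for the snapshot to complete before registering, and, through the helper check_ami_attrs (my own name), confirms from describe-images that the new AMI really carries BootMode=uefi and TpmSupport=v2.0 before the temporary instance is terminated.

```shell
#!/bin/sh
# Added example, not AWS's own code. Registers a NitroTPM-enabled Linux AMI
# from a running temporary instance and verifies the result.
# Assumes AWS CLI v2 and an IAM principal with the Describe*/CreateSnapshot/
# RegisterImage/TerminateInstances permissions listed in the lead-in.
set -eu

# check_ami_attrs "BOOTMODE<tab>TPMSUPPORT"
# Takes one line of `describe-images --output text` for [BootMode,TpmSupport]
# and returns 0 only for uefi + v2.0. "uefi-preferred" is rejected on purpose:
# the page requires boot mode uefi, and uefi-preferred can still boot legacy.
check_ami_attrs() {
  # shellcheck disable=SC2086  # word-splitting on tab/space is intended
  set -- $1
  [ "${1:-}" = "uefi" ] && [ "${2:-}" = "v2.0" ]
}

# register_nitrotpm_ami INSTANCE_ID AMI_NAME  -> prints the new AMI ID
register_nitrotpm_ami() {
  inst="$1"
  name="$2"

  # Step 1/2: the instance must be running before its root volume is snapshotted.
  aws ec2 wait instance-running --instance-ids "$inst"

  # Read the root device name instead of assuming /dev/xvda (Ubuntu uses
  # /dev/sda1), then the volume attached at that device, and the architecture.
  q='Reservations[0].Instances[0]'
  root_dev=$(aws ec2 describe-instances --instance-ids "$inst" \
      --query "$q.RootDeviceName" --output text)
  vol=$(aws ec2 describe-instances --instance-ids "$inst" \
      --query "$q.BlockDeviceMappings[?DeviceName=='$root_dev'].Ebs.VolumeId" \
      --output text)
  arch=$(aws ec2 describe-instances --instance-ids "$inst" \
      --query "$q.Architecture" --output text)

  # Step 2: snapshot the root volume and wait until it is completed.
  snap=$(aws ec2 create-snapshot --volume-id "$vol" \
      --description "NitroTPM root volume for $name" \
      --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"

  # Step 3: register with UEFI boot mode and TPM 2.0. NitroTPM only exists on
  # Nitro instance types, which need HVM and ENA, so both are set explicitly.
  ami=$(aws ec2 register-image \
      --name "$name" \
      --boot-mode uefi \
      --tpm-support v2.0 \
      --architecture "$arch" \
      --virtualization-type hvm \
      --ena-support \
      --root-device-name "$root_dev" \
      --block-device-mappings "DeviceName=$root_dev,Ebs={SnapshotId=$snap,DeleteOnTermination=true}" \
      --query ImageId --output text)

  # Verify the attributes actually landed on the AMI before cleaning up.
  aws ec2 wait image-available --image-ids "$ami"
  attrs=$(aws ec2 describe-images --image-ids "$ami" \
      --query 'Images[0].[BootMode,TpmSupport]' --output text)
  if ! check_ami_attrs "$attrs"; then
    echo "AMI $ami is not uefi/v2.0 (got: $attrs); not terminating $inst" >&2
    return 1
  fi

  # Step 4: the temporary instance is no longer needed.
  aws ec2 terminate-instances --instance-ids "$inst" >/dev/null
  echo "$ami"
}

# Runs only when SOURCE_INSTANCE_ID is set, so the helpers can also be sourced.
if [ -n "${SOURCE_INSTANCE_ID:-}" ]; then
  register_nitrotpm_ami "$SOURCE_INSTANCE_ID" "${AMI_NAME:-my-nitrotpm-image}"
fi
```

Run it as `SOURCE_INSTANCE_ID=i-0123456789example AMI_NAME=my-image sh register-nitrotpm-ami.sh` (hypothetical IDs and filename). After launching an instance from the printed AMI, a stock Linux kernel with the TPM CRB driver exposes the device as /dev/tpm0; its absence usually means the AMI was registered without --tpm-support or the instance type is not Nitro-based.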