EBS Operations: Volume Encryption

Encrypting an existing unencrypted Amazon EBS (Elastic Block Store) volume is not directly possible; you cannot apply encryption to an already created unencrypted EBS volume. However, you can create a snapshot of the unencrypted volume and then create a new encrypted volume from that snapshot. Below is a step-by-step guide to perform this task using the AWS Command Line Interface (CLI):

Prerequisites

  • Make sure you have the AWS CLI installed and configured with the necessary permissions to work with EBS volumes and snapshots.

  • You will need IAM permission for the EC2 actions used below (ec2:CreateSnapshot, ec2:DescribeSnapshots, ec2:CopySnapshot, ec2:CreateVolume, ec2:DescribeVolumes, ec2:AttachVolume, ec2:DeleteVolume and ec2:DeleteSnapshot). If you encrypt with a customer managed KMS key rather than the default EBS key, that key's policy must also allow your principal to use it.

  • Note down the ID of the unencrypted EBS volume that you want to encrypt.

💡
To run the EC2 instance with the EBS volume attached follow this guide: How to launch a single EC2 instance via AWS CLI

Create unencrypted EBS volume

Creating an unencrypted Amazon EBS volume using the AWS CLI is a straightforward process. Here’s how you can do it:

Step 1: Create the EBS Volume

Use the create-volume command to create a new EBS volume. You will need to specify the Availability Zone in which to create the volume and the size of the volume (in GiBs).

Here's an example command to create an unencrypted 1 GiB gp2 (General Purpose SSD) volume in the us-east-1a Availability Zone (the remaining steps assume the volume lives in us-east-1):

aws ec2 create-volume --availability-zone us-east-1a --size 1 --volume-type gp2

Explanation of Parameters:

  • --availability-zone: The Availability Zone in which to create the volume.

  • --size: The size of the volume, in GiBs.

  • --volume-type: The type of volume. Common types are gp2 for General Purpose SSD, io1 for Provisioned IOPS SSD, st1 for Throughput Optimized HDD, and sc1 for Cold HDD. If you omit this parameter, the default volume type is gp2.

This command creates an unencrypted volume because we didn't specify the --encrypted parameter. The one exception is an account that has EBS encryption by default enabled for the Region (check with aws ec2 get-ebs-encryption-by-default): there every new volume is encrypted whether or not the flag is passed, which is also the simplest way to make sure no future volume is created unencrypted.

Step 2: Confirm the Volume Creation

Once the command is executed, the AWS CLI will return a JSON object with the details of the newly created volume. Ensure that the Encrypted field in the output is false, which indicates that the volume is not encrypted.

Volume encryption

  1. Create a Snapshot of the Unencrypted EBS Volume:

     aws ec2 create-snapshot --volume-id vol-xxxxxxxxxxxxxx --description "Snapshot of unencrypted volume"
    

    Replace vol-xxxxxxxxxxxxxx with your actual volume ID. Note down the Snapshot ID (snap-xxxxxxx) from the output. A snapshot taken while the volume is mounted and being written to is only crash-consistent; for a consistent copy, unmount the filesystem first (or stop the instance if it is the root volume).

  2. Wait for the Snapshot to Complete: You can check the status of the snapshot with the following command:

     aws ec2 describe-snapshots --snapshot-ids snap-xxxxxxxx
    

    Replace snap-xxxxxxxx with your snapshot ID. Wait until the State field is completed; aws ec2 wait snapshot-completed --snapshot-ids snap-xxxxxxxx does the polling for you and returns once the snapshot is complete.

  3. Copy the Snapshot and Encrypt It: When you copy a snapshot, you have the option to encrypt it.

     aws ec2 copy-snapshot --source-region us-east-1 --source-snapshot-id snap-xxxxxxxx --encrypted --description "Encrypted copy of snapshot"
    

    Replace us-east-1 with the region your snapshot is in and snap-xxxxxxxx with your actual snapshot ID. Without --kms-key-id the copy is encrypted with the account's default EBS KMS key (the AWS managed aws/ebs key unless you have changed the default); add --kms-key-id to use a customer managed key instead. Note down the new encrypted snapshot ID from the output.

  4. Create an Encrypted EBS Volume from the Encrypted Snapshot:

     aws ec2 create-volume --snapshot-id snap-xxxxxx --availability-zone us-east-1b --encrypted
    

    Replace snap-xxxxxx with your new encrypted snapshot ID and us-east-1b with the Availability Zone of the instance you will attach the volume to (a volume can only be attached to an instance in the same Availability Zone). A volume created from an encrypted snapshot is always encrypted, so --encrypted is redundant here but harmless. You can also skip step 3 entirely and pass --encrypted when creating a volume from the unencrypted snapshot; the copy in step 3 is worth keeping when you want an encrypted snapshot retained as well.

  5. Attach the New Encrypted Volume to an Instance: Once the encrypted volume is available, you can attach it to an instance using the following command:

     aws ec2 attach-volume --volume-id vol-xxxxxxxxxxxxxx --instance-id i-xxxxxxxx --device /dev/sdf
    

    Replace vol-xxxxxxxxxxxxxx with your new encrypted volume ID, i-xxxxxxxx with the instance ID, and /dev/sdf with the device name you want to use. The device name is what you request from EC2; on Nitro-based instances the guest OS exposes the volume as an NVMe device (for example /dev/nvme1n1), so mount it by its NVMe name or its filesystem UUID rather than by /dev/sdf.

  6. Clean Up: After verifying that the data on the new encrypted volume is intact and the volume functions as expected, detach the old unencrypted volume (a volume cannot be deleted while it is attached) and delete it together with the unencrypted snapshot, which otherwise remains a plaintext copy of the data.

     aws ec2 delete-volume --volume-id vol-xxxxxxxxxxxxxx
    

    Replace vol-xxxxxxxxxxxxxx with the ID of the old unencrypted volume.

    And delete the old snapshot:

     aws ec2 delete-snapshot --snapshot-id snap-xxxxxxxx
    

    Replace snap-xxxxxxxx with the ID of the unencrypted snapshot.

  7. (Optional) Update Your Applications or Services: If you have any applications or services that reference the old unencrypted volume, you will need to update them to point to the new encrypted volume.

This process involves downtime if the volume is currently in use. For a data volume you must unmount it in the guest before snapshotting (for a consistent snapshot) and detach the old volume before attaching the new one; stopping the instance is not required. For a root volume you must stop the instance, detach the old root volume, and attach the encrypted one at the instance's root device name (reported as RootDeviceName by describe-instances, typically /dev/xvda or /dev/sda1) before starting it again.
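The whole procedure above, steps 1 through 5, as one added shell script. This is an example written for this page, not code from the original post or from AWS. It assumes a configured AWS CLI (v2), that the new volume belongs in the Availability Zone of the target instance, that the Region can be derived from a standard AZ name, and that the caller has already unmounted the filesystem or stopped the instance so the snapshot is consistent; the script name encrypt-ebs.sh and the function names are made up for the example. It uses the aws ec2 wait waiters instead of polling describe-snapshots by hand and refuses to attach the new volume unless EC2 actually reports it as encrypted.

```shell
#!/usr/bin/env bash
# encrypt-ebs.sh (example): snapshot an unencrypted EBS volume, copy the snapshot
# with encryption, restore it as an encrypted volume and attach it to an instance.
# Usage: bash encrypt-ebs.sh <unencrypted-volume-id> <instance-id> [device] [kms-key-id]
# Caller responsibility: unmount the filesystem or stop the instance first so the
# snapshot is consistent. Requires a configured AWS CLI (assumed, v2).
set -eu

# One wrapper for every call; tests can replace "aws" with a stub function.
ec2() { aws ec2 "$@"; }

# The new volume must live in the Availability Zone of the target instance.
instance_az() {
  ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text
}

# Region = AZ name minus its trailing letter (us-east-1a -> us-east-1).
# Assumes standard AZ names, not Local Zone or Wavelength Zone names.
region_of_az() { printf '%s\n' "${1%?}"; }

# Steps 1 and 2: snapshot the unencrypted volume and wait for it to complete.
# The waiter polls every 15 s and gives up after 40 tries; rerun for huge volumes.
snapshot_volume() {
  local snap
  snap=$(ec2 create-snapshot --volume-id "$1" \
    --description "Snapshot of unencrypted $1" --query SnapshotId --output text) || return 1
  ec2 wait snapshot-completed --snapshot-ids "$snap" || return 1
  printf '%s\n' "$snap"
}

# Step 3: copy the snapshot with encryption. Without --kms-key-id the account's
# default EBS key (the AWS managed aws/ebs key unless changed) is used.
encrypt_snapshot() {
  local src="$1" region="$2" kms="${3:-}" enc
  if [ -n "$kms" ]; then
    enc=$(ec2 copy-snapshot --source-region "$region" --source-snapshot-id "$src" \
      --encrypted --kms-key-id "$kms" --description "Encrypted copy of $src" \
      --query SnapshotId --output text) || return 1
  else
    enc=$(ec2 copy-snapshot --source-region "$region" --source-snapshot-id "$src" \
      --encrypted --description "Encrypted copy of $src" \
      --query SnapshotId --output text) || return 1
  fi
  ec2 wait snapshot-completed --snapshot-ids "$enc" || return 1
  printf '%s\n' "$enc"
}

# Step 4: restore the encrypted snapshot in the instance's AZ, then verify the
# Encrypted flag via describe-volumes instead of trusting the request.
create_encrypted_volume() {
  local vol enc
  vol=$(ec2 create-volume --snapshot-id "$1" --availability-zone "$2" --encrypted \
    --query VolumeId --output text) || return 1
  ec2 wait volume-available --volume-ids "$vol" || return 1
  enc=$(ec2 describe-volumes --volume-ids "$vol" --query 'Volumes[0].Encrypted' --output text) || return 1
  if [ "$enc" != "True" ]; then
    echo "error: $vol reports Encrypted=$enc; refusing to attach it" >&2
    return 1
  fi
  printf '%s\n' "$vol"
}

# Steps 1 to 5 end to end; prints the new encrypted volume ID on stdout.
encrypt_volume() {
  local src_vol="$1" instance="$2" device="${3:-/dev/sdf}" kms="${4:-}"
  local az region snap enc vol
  az=$(instance_az "$instance") || return 1
  region=$(region_of_az "$az")
  snap=$(snapshot_volume "$src_vol") || return 1
  enc=$(encrypt_snapshot "$snap" "$region" "$kms") || return 1
  vol=$(create_encrypted_volume "$enc" "$az") || return 1
  ec2 attach-volume --volume-id "$vol" --instance-id "$instance" --device "$device" >/dev/null || return 1
  ec2 wait volume-in-use --volume-ids "$vol" || return 1
  # Step 6 is left to the operator: delete these only after checking the data.
  echo "left in place for verification: source volume $src_vol, unencrypted snapshot $snap" >&2
  printf '%s\n' "$vol"
}

if [ "$#" -ge 2 ]; then
  encrypt_volume "$@"
else
  echo "usage: $0 <unencrypted-volume-id> <instance-id> [device] [kms-key-id]" >&2
fi
```

Run it as bash encrypt-ebs.sh vol-... i-... [/dev/sdf] [kms-key-id]. Clean-up (step 6) is deliberately left out: the old volume and the unencrypted snapshot are reported on stderr so you can delete them after checking the data, and the Encrypted check before attach-volume is what turns "we asked for encryption" into "we verified it".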

Important Notes:

  • Always take a backup before performing such operations.

  • There may be AWS costs associated with snapshots and volumes, so be aware of your billing and clean up any resources you don't need.

  • The new volume will have a different volume ID from the original. If your systems are configured to reference volumes by ID, you will need to update those configurations.

  • The encrypted volume can only be read while its KMS key is enabled and usable from the instance's account; disabling or scheduling deletion of a customer managed key makes the volume and every snapshot taken from it unreadable, so protect that key's policy and lifecycle as carefully as the data.