Many AWS users face this common compliance issue - existing EBS volumes created before encryption became standard remain unencrypted. While AWS now enables encryption by default for new volumes, the existing ones require manual intervention.
The most reliable method involves creating encrypted copies of your unencrypted volumes through snapshots. Here's why this approach works best:
- Minimal downtime (can be done with running instances)
- Preserves all data and metadata
- Allows verification before deleting originals
- Works with both GP2 and GP3 volume types
Here's the complete workflow with AWS CLI examples:
```
# First, create a snapshot of the unencrypted volume
aws ec2 create-snapshot \
    --volume-id vol-1234567890abcdef0 \
    --description "Pre-encryption snapshot"

# Wait for snapshot completion (check status)
aws ec2 describe-snapshots \
    --snapshot-ids snap-1234567890abcdef0

# Create encrypted copy from the snapshot
aws ec2 copy-snapshot \
    --source-snapshot-id snap-1234567890abcdef0 \
    --source-region us-east-1 \
    --encrypted \
    --kms-key-id alias/aws/ebs \
    --description "Encrypted copy"
```
For environments with numerous volumes, consider this Python script using Boto3:
```python
import boto3
from datetime import datetime


def encrypt_ebs_volume(volume_id, kms_key_id='alias/aws/ebs'):
    ec2 = boto3.client('ec2')
    # Create a snapshot of the unencrypted volume
    snapshot = ec2.create_snapshot(
        VolumeId=volume_id,
        Description=f'Encryption prep {datetime.now().isoformat()}'
    )
    # Wait for snapshot completion
    waiter = ec2.get_waiter('snapshot_completed')
    waiter.wait(SnapshotIds=[snapshot['SnapshotId']])
    # Create encrypted copy in the region the client is configured for
    # (a hardcoded region fails for volumes elsewhere)
    encrypted_snap = ec2.copy_snapshot(
        SourceSnapshotId=snapshot['SnapshotId'],
        SourceRegion=ec2.meta.region_name,
        Encrypted=True,
        KmsKeyId=kms_key_id
    )
    # The copy is asynchronous too; wait before creating a volume from it
    waiter.wait(SnapshotIds=[encrypted_snap['SnapshotId']])
    return encrypted_snap['SnapshotId']
```
After creating your encrypted volume:
- Create new volume from encrypted snapshot
- Detach old volume from instance
- Attach new encrypted volume using same device name
- Verify application functionality
- Delete old unencrypted resources (only after confirmation)
Performance Impact: Encryption adds minimal overhead (<1% for most workloads)
Cost Factors: You'll incur storage costs for both versions during migration
IAM Permissions: Ensure roles have kms:Encrypt, kms:Decrypt, and ec2:CopySnapshot
Many AWS users face the challenge of migrating unencrypted EBS volumes to encrypted ones, especially when complying with new security policies requiring "encryption at rest." AWS doesn't provide direct encryption for existing volumes, but we have reliable workarounds.
The standard approach involves creating encrypted copies of unencrypted volumes. Here's the high-level process:
1. Create snapshot of unencrypted volume
2. Copy snapshot with encryption enabled
3. Create new encrypted volume from snapshot
4. Attach new volume to instance
Let's walk through the complete CLI workflow with concrete examples:
```
# Step 1: Create snapshot of unencrypted volume
aws ec2 create-snapshot \
    --volume-id vol-1234567890abcdef0 \
    --description "Pre-encryption snapshot"

# Step 2: Copy snapshot with encryption
aws ec2 copy-snapshot \
    --source-region us-west-2 \
    --source-snapshot-id snap-0a1b2c3d4e5f6g7h8 \
    --encrypted \
    --kms-key-id alias/aws/ebs
```
For volumes attached to running instances, consider this alternative method:
```
# Stop the instance (if acceptable)
aws ec2 stop-instances --instance-ids i-1234567890abcdef0

# Create image (AMI) with encryption
aws ec2 create-image \
    --instance-id i-1234567890abcdef0 \
    --name "Encrypted-AMI" \
    --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"Encrypted":true}}]'
```
After migration, always verify the encryption status:
```
aws ec2 describe-volumes \
    --volume-ids vol-9876543210fedcba \
    --query 'Volumes[*].Encrypted'
```
Remember to:
- Test the new encrypted volume before deleting old resources
- Update any automation scripts referencing old volume IDs
- Consider cost implications of snapshot storage during transition
For root volumes, the process differs slightly:
```
# Create encrypted AMI from running instance
aws ec2 create-image \
    --instance-id i-1234567890abcdef0 \
    --name "Encrypted-Root-AMI" \
    --block-device-mappings '[{"DeviceName":"/dev/xvda","Ebs":{"Encrypted":true}}]'
```
Note that you'll need to launch new instances from this AMI rather than attaching volumes to existing instances.
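The planning and verification steps above (deciding which unencrypted volumes take the snapshot-copy path and which, as root volumes, need a new AMI, then checking a replacement before deleting the original) can be scripted offline against `describe-volumes` output. This is an added example, not code from the original post; the volume and instance records below are constructed in the shape of the `aws ec2 describe-volumes` and `describe-instances` JSON, and `plan_migration` / `verify_replacement` are hypothetical helper names.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-volumes` output (not real resources).
DESCRIBE_VOLUMES = json.loads("""
{"Volumes": [
 {"VolumeId": "vol-0aaa", "Encrypted": false, "Size": 8, "AvailabilityZone": "us-east-1a",
  "VolumeType": "gp3", "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/xvda"}]},
 {"VolumeId": "vol-0bbb", "Encrypted": false, "Size": 100, "AvailabilityZone": "us-east-1a",
  "VolumeType": "gp2", "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/sdf"}]},
 {"VolumeId": "vol-0ccc", "Encrypted": true, "Size": 100, "AvailabilityZone": "us-east-1a",
  "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE", "VolumeType": "gp3",
  "Attachments": []}
]}
""")
# RootDeviceName per instance, as reported by `describe-instances` (constructed).
ROOT_DEVICES = {"i-0111": "/dev/xvda"}


def plan_migration(volumes, root_devices):
    """One plan entry per unencrypted volume. Data volumes go snapshot -> encrypted
    copy -> new volume; a volume mounted as the instance root needs a new AMI."""
    plan = []
    for v in volumes["Volumes"]:
        if v.get("Encrypted"):
            continue  # already compliant, nothing to do
        att = (v.get("Attachments") or [{}])[0]
        inst, dev = att.get("InstanceId"), att.get("Device")
        is_root = inst is not None and root_devices.get(inst) == dev
        plan.append({"VolumeId": v["VolumeId"], "InstanceId": inst, "Device": dev,
                     "Method": "ami" if is_root else "snapshot-copy"})
    return plan


def verify_replacement(old, new):
    """Checks to pass before deleting the old volume: the replacement must be
    encrypted with a KMS key, match size/type/AZ, and sit on the same device
    of the same instance the old volume occupied (old record captured pre-migration)."""
    problems = []
    if not new.get("Encrypted") or not new.get("KmsKeyId"):
        problems.append("new volume not encrypted")
    for field in ("Size", "AvailabilityZone", "VolumeType"):
        if old.get(field) != new.get(field):
            problems.append(f"{field} differs")
    old_att = (old.get("Attachments") or [{}])[0]
    new_att = (new.get("Attachments") or [{}])[0]
    if (old_att.get("InstanceId"), old_att.get("Device")) != \
            (new_att.get("InstanceId"), new_att.get("Device")):
        problems.append("attachment differs")
    return problems
```

Feed the script the real JSON (`aws ec2 describe-volumes --output json`) and the root device names from `describe-instances` to get the same plan for an account; an empty list from `verify_replacement` is the gate before the delete step.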