How to encrypt an EBS volume

Sypalo.com

In this article, I will show you how to encrypt an existing EBS volume using the AWS web portal or PowerShell.

  • Go to https://console.aws.amazon.com/ec2 and navigate to Instances
  • Stop the instance whose volume you want to encrypt
  • Expand the bottom pane and switch to the «Storage» tab, so you see a link to the instance's volume at the bottom of the page
  • Click on it and you will notice that the volume is not encrypted, so right-click it and select «Create snapshot»
  • Provide a name and a description so the snapshot is easy to find, then click «Create Snapshot»
  • Navigate to Snapshots, right-click the one we just created and select «Create Volume»; notice that the snapshot is not encrypted
  • To create an encrypted volume from an unencrypted snapshot, select the same availability zone as the instance, tick the encryption checkbox and click «Create Volume»
  • Once the volume is created, go back to the EC2 Instances section and locate your instance
  • Write down the current device name from the attachment info; for Linux instances it is usually /dev/xvda
  • Click on the currently attached volume; this takes you to the Volumes section again, filtered to show only that one volume, so you will not misclick and detach a volume from another instance
  • Right-click on the volume and click «Detach Volume»
  • Right-click on the encrypted volume and select «Attach Volume»; notice it is encrypted
  • Provide the ID of the instance you are attaching the volume to and the device name (the one you wrote down earlier), then click «Attach»

That's it. Later you can remove the unencrypted volume and snapshot.
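
The same sequence as a PowerShell script, added here as an example (it is not the article author's code). It assumes the AWS.Tools.EC2 module is installed with credentials and region configured; the instance ID is a placeholder, `Wait-Until` is a helper defined only for this example, and the new volume gets the default volume type and the account's default KMS key for EBS.

```powershell
# Added example, not the article author's code.
# Assumes AWS.Tools.EC2 is installed and credentials/region are configured.
Import-Module AWS.Tools.EC2

$InstanceId = 'i-0123456789abcdef0'  # placeholder instance ID
$Device     = '/dev/xvda'            # device name of the volume to replace

# Helper defined for this example: poll until the script block returns $true.
function Wait-Until([scriptblock]$Condition, [int]$DelaySeconds = 10) {
    while (-not (& $Condition)) { Start-Sleep -Seconds $DelaySeconds }
}

# Stop the instance and wait until it is fully stopped.
Stop-EC2Instance -InstanceId $InstanceId | Out-Null
Wait-Until { (Get-EC2Instance -InstanceId $InstanceId).Instances[0].State.Name.Value -eq 'stopped' }

# Locate the volume attached at $Device; bail out if there is nothing to do.
$old = Get-EC2Volume -Filter @(
    @{ Name = 'attachment.instance-id'; Values = $InstanceId },
    @{ Name = 'attachment.device';      Values = $Device })
if (-not $old)      { throw "No volume attached to $InstanceId at $Device" }
if ($old.Encrypted) { throw "$($old.VolumeId) is already encrypted" }

# Snapshot the unencrypted volume and wait for the snapshot to complete.
$snap = New-EC2Snapshot -VolumeId $old.VolumeId -Description "Copy of $($old.VolumeId) for encryption"
Wait-Until { (Get-EC2Snapshot -SnapshotId $snap.SnapshotId).State.Value -eq 'completed' }

# Create an encrypted volume from the snapshot in the same availability zone.
# No -KmsKeyId is given, so the account's default KMS key for EBS is used.
$new = New-EC2Volume -SnapshotId $snap.SnapshotId -AvailabilityZone $old.AvailabilityZone -Encrypted $true
Wait-Until { (Get-EC2Volume -VolumeId $new.VolumeId).State.Value -eq 'available' }
if (-not (Get-EC2Volume -VolumeId $new.VolumeId).Encrypted) { throw "$($new.VolumeId) is not encrypted" }

# Swap volumes: detach the old one, attach the encrypted one at the same device name.
Dismount-EC2Volume -VolumeId $old.VolumeId -InstanceId $InstanceId | Out-Null
Wait-Until { (Get-EC2Volume -VolumeId $old.VolumeId).State.Value -eq 'available' }
Add-EC2Volume -InstanceId $InstanceId -VolumeId $new.VolumeId -Device $Device | Out-Null

# The instance is left stopped; the old volume and the snapshot are kept for later cleanup.
"Replaced $($old.VolumeId) with encrypted $($new.VolumeId); snapshot $($snap.SnapshotId) kept"
```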