Encrypt an already attached Unencrypted EBS volume on AWS EC2
Sometimes in life, we are just trying to get the job done, and we may leave the oven on, lock ourselves out of our house, or forget to encrypt the volume storage attached to our servers.
Try not to panic.
Mistakes happen, which is why we have smoke alarms, why we might give an extra house key to a trusted friend who lives nearby, and why we have this handy guide to encrypt our EBS volume storage after it is attached to a running EC2 server. Here is what to do:
1. Find the EC2 instance with the unencrypted volume, note its ID and the volume's device name and Availability Zone, and stop it (a snapshot taken while the instance is stopped is consistent; one taken of a running root volume may not be).
2. Create a snapshot of the EBS volume you want to encrypt.
3. Copy the EBS snapshot, encrypting the copy in the process with a KMS key. You can use the AWS managed default key for EBS (aws/ebs) or a customer managed key you create; a customer managed key is what you want if you need to control or audit who can use it.
4. Create a new EBS volume from your new encrypted EBS snapshot. It must be in the same Availability Zone as the instance, and it will be encrypted automatically because the snapshot it comes from is. This is also an excellent spot to check the volume type and move off older or more expensive storage (gp2 to gp3, for example) if the current type is not up to the task.
5. Detach the original EBS volume and attach your new encrypted EBS volume, making sure to use exactly the device name the original had (/dev/sda1, etc…).
The attach dialog suggests /dev/sdf through /dev/sdp, but that range is meant for additional data volumes. If this is the root disk, you must enter the instance's own root device name (for example /dev/sda1, /dev/xvda or /dev/xvda1, depending on the AMI) or the instance will not boot. The console accepts it even though it is outside the suggested range.
6. Start the EC2 instance up again. Verify that the server behaves as expected and that the data is intact, and check the new volume's details (Encrypted: true, with the key you chose) in the console or with describe-volumes.
7. Delete the now detached unencrypted volume, and also delete the unencrypted snapshot you took in step 2: it still holds a plaintext copy of the data. Enjoy peaceful sleep!
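The same seven steps as an AWS CLI script, added here as an example and not code from the original post. It assumes AWS CLI v2 with credentials allowed to stop and start the instance and manage EBS, and takes the region, instance ID and volume ID as hypothetical placeholders from the caller. It rereads the original attachment's device name and Availability Zone rather than guessing them, which is what makes the root-disk device-name caveat above a non-issue, and it refuses to report success unless EBS confirms the new volume is encrypted.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): encrypt an attached,
# unencrypted EBS volume by snapshot -> encrypted copy -> new volume -> swap.
# Assumes AWS CLI v2 is configured; IDs passed in are hypothetical placeholders.
set -eu

AWS=${AWS:-aws}   # CLI to invoke; overridable (e.g. with a stub) for dry runs

# usage: encrypt_attached_volume <region> <instance-id> <volume-id> [kms-key] [volume-type]
# Prints "<new-volume-id> <old-volume-id> <plaintext-snapshot-id>" on success.
encrypt_attached_volume() {
  region=$1; instance=$2; old_vol=$3
  kms_key=${4:-alias/aws/ebs}        # AWS managed EBS key; pass your own key to use it

  # Step 1: stop the instance so the snapshot is consistent.
  $AWS ec2 stop-instances --instance-ids "$instance" >/dev/null
  $AWS ec2 wait instance-stopped --instance-ids "$instance"

  # Record how the volume is attached. Reusing the exact device name is what
  # keeps a root volume bootable (/dev/sda1, /dev/xvda1, ... varies by AMI),
  # and the replacement volume must be created in the same Availability Zone.
  info=$($AWS ec2 describe-volumes --volume-ids "$old_vol" \
      --query 'Volumes[0].[Attachments[0].Device,AvailabilityZone,VolumeType]' \
      --output text)
  device=$(printf '%s\n' "$info" | cut -f1)
  az=$(printf '%s\n' "$info" | cut -f2)
  vol_type=${5:-$(printf '%s\n' "$info" | cut -f3)}   # override here to move gp2 -> gp3 etc.

  # Step 2: snapshot the unencrypted volume.
  plain_snap=$($AWS ec2 create-snapshot --volume-id "$old_vol" \
      --description "plaintext copy of $old_vol" --query SnapshotId --output text)
  $AWS ec2 wait snapshot-completed --snapshot-ids "$plain_snap"

  # Step 3: copy the snapshot with encryption turned on.
  enc_snap=$($AWS ec2 copy-snapshot --source-region "$region" \
      --source-snapshot-id "$plain_snap" --encrypted --kms-key-id "$kms_key" \
      --description "encrypted copy of $plain_snap" --query SnapshotId --output text)
  $AWS ec2 wait snapshot-completed --snapshot-ids "$enc_snap"

  # Step 4: build the replacement volume from the encrypted snapshot (same AZ).
  new_vol=$($AWS ec2 create-volume --availability-zone "$az" \
      --snapshot-id "$enc_snap" --volume-type "$vol_type" --query VolumeId --output text)
  $AWS ec2 wait volume-available --volume-ids "$new_vol"

  # Step 5: swap the volumes on the same device name.
  $AWS ec2 detach-volume --volume-id "$old_vol" >/dev/null
  $AWS ec2 wait volume-available --volume-ids "$old_vol"
  $AWS ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance" \
      --device "$device" >/dev/null

  # Step 6: bring the instance back and confirm EBS reports the volume encrypted.
  $AWS ec2 start-instances --instance-ids "$instance" >/dev/null
  $AWS ec2 wait instance-running --instance-ids "$instance"
  volume_is_encrypted "$new_vol" || { echo "$new_vol is not encrypted" >&2; return 1; }

  echo "$new_vol $old_vol $plain_snap"
}

# Returns 0 only if EBS reports the volume as encrypted.
volume_is_encrypted() {
  enc=$($AWS ec2 describe-volumes --volume-ids "$1" \
      --query 'Volumes[0].Encrypted' --output text)
  [ "$enc" = "True" ]
}

# Step 7, run only after you have checked the workload: remove BOTH plaintext
# copies, the detached old volume and the unencrypted snapshot from step 2.
delete_plaintext_copies() {
  $AWS ec2 delete-volume --volume-id "$1"
  $AWS ec2 delete-snapshot --snapshot-id "$2"
}

# Example invocation (placeholder IDs):
#   encrypt_attached_volume us-east-1 i-0123456789abcdef0 vol-0123456789abcdef0
#   delete_plaintext_copies vol-0123456789abcdef0 snap-0123456789abcdef0
```

The deletion is deliberately a separate function so that nothing is destroyed until you have confirmed the instance works on the new volume; the old volume and the plaintext snapshot are the rollback path until then. If you use a customer managed key, make sure the role running the script (and, for the volume to attach, the EC2 service) is allowed to use it, or the copy-snapshot step will fail.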
Generally, this is a good thing to prevent at the outset. EBS has an account-level, per-region "encryption by default" setting that encrypts every new volume and snapshot copy automatically, so turn that on in each region you use. Then check any launch templates, CloudFormation/Terraform definitions or scripts that provision your instances and storage to confirm they set encryption explicitly and use the key you intend.
We think this is a handy targeted method in a pinch, and we hope it serves you well.
If you found this valuable, please follow the blog, and I’ll continue to post more tech goodness. Thanks for reading!