How can I encrypt an existing unencrypted EBS volume, or change the encryption key that my volume uses?

Short description

You can't encrypt existing unencrypted Amazon EBS volumes. You also can't change the AWS Key Management Service (AWS KMS) key that existing encrypted EBS volumes use. However, you can create a snapshot of the volume. Then, use the snapshot to create a new, encrypted copy of the volume. When you create the new volume, specify the encryption key that you want to use.

Resolution

Note: Amazon EBS volumes that are created from snapshots go through an initialization process. This can cause an initial performance degradation for the volume. To avoid performance degradation, use one of the two options listed in step 8.

1. Open the Amazon EC2 console.
2. Under Elastic Block Store, select Volumes.
3. Select the volume from the list. Note the current Availability Zone of your volume.
4. From the Actions dropdown list, choose Create snapshot.
5. (Optional) Enter a Description for the snapshot.
6. Select Create snapshot.
7. Under Elastic Block Store, select Snapshots, and then select your newly created snapshot.
8. (Optional) To avoid latency issues, turn on Amazon EBS fast snapshot restore on your snapshot. Or, manually initialize your Amazon EBS volume after creation.
9. From the Actions dropdown list, select Create volume from snapshot.
10. From the Availability Zone dropdown list, select the same Availability Zone of your current volume.
11. If the source snapshot is unencrypted, then under Encryption, select Encrypt this volume.
12. From the KMS key dropdown list, choose the encryption key.
13. Select Create volume.

To encrypt volumes and snapshot copies by default, see How can I turn on automatic encryption of new Amazon EBS volumes and snapshot copies created in my account?

Related information

Amazon EBS encryption