- Create a snapshot of the encrypted root volume, or create an Amazon Machine Image (AMI) of the instance with the encrypted volume.
  Note: It's a best practice to use snapshots and AMIs to back up your resources before you perform any major tasks.
- Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
- Stop the instance with the encrypted root volume.
- On the Storage tab, note your root device's name, and then choose the Volume ID.
  Note: The root device differs by AMI. For example, Amazon Linux 1 and 2 use /dev/xvda. Other distributions, such as Ubuntu 14, 16, 18, CentOS7, and RHEL 7.5, use /dev/sda1.
- Choose Actions, and then choose Detach volume.
- Choose Yes, Detach, and then note the Availability Zone.
- Launch a rescue instance in the same Availability Zone as the original instance.
  Note: Use a similar operating system (OS) to the one that you used to launch the original instance.
- In the navigation pane, choose Volumes, and then select the encrypted root volume.
- Choose Actions, and then choose Attach volume.
- For Instance, choose the rescue instance ID.
- For Device name, choose /dev/xvdf or /dev/sdf.
- Create a new unencrypted volume in the same Availability Zone as the original encrypted volume.
  Important: To avoid data loss, confirm that your new volume size is larger than the size of the encrypted volume.
- Attach the new unencrypted volume to the rescue instance as /dev/xvdg or /dev/sdg.
- Connect to the rescue instance, and then run the lsblk command to confirm that the root device and the attached volumes exist:
    lsblk
  Example output:
    NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    xvda    202:0    0   8G  0 disk
    └─xvda1 202:1    0   8G  0 part /
    xvdf    202:80   0   8G  0 disk
    └─xvdf1 202:81   0   8G  0 part
    xvdg    202:96   0   8G  0 disk
- To move the data from the original encrypted volume to the new unencrypted volume, run the dd command as a sudo or root user:
    dd if=/dev/xvdf of=/dev/xvdg bs=4096 status=progress
  Note: In the preceding command, the input file is /dev/xvdf and the output file is /dev/xvdg. The data transfer time varies based on the size and type of the volume and instance.
- Detach the new unencrypted /dev/xvdg volume from the rescue instance, and then attach it to the original instance as /dev/xvda or /dev/sda1.
- Connect to the original instance to confirm that the instance reads the new unencrypted root volume.
- On the Amazon EC2 console, select the original instance, and then view the volume's properties to confirm that the root volume is now unencrypted.
  Note: You might need to reboot or stop and start the instance to register the partition changes to the kernel.
- Repeat the process for other encrypted volumes on the original instance to create cloned volumes that are unencrypted.
- Terminate the rescue instance.
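
For the dd step above, a guarded version of the copy, added here as an example and not part of the original procedure: it refuses to run when the target is smaller than the source or is mounted, and compares SHA-256 digests after the copy. The function names are hypothetical, the device names are the ones used on this page, and GNU coreutils (dd, sha256sum, head) are assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Usage (as root on the rescue instance): guarded_copy /dev/xvdf /dev/xvdg

# Size in bytes of a block device, or of a regular file (useful for dry runs).
dev_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Succeeds only if the target can hold the source and is not in use.
# Exit codes: 2 bad arguments, 3 target too small, 4 target mounted.
precheck() {
    src=$1 dst=$2
    [ -e "$src" ] && [ -e "$dst" ] || { echo "missing device" >&2; return 2; }
    [ "$src" != "$dst" ] || { echo "source and target are the same" >&2; return 2; }
    if [ "$(dev_size "$dst")" -lt "$(dev_size "$src")" ]; then
        echo "target is smaller than source; the copy would lose data" >&2
        return 3
    fi
    # Literal prefix match so that partitions such as /dev/xvdg1 also count.
    if awk -v d="$dst" 'index($1, d) == 1 { f = 1 } END { exit !f }' \
        /proc/mounts 2>/dev/null; then
        echo "target or one of its partitions is mounted" >&2
        return 4
    fi
    return 0
}

# Run the checks, copy with the page's block size, then verify the result.
# Exit codes: those of precheck, 5 dd failed, 6 digest mismatch.
guarded_copy() {
    src=$1 dst=$2
    precheck "$src" "$dst" || return $?
    # status=none keeps output quiet; use status=progress for interactive runs.
    dd if="$src" of="$dst" bs=4096 conv=notrunc status=none || return 5
    sync
    n=$(dev_size "$src")
    a=$(sha256sum < "$src" | cut -d' ' -f1)
    # The target may be larger, so hash only the first n bytes of it.
    b=$(head -c "$n" "$dst" | sha256sum | cut -d' ' -f1)
    [ "$a" = "$b" ] || { echo "verification failed" >&2; return 6; }
}
```

Hashing both volumes reads each of them in full, so the verification roughly doubles the time the copy takes.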