How do I unencrypt an encrypted Amazon EBS volume in Linux?


I want to unencrypt an Amazon Elastic Block Store (Amazon EBS) volume in Linux that I encrypted with a default AWS Key Management Service (AWS KMS) key or a custom KMS key.

Resolution

Note: The following resolution uses a root volume as an example. You can also perform the following steps on a secondary volume.

To unencrypt your Amazon EBS volume, complete the following steps:

  1. Create a snapshot of the encrypted root volume, or create an Amazon Machine Image (AMI) of the instance with the encrypted volume.
    Note: It's a best practice to use snapshots and AMIs to back up your resources before you perform any major tasks.

  2. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

  3. Stop the instance with the encrypted root volume.

  4. On the Storage tab, note your root device's name, and then choose the Volume ID.
    Note: The root device differs by AMI. For example, Amazon Linux 1 and 2 use /dev/xvda. Other distributions, such as Ubuntu 14, 16, 18, CentOS 7, and RHEL 7.5, use /dev/sda1.

  5. Choose Actions, and then choose Detach volume.

  6. Choose Yes, Detach, and then note the Availability Zone.

  7. Launch a rescue instance in the same Availability Zone as the original instance.
    Note: Use a similar operating system (OS) to the one that you used to launch the original instance.

  8. In the navigation pane, choose Volumes, and then select the encrypted root volume.

  9. Choose Actions, and then choose Attach volume.

  10. For Instance, choose the rescue instance ID.

  11. For Device name, choose /dev/xvdf or /dev/sdf.

  12. Create a new unencrypted volume in the same Availability Zone as the original encrypted volume.
    Important: To avoid data loss, confirm that your new volume size is larger than the size of the encrypted volume.

  13. Attach the new unencrypted volume to the rescue instance as /dev/xvdg or /dev/sdg.

  14. Connect to the rescue instance, and then run the lsblk command to confirm that the root device and the attached volumes exist:

    lsblk

    Example output

    NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    xvda    202:0    0   8G  0 disk 
    └─xvda1 202:1    0   8G  0 part /
    xvdf    202:80   0   8G  0 disk 
    └─xvdf1 202:81   0   8G  0 part 
    xvdg    202:96   0   8G  0 disk

  15. To move the data from the original encrypted volume to the new unencrypted volume, run the following dd command as the root user or with sudo:

    dd if=/dev/xvdf of=/dev/xvdg bs=4096 status=progress

    Note: In the preceding command, the input file is /dev/xvdf and the output file is /dev/xvdg. The data transfer time varies based on the size and type of the volume and instance.

  16. Detach the new unencrypted /dev/xvdg volume from the rescue instance, and then attach it to the original instance as /dev/xvda or /dev/sda1.

  17. Connect to the original instance to confirm that the instance reads the new unencrypted root volume.

  18. On the Amazon EC2 console, select the original instance, and then view the volume's properties to confirm that the root volume is now unencrypted.
    Note: You might need to reboot or stop and start the instance to register the partition changes to the kernel.

  19. Repeat the process for other encrypted volumes on the original instance to create cloned volumes that are unencrypted.

  20. Terminate the rescue instance.
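Added example for steps 12 to 15, not part of the AWS article: a POSIX shell helper to run on the rescue instance that refuses to copy when the target volume cannot hold the source, runs the article's dd command, and then proves the copy is byte-identical with SHA-256. It assumes GNU coreutils and blockdev from util-linux; the device names /dev/xvdf and /dev/xvdg follow the article, and the DD_STATUS variable is my own.

```shell
#!/bin/sh
# Helper for steps 12 to 15 on the rescue instance (added example, not AWS code).
# Regular files are accepted as well as block devices, so it can be dry-run safely.

# Size in bytes of a block device or regular file.
byte_size() {
  if [ -b "$1" ]; then
    blockdev --getsize64 "$1"
  else
    stat -c %s "$1"
  fi
}

# Succeeds only when both paths exist and the destination is at least as large
# as the source. Equal size is the bare minimum that avoids silent truncation;
# the article's step 12 asks for a larger volume.
check_fits() {
  { [ -b "$1" ] || [ -f "$1" ]; } || return 1
  { [ -b "$2" ] || [ -f "$2" ]; } || return 1
  [ "$(byte_size "$2")" -ge "$(byte_size "$1")" ]
}

# Copy source to destination with the article's dd command (bs=4096), then
# compare the SHA-256 of the source with the same number of bytes read back
# from the destination. Set DD_STATUS= for a dd without status=progress.
clone_volume() {
  src=$1
  dst=$2
  check_fits "$src" "$dst" || { echo "refusing: $dst cannot hold $src" >&2; return 1; }
  dd if="$src" of="$dst" bs=4096 ${DD_STATUS-status=progress} || return 1
  sync
  src_bytes=$(byte_size "$src")
  src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
  dst_sum=$(head -c "$src_bytes" "$dst" | sha256sum | cut -d' ' -f1)
  [ "$src_sum" = "$dst_sum" ]
}

# Usage on the rescue instance, as root:  clone_volume /dev/xvdf /dev/xvdg
```

After step 18 you can also confirm the result from the AWS CLI with `aws ec2 describe-volumes --volume-ids <volume-id> --query 'Volumes[].Encrypted'`, which should return false for the new volume.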

AWS OFFICIAL
Updated a month ago
2 Comments

Accurate instructions for the procedure, which worked well for me, but I think the navigation of the console and locations of items has changed since the article was published.

replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 4 months ago