How do I encrypt an existing unencrypted Amazon EBS volume, or change the encryption key that my volume uses?

I want to encrypt an existing unencrypted Amazon Elastic Block Store (Amazon EBS) volume. Or, I want to change the encryption key that my existing encrypted Amazon EBS volume uses.

Resolution

You can't encrypt an existing unencrypted EBS volume. You also can't change the AWS Key Management Service (AWS KMS) key that an existing encrypted EBS volume uses. However, you can create a snapshot of the volume. Then, you can use the snapshot to create a new encrypted copy of the volume. When you create the new volume, specify the encryption key that you want to use.

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Volumes.
  3. Select the volume from the list, and then note the current Availability Zone of your volume.
  4. Choose Actions, and then choose Create snapshot.
  5. (Optional) Enter a Description for the snapshot.
  6. Choose Create snapshot.
  7. In the navigation pane, choose Snapshots, and then select your snapshot.
  8. (Optional) To avoid latency issues, turn on Amazon EBS fast snapshot restore on your snapshot. Or, manually initialize your Amazon EBS volume after creation.
    Note: The initialization process might temporarily lower the volume's performance.
  9. Choose Actions, and then choose Create volume from snapshot.
  10. Choose Availability Zone, and then select the same Availability Zone as your current volume.
  11. If you didn't encrypt the source snapshot, then under Encryption, choose Encrypt this volume. If you encrypted the snapshot, then this option isn't available.
  12. Choose KMS key, and then choose the encryption key.
  13. Choose Create volume.
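
The same steps can be scripted with the AWS CLI. The following is an added example, not part of the original article: it assumes the AWS CLI is installed with credentials that can snapshot and create volumes and use the KMS key. The function name `reencrypt_volume` and the `AWS_CLI` override variable are hypothetical. It also goes one step past the console procedure by checking that the new volume reports as encrypted.

```shell
#!/bin/sh
# Added example: AWS CLI equivalent of the console steps above.
# AWS_CLI is a hypothetical override hook (default: the real "aws" binary).
AWS_CLI="${AWS_CLI:-aws}"

# reencrypt_volume VOLUME_ID KMS_KEY  (hypothetical helper name)
# Prints the new encrypted volume's ID on stdout; progress goes to stderr.
reencrypt_volume() {
  local vol="$1" key="$2" az snap new enc
  if [ -z "$vol" ] || [ -z "$key" ]; then
    echo "usage: reencrypt_volume VOLUME_ID KMS_KEY" >&2
    return 2
  fi

  # Step 3: note the Availability Zone of the current volume.
  az=$($AWS_CLI ec2 describe-volumes --volume-ids "$vol" \
        --query 'Volumes[0].AvailabilityZone' --output text) || return 1

  # Steps 4-6: snapshot the volume and wait until the snapshot completes.
  snap=$($AWS_CLI ec2 create-snapshot --volume-id "$vol" \
        --description "Source for encrypted copy of $vol" \
        --query 'SnapshotId' --output text) || return 1
  echo "waiting for snapshot $snap" >&2
  $AWS_CLI ec2 wait snapshot-completed --snapshot-ids "$snap" || return 1

  # Steps 9-13: create the volume in the same AZ, encrypted with the chosen key.
  new=$($AWS_CLI ec2 create-volume --snapshot-id "$snap" \
        --availability-zone "$az" --encrypted --kms-key-id "$key" \
        --query 'VolumeId' --output text) || return 1
  $AWS_CLI ec2 wait volume-available --volume-ids "$new" || return 1

  # Extra check (not a console step): confirm the new volume is encrypted.
  enc=$($AWS_CLI ec2 describe-volumes --volume-ids "$new" \
        --query 'Volumes[0].Encrypted' --output json) || return 1
  if [ "$enc" != "true" ]; then
    echo "volume $new is not encrypted" >&2
    return 1
  fi
  echo "$new"
}

# Run only when called with both arguments, for example:
#   sh reencrypt.sh vol-EXAMPLE alias/EXAMPLE-KEY   (placeholder values)
if [ "$#" -eq 2 ]; then
  reencrypt_volume "$1" "$2"
fi
```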

Related information

Amazon EBS encryption

How do I turn on automatic encryption for new Amazon EBS volumes and snapshot copies created in my account?

AWS OFFICIAL, Updated 4 months ago