I want to encrypt my existing unencrypted Amazon Elastic Block Store (Amazon EBS) root volume without performing a manual re-encryption.
Resolution
To avoid manual re-encryption, use the Replace root volume feature in Amazon Elastic Compute Cloud (Amazon EC2) to encrypt your unencrypted EBS root volume. This feature transitions your volume to an encrypted state and offers enhanced data security for your EC2 instance.
Activate EBS encryption as a default
To set the default, complete the following steps:
- Navigate to the Amazon EC2 console.
- Select your Region.
- In your left navigation pane, choose EC2 Dashboard.
- For Account Attributes, choose Data protection and security.
- For EBS encryption, choose Manage. Then, activate Always encrypt new EBS volumes.
- Select a default encryption key.
- To confirm your changes, choose Update EBS encryption.
Create a snapshot
Complete the following steps:
- Open the Amazon EC2 console.
- From the left navigation pane, choose Snapshots. Then, choose Create snapshot.
- Choose Volume as the resource type.
- Select the root volume of your EC2 instance.
- To implement the changes, choose Create snapshot.
Replace the unencrypted root volume with an encrypted volume
Complete the following steps:
- Navigate to the Amazon EC2 console.
- From the left navigation pane, choose Instances.
- Select the instance that you want to replace the root volume for.
- Choose Actions. Then, choose Monitor and troubleshoot.
- Choose Replace root volume.
Note: Make sure that the instance is running for the action to activate.
- Select the snapshot that you created for your root volume.
- To initiate replacement, choose Create replacement task.
Note: The instance automatically reboots during this process, erasing the memory (RAM) contents without requiring a manual reboot.
Monitor the progress of the root volume replacement task
Follow these steps to complete the replacement task:
- Navigate to the Instances section.
- Select the instance and access the Storage tab.
- To track completion, expand Recent root volume replacement tasks.
When the root volume replacement task completes, your root volume is securely encrypted. The replacement also provides enhanced data protection for your EC2 instance.