EC2 Disk Encryption long after creation

0

We have a handful of VMs running older CentOS distros, and when they were created several years back the disks were not encrypted. We want to know if they can be encrypted after the fact and, if yes, what the recommended steps are to complete this.

Brandon
Asked 4 months ago 351 views
2 Answers
0

Hello.

Existing unencrypted EBS cannot be directly encrypted.
Therefore, as described in the document below, you need to encrypt the snapshot when creating it from EBS and start a new EC2 from that snapshot.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-parameters

You cannot directly encrypt existing unencrypted volumes or snapshots. However, you can create encrypted volumes or snapshots from unencrypted volumes or snapshots. If you enable encryption by default, Amazon EBS automatically encrypts new volumes and snapshots using your default KMS key for EBS encryption. Otherwise, you can enable encryption when you create an individual volume or snapshot, using either the default KMS key for Amazon EBS encryption or a symmetric customer managed encryption key. For more information, see Create an Amazon EBS volume and Copy an Amazon EBS snapshot.

To encrypt the snapshot copy to a customer managed key, you must both enable encryption and specify the KMS key, as shown in Copy an unencrypted snapshot (encryption by default not enabled).

Expert
Answered 4 months ago
0

You can't encrypt an unencrypted volume in-place.

The best you are going to be able to do is take a snapshot of the volume (which will also be unencrypted), copy this to an encrypted snapshot, and create a new EBS snapshot from this volume.

Then stop the instance, detach the unencrypted volume, and attach the encrypted volume.

If it's the root disk that you need to work on, the procedure is similar, except you create an AMI from the snapshot and from this provision a new instance with an encrypted root volume.

Expert
Steve_M
Answered 4 months ago
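
The data-volume procedure from the answers above as an AWS CLI script; this is an added example, not code from the thread or from AWS. It stops the instance before snapshotting so no writes are lost and checks that the new volume reports as encrypted before detaching the original. It assumes an attached, non-root data volume; the function name and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): replace an attached, unencrypted
# data volume with an encrypted copy. Prints the new volume ID.
# Usage: encrypt_data_volume <volume-id> <kms-key-id> <region>

ec2() { aws --region "$region" ec2 "$@"; }

encrypt_data_volume() {
  vol=$1 key=$2 region=$3

  # Encryption state, AZ and attachment of the source volume.
  info=$(ec2 describe-volumes --volume-ids "$vol" --output text --query \
    'Volumes[0].[Encrypted,AvailabilityZone,Attachments[0].InstanceId,Attachments[0].Device]') || return 1
  set -- $info
  encrypted=$1 az=$2 instance=$3 device=$4
  case $encrypted in [Tt]rue) echo "$vol is already encrypted" >&2; return 0 ;; esac
  [ "$instance" != "None" ] || { echo "$vol is not attached" >&2; return 1; }

  # Stop first so the snapshot is consistent and no later writes are lost.
  ec2 stop-instances --instance-ids "$instance" >/dev/null || return 1
  ec2 wait instance-stopped --instance-ids "$instance" || return 1

  # Snapshot the unencrypted volume (this snapshot is unencrypted too).
  snap=$(ec2 create-snapshot --volume-id "$vol" --query SnapshotId --output text) || return 1
  ec2 wait snapshot-completed --snapshot-ids "$snap" || return 1

  # Copy it with encryption enabled and the KMS key named explicitly.
  enc_snap=$(ec2 copy-snapshot --source-region "$region" --source-snapshot-id "$snap" \
    --encrypted --kms-key-id "$key" --query SnapshotId --output text) || return 1
  ec2 wait snapshot-completed --snapshot-ids "$enc_snap" || return 1

  # A volume created from an encrypted snapshot is itself encrypted.
  # (Volume type and size options are left at defaults here.)
  new_vol=$(ec2 create-volume --snapshot-id "$enc_snap" --availability-zone "$az" \
    --query VolumeId --output text) || return 1
  ec2 wait volume-available --volume-ids "$new_vol" || return 1

  # Confirm encryption before touching the original volume.
  ok=$(ec2 describe-volumes --volume-ids "$new_vol" --query 'Volumes[0].Encrypted' --output text) || return 1
  case $ok in [Tt]rue) ;; *) echo "$new_vol is not encrypted" >&2; return 1 ;; esac

  # Swap the volumes on the same device name and restart.
  ec2 detach-volume --volume-id "$vol" >/dev/null || return 1
  ec2 wait volume-available --volume-ids "$vol" || return 1
  ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance" --device "$device" >/dev/null || return 1
  ec2 start-instances --instance-ids "$instance" >/dev/null || return 1
  echo "$new_vol"
}
```

The original volume and the intermediate unencrypted snapshot are left in place; delete them only after the instance has been verified on the encrypted volume.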
