Elastic Block Store (EBS) volumes are the equivalent of hard drives in the physical world. They are attached to EC2 instances and hold the operating system as well as instance-specific data (code, applications, software, etc.). Unless encryption by default has been turned on for the account in a region, new volumes are created unencrypted; enabling EBS encryption protects the data at rest on the volume, on every snapshot taken from it, and on the path between the volume and the instance, using a KMS key.
An AWS account will fail security compliance checks, especially around data security, if its EBS volumes are not encrypted. Additionally, any snapshot created from an unencrypted volume is itself unencrypted. A malicious user who gains access to such a snapshot, either because it was shared publicly or through access to the AWS account, can create a volume from it and read everything stored on it.
In this article we will go through the steps to encrypt AWS EBS volumes via both the console and the CLI.
An existing EBS volume cannot be encrypted in place. The procedure in both cases is the same: take a snapshot of the unencrypted volume, copy the snapshot with encryption enabled, create a new volume from the encrypted copy, and swap the new volume in for the old one. Create the new volume in the same Availability Zone as the instance, and if the volume is the instance's root volume, stop the instance first and reattach the new volume under the original root device name. To encrypt an EBS volume via the AWS console, follow the steps below:
Login to the AWS Management Console and navigate to EC2 dashboard.
In the navigation panel, under Elastic Block Store, click Volumes.
Select the unencrypted volume you want to replace (the Encryption column shows whether a volume is encrypted).
Click the Actions dropdown button from the EBS dashboard top menu and select Create Snapshot.
In the Create Snapshot dialog box, provide a name and a description for the snapshot and click the Create snapshot button.
Navigate to Elastic Block Store, and click Snapshots.
Select your newly created EBS snapshot, wait until its status is Completed, then click the Actions dropdown button and select Copy snapshot.
In the Copy Snapshot dialog box, tick the Encrypt this snapshot checkbox, choose the KMS key to use (the default aws/ebs key or a customer managed key) and click the Copy snapshot button.
Select the new (copied) EBS snapshot, click the Actions dropdown button from the EBS dashboard top menu and select Create Volume from snapshot.
In the Create Volume dialog box, set the Availability Zone to the one your instance runs in, make sure the volume Encryption status is Encrypted and click Create Volume.
Navigate back to Volumes, select the unencrypted volume, then click the Actions dropdown button from the EBS dashboard top menu and select Detach Volume. Unmount a data volume inside the operating system before detaching it; a root volume can only be detached from a stopped instance.
Select the newly encrypted EBS volume. Click the Actions dropdown button from the EBS dashboard top menu and select Attach Volume.
In the Attach Volume dialog box enter your EC2 instance ID and the device name for the attachment (for a root volume, the same device name the old volume used, for example /dev/xvda or /dev/sda1), then click Attach Volume. Start the instance again if you stopped it, verify that the data is accessible, and only then delete the old unencrypted volume and the unencrypted snapshot, since both still hold the data in the clear.
To encrypt the EBS volume via the CLI, follow the steps below:
List the volumes in the region; the Encrypted field in the output shows which ones still need attention
aws ec2 describe-volumes --region <region>
Create a new snapshot of the unencrypted volume (note the SnapshotId in the output and wait until its State is completed before copying it)
aws ec2 create-snapshot --volume-id <volume id> --region <region>
Create an encrypted copy of the existing EBS snapshot; without --kms-key-id the copy is encrypted with the account's default aws/ebs key, so pass that option if you want a customer managed key
aws --region <region> ec2 copy-snapshot --source-region <region> --encrypted --source-snapshot-id <snapshot id>
Output of the command
Create a new EBS volume from the encrypted snapshot, in the same Availability Zone as the instance it will be attached to
aws ec2 create-volume --region <region> --availability-zone <AZ> --snapshot-id <snapshot id> --volume-type <volume type> --encrypted
Output of the command
Detach the unencrypted EBS volume (unmount a data volume inside the OS first; a root volume can only be detached once the instance is stopped)
aws ec2 detach-volume --volume-id <Volume ID> --region <region>
Output of the command
To attach the new encrypted EBS volume to your EC2 instance run attach-volume. The example uses /dev/sdf for a data volume; a root volume must be attached under the original root device name, after which the instance can be started again
aws ec2 attach-volume --volume-id <volume id> --instance-id <instance id> --device /dev/sdf --region <region>
Output of the command
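The console and CLI procedures above are the same sequence of operations, and the places where they go wrong in practice are the details the commands do not enforce: the new volume must be in the instance's Availability Zone, a root volume can only be swapped on a stopped instance and must come back under its original device name, and each snapshot must be completed before it is copied or used. The following script, added here as an example and not part of the original article, audits the JSON that aws ec2 describe-volumes returns, picks out the unencrypted volumes, and emits the ordered aws CLI commands (with waiters) needed to replace each one. It only builds the commands; it does not run them. The volume and instance IDs, the root-device map and the region are constructed sample data for this example.

```python
"""Audit `aws ec2 describe-volumes --output json` output for unencrypted EBS
volumes and emit the aws CLI steps that replace each one with an encrypted copy.
Nothing here calls AWS; the output is a reviewable plan."""
import json

# Constructed sample in the shape of `aws ec2 describe-volumes --output json`
# (all IDs are made up for this example).
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0aaa111", "Encrypted": False, "AvailabilityZone": "us-east-1a",
         "VolumeType": "gp3", "Size": 8,
         "Attachments": [{"InstanceId": "i-0123", "Device": "/dev/xvda", "State": "attached"}]},
        {"VolumeId": "vol-0bbb222", "Encrypted": False, "AvailabilityZone": "us-east-1a",
         "VolumeType": "gp3", "Size": 100,
         "Attachments": [{"InstanceId": "i-0123", "Device": "/dev/sdf", "State": "attached"}]},
        {"VolumeId": "vol-0ccc333", "Encrypted": True, "AvailabilityZone": "us-east-1b",
         "VolumeType": "gp3", "Size": 20,
         "Attachments": [{"InstanceId": "i-0456", "Device": "/dev/xvda", "State": "attached"}]},
        {"VolumeId": "vol-0ddd444", "Encrypted": False, "AvailabilityZone": "us-east-1c",
         "VolumeType": "gp2", "Size": 50, "Attachments": []},
    ]
})

# Constructed: instance ID -> RootDeviceName, as reported by
# `aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,RootDeviceName]'`.
SAMPLE_ROOT_DEVICES = {"i-0123": "/dev/xvda", "i-0456": "/dev/xvda"}


def unencrypted_volumes(describe_volumes_json):
    """Return the volumes whose Encrypted flag is false (the compliance finding)."""
    data = json.loads(describe_volumes_json)
    return [v for v in data["Volumes"] if not v.get("Encrypted", False)]


def migration_plan(volume, root_devices, region, kms_key_id=None):
    """Build the ordered aws CLI commands that replace one unencrypted volume.
    <...> placeholders mark IDs that are only known once an earlier command has
    returned. The new volume re-uses the old volume's AZ and type; a root volume
    is swapped on a stopped instance and reattached at its original device name."""
    vol = volume["VolumeId"]
    az = volume["AvailabilityZone"]
    attachment = volume["Attachments"][0] if volume["Attachments"] else None
    steps = []
    is_root = False
    if attachment:
        instance = attachment["InstanceId"]
        device = attachment["Device"]
        is_root = root_devices.get(instance) == device
        if is_root:
            # A root volume cannot be detached from a running instance.
            steps.append(f"aws ec2 stop-instances --instance-ids {instance} --region {region}")
            steps.append(f"aws ec2 wait instance-stopped --instance-ids {instance} --region {region}")
        # For a data volume, unmount the filesystem inside the guest OS before this point.
    steps.append(f"aws ec2 create-snapshot --volume-id {vol} --region {region}")
    steps.append(f"aws ec2 wait snapshot-completed --snapshot-ids <snapshot id> --region {region}")
    copy = (f"aws ec2 copy-snapshot --source-region {region} --region {region} "
            f"--source-snapshot-id <snapshot id> --encrypted")
    if kms_key_id:  # default is the account's aws/ebs key
        copy += f" --kms-key-id {kms_key_id}"
    steps.append(copy)
    steps.append(f"aws ec2 wait snapshot-completed --snapshot-ids <encrypted snapshot id> --region {region}")
    steps.append(f"aws ec2 create-volume --availability-zone {az} --volume-type {volume['VolumeType']} "
                 f"--snapshot-id <encrypted snapshot id> --encrypted --region {region}")
    steps.append(f"aws ec2 wait volume-available --volume-ids <new volume id> --region {region}")
    if attachment:
        steps.append(f"aws ec2 detach-volume --volume-id {vol} --region {region}")
        steps.append(f"aws ec2 wait volume-available --volume-ids {vol} --region {region}")
        steps.append(f"aws ec2 attach-volume --volume-id <new volume id> --instance-id {instance} "
                     f"--device {device} --region {region}")
        if is_root:
            steps.append(f"aws ec2 start-instances --instance-ids {instance} --region {region}")
    return {"volume_id": vol, "root": is_root, "availability_zone": az, "commands": steps}


def plan_all(describe_volumes_json, root_devices, region, kms_key_id=None):
    """One migration plan per unencrypted volume in the describe-volumes output."""
    return [migration_plan(v, root_devices, region, kms_key_id)
            for v in unencrypted_volumes(describe_volumes_json)]


if __name__ == "__main__":
    for plan in plan_all(SAMPLE_DESCRIBE_VOLUMES, SAMPLE_ROOT_DEVICES, "us-east-1"):
        print(f"# {plan['volume_id']} (root volume: {plan['root']})")
        print("\n".join(plan["commands"]))
```

Run against real output (aws ec2 describe-volumes --region <region> --output json piped into the script instead of the sample) it gives a per-volume checklist to review before anything is detached. The old volume and the unencrypted snapshot are deliberately not deleted by the plan; remove them only after the instance has been verified on the encrypted volume.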
You can also learn how to create, attach and detach EBS volumes from this Academy article.