Converting an Unencrypted EBS Volume to an Encrypted One in AWS: A Step-by-Step Guide

Shashank Gupta — Sat, 24 Jan 2026 09:19:59 +0000

🔐 Encrypt Existing Unencrypted EBS Volumes Without Data Loss (The AWS Way)

Encryption at rest is a fundamental AWS security control.
Yet in reality, EC2 instances often still run with unencrypted EBS volumes — especially in sandbox accounts, legacy setups, or “just-testing” environments that accidentally made it to prod. 😬

Here’s the catch:

❌ AWS does NOT support in-place encryption for EBS volumes

So… how do you encrypt an existing volume without losing data?

This article walks through:

✅ The AWS-recommended approach
🛠️ A manual step-by-step process
🤖 How to automate detection & remediation
⚠️ A critical AWS limitation you must know

🚨 Key AWS Constraint (Very Important)

Amazon EBS volumes cannot be encrypted in-place.

The only supported method is:

Unencrypted Volume → Snapshot → Encrypted Snapshot → New Encrypted Volume

This applies to:

📦 Data volumes
💽 Root volumes (requires downtime)

For root volumes, the EC2 instance must be stopped before detaching the volume. The steps are identical — just riskier.

🧪 Environment Setup

EC2 Instance

AMI: Ubuntu
Instance Type: t3.micro (or your choice)
Tags (recommended):
- Name = ebs-encryption-poc
- Environment = test

EBS Volume

Size: 4 GiB
Type: gp3
Encryption: Disabled
Availability Zone: Must match EC2 AZ

🪜 Step-by-Step: Encrypt an Existing EBS Volume

Step 1: Launch an EC2 Instance

Create an EC2 instance with the configuration above.

Step 2: Create an Unencrypted EBS Volume

From EC2 → Volumes → Create volume:

Size: 4 GiB
Type: gp3
Encryption: ❌ Disabled
AZ: Same as EC2
Tags:
- Name = unencrypted-ebs
- Environment = test

Attach this volume to the EC2 instance.

Step 3: Connect to EC2 & Create a Filesystem

ssh -i key.pem ubuntu@<public-ip>

(Optional) Change hostname:

sudo hostnamectl set-hostname ebs-demo
exec bash

Identify the volume and format it:

lsblk
sudo mkfs -t xfs /dev/nvme1n1

Mount it:

sudo mkdir /data
sudo mount /dev/nvme1n1 /data
df -h

Step 4: Add Test Data

cd /data
echo "Hello Unencrypted World!!" | sudo tee hello.txt
cat hello.txt

Step 5 (Optional): Resize the EBS Volume

From AWS Console:

Select volume → Modify volume
Increase size (e.g. 4 GiB → 6 GiB)

⚠️ You can only increase EBS volume size.

Step 6: Extend the Filesystem (Only If Resized)

sudo xfs_growfs -d /data
df -h /data

Step 7: Create a Snapshot (Unencrypted)

From EC2 → Volumes:

Select unencrypted volume
Actions → Create snapshot

This preserves all existing data.

Step 8: Copy Snapshot With Encryption Enabled

From EBS → Snapshots:

Select snapshot → Copy snapshot
✅ Enable encryption
KMS key: aws/ebs (default)

Step 9: Create an Encrypted Volume

From the encrypted snapshot:

Create volume
Add tags:
- Name = encrypted-ebs
- Environment = test

Step 10: Replace the Volume

Attach the encrypted volume to the EC2 instance.

On EC2:

lsblk
cd
sudo umount /data
sudo mount /dev/nvme2n1 /data

Verify data:

ls /data
cat /data/hello.txt

Fix permissions if needed:

sudo chown $USER /data

✅ Data persists
✅ Volume is encrypted at rest

🤖 Automation Ideas (Because Manual ≠ Scalable)

Idea 1: EventBridge + Lambda (Auto-Remediation)

Flow:

EventBridge detects unencrypted volume creation
Lambda:
- Creates snapshot
- Encrypts it
- Replaces the volume
SNS sends notification

Pros:

Zero manual effort
Real-time remediation
Audit-friendly

Idea 2: Scheduled Lambda Scan

Flow:

EventBridge cron (e.g. every 6 hours)
Lambda scans all attached volumes
Replaces unencrypted volumes
Sends report

Pros:

Simple
Lightweight
Ideal for legacy environments

Idea 3: Prevent It at Account Level (Best Practice)

Enable EBS Encryption by Default:

EC2 → Settings → Enable EBS encryption by default

🔥 This ensures all future volumes are encrypted automatically.

🏆 Best Strategy: Defense in Depth

✅ Prevent
→ Enable EBS encryption by default

✅ Detect & Remediate (Real-Time)
→ EventBridge + Lambda

✅ Audit Regularly
→ Scheduled Lambda scans

📌 Lessons Learned & Best Practices

❌ You cannot enable encryption on an existing volume
❌ AWS does not support in-place encryption
✅ Snapshots are the only safe path
✅ Data volumes can be auto-remediated
⚠️ Root volumes always require downtime
🧠 Prevention > Remediation

🎯 Wrap Up

This workflow is mandatory AWS knowledge:

For real-world production systems
For security reviews
For AWS interviews

Understanding why AWS enforces this model gives you a deeper appreciation of how AWS balances security, durability, and safety — even when it’s inconvenient.

If you live in the AWS ecosystem, this is one of those “know it cold” workflows.

Happy encrypting 🔐🚀

DEV Community: Shashank Gupta

[Boost]