DEV Community

Shashank Gupta

Converting an Unencrypted EBS Volume to an Encrypted One in AWS: A Step-by-Step Guide

🔐 Encrypt Existing Unencrypted EBS Volumes Without Data Loss (The AWS Way)

Encryption at rest is a fundamental AWS security control.
Yet in reality, EC2 instances often still run with unencrypted EBS volumes, especially in sandbox accounts, legacy setups, or "just-testing" environments that accidentally made it to prod. 😬

Here’s the catch:

❌ AWS does NOT support in-place encryption for EBS volumes

So… how do you encrypt an existing volume without losing data?

This article walks through:

  • ✅ The AWS-recommended approach
  • 🛠️ A manual step-by-step process
  • 🤖 How to automate detection & remediation
  • ⚠️ A critical AWS limitation you must know

🚨 Key AWS Constraint (Very Important)

Amazon EBS volumes cannot be encrypted in-place.

The only supported method is:

Unencrypted Volume → Snapshot → Encrypted Snapshot → New Encrypted Volume

This applies to:

  • 📦 Data volumes
  • 💽 Root volumes (requires downtime)

For root volumes, the EC2 instance must be stopped before the root volume can be detached and the encrypted copy attached in its place. The steps are identical, just riskier, because the instance is offline for the whole swap.


🧪 Environment Setup

EC2 Instance

  • AMI: Ubuntu
  • Instance Type: t3.micro (or your choice)
  • Tags (recommended):

    • Name = ebs-encryption-poc
    • Environment = test

EBS Volume

  • Size: 4 GiB
  • Type: gp3
  • Encryption: Disabled
  • Availability Zone: Must match EC2 AZ

🪜 Step-by-Step: Encrypt an Existing EBS Volume


Step 1: Launch an EC2 Instance

Create an EC2 instance with the configuration above.


Step 2: Create an Unencrypted EBS Volume

From EC2 → Volumes → Create volume:

  • Size: 4 GiB
  • Type: gp3
  • Encryption: ❌ Disabled
  • AZ: Same as EC2
  • Tags:

    • Name = unencrypted-ebs
    • Environment = test

Attach this volume to the EC2 instance.


Step 3: Connect to EC2 & Create a Filesystem

ssh -i key.pem ubuntu@<public-ip>

(Optional) Change hostname:

sudo hostnamectl set-hostname ebs-demo
exec bash

Identify the volume and format it:

lsblk                              # the new 4 GiB disk shows up as nvme1n1 on Nitro instances
sudo mkfs -t xfs /dev/nvme1n1      # format it; this destroys anything already on the device

Mount it:

sudo mkdir /data
sudo mount /dev/nvme1n1 /data
df -h

Step 4: Add Test Data

cd /data
echo "Hello Unencrypted World!!" | sudo tee hello.txt
cat hello.txt

Step 5 (Optional): Resize the EBS Volume

From AWS Console:

  • Select volume → Modify volume
  • Increase size (e.g. 4 GiB → 6 GiB)

⚠️ EBS volumes can only be grown, never shrunk.


Step 6: Extend the Filesystem (Only If Resized)

sudo xfs_growfs -d /data
df -h /data

Step 7: Create a Snapshot (Unencrypted)

From EC2 → Volumes:

  • Select unencrypted volume
  • Actions → Create snapshot

This preserves all data on the volume as of the moment the snapshot is taken. Anything written to /data after that point will not be in the encrypted copy, so stop writing to the volume (or unmount it) before snapshotting.


Step 8: Copy Snapshot With Encryption Enabled

From EBS → Snapshots:

  • Select snapshot → Copy snapshot
  • ✅ Enable encryption
  • KMS key: aws/ebs (default)

Step 9: Create an Encrypted Volume

From the encrypted snapshot:

  • Create volume
  • Add tags:

    • Name = encrypted-ebs
    • Environment = test

Step 10: Replace the Volume

Attach the encrypted volume to the EC2 instance.

On EC2:

lsblk                              # confirm the device name of the newly attached volume (nvme2n1 here)
cd                                 # leave /data so the unmount is not blocked by the shell's cwd
sudo umount /data
sudo mount /dev/nvme2n1 /data      # mount the encrypted copy in place of the old volume

Verify data:

ls /data
cat /data/hello.txt

Fix permissions if needed:

sudo chown $USER /data

✅ Data persists
✅ Volume is encrypted at rest


🤖 Automation Ideas (Because Manual ≠ Scalable)


Idea 1: EventBridge + Lambda (Auto-Remediation)

Flow:

  • EventBridge detects unencrypted volume creation
  • Lambda:

    • Creates snapshot
    • Encrypts it
    • Replaces the volume
  • SNS sends notification

Pros:

  • Zero manual effort
  • Real-time remediation
  • Audit-friendly

Idea 2: Scheduled Lambda Scan

Flow:

  • EventBridge cron (e.g. every 6 hours)
  • Lambda scans all attached volumes
  • Replaces unencrypted volumes
  • Sends report

Pros:

  • Simple
  • Lightweight
  • Ideal for legacy environments
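A boto3 sketch of the scan in Idea 2 combined with Steps 7 to 9 of the manual procedure, as an added example that is not part of the original post. It assumes boto3 credentials and a region are configured when run for real; the SAMPLE_* data below is constructed so the detection logic can be exercised offline, and root volumes are only reported because, as the post notes, they need downtime.

```python
# Added example, not code from the original post. Assumes boto3 credentials and
# region are configured when run for real; SAMPLE_* below are constructed data.
from typing import Dict, List

# Constructed DescribeVolumes page: an unencrypted data volume (/dev/sdf), an
# unencrypted root volume (/dev/sda1) and an encrypted volume that must be ignored.
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-data1", "Encrypted": False, "AvailabilityZone": "us-east-1a", "VolumeType": "gp3",
     "Attachments": [{"InstanceId": "i-poc", "Device": "/dev/sdf", "State": "attached"}]},
    {"VolumeId": "vol-root1", "Encrypted": False, "AvailabilityZone": "us-east-1a", "VolumeType": "gp3",
     "Attachments": [{"InstanceId": "i-poc", "Device": "/dev/sda1", "State": "attached"}]},
    {"VolumeId": "vol-enc1", "Encrypted": True, "AvailabilityZone": "us-east-1a", "VolumeType": "gp3",
     "Attachments": [{"InstanceId": "i-poc", "Device": "/dev/sdg", "State": "attached"}]},
]}
SAMPLE_ROOTS = {"i-poc": "/dev/sda1"}  # instance id -> RootDeviceName (from DescribeInstances)


def find_unencrypted(volumes_page: Dict, root_devices: Dict[str, str]) -> List[Dict]:
    """Attached, unencrypted volumes in one DescribeVolumes page. A volume sitting on
    the instance's root device is flagged NeedsDowntime: the live swap of Step 10
    only works for data volumes, so root volumes are reported, not replaced."""
    out = []
    for vol in volumes_page["Volumes"]:
        if vol["Encrypted"]:
            continue
        for att in vol.get("Attachments", []):
            if att["State"] != "attached":
                continue
            out.append({"VolumeId": vol["VolumeId"], "InstanceId": att["InstanceId"],
                        "AvailabilityZone": vol["AvailabilityZone"], "VolumeType": vol["VolumeType"],
                        "NeedsDowntime": root_devices.get(att["InstanceId"]) == att["Device"]})
    return out


def encrypt_copy(ec2, finding: Dict, kms_key_id: str = "alias/aws/ebs") -> str:
    """Steps 7-9 with a boto3 EC2 client: snapshot -> encrypted snapshot copy -> new
    volume. Returns the new volume id; attaching and remounting (Step 10) stays manual."""
    snap = ec2.create_snapshot(VolumeId=finding["VolumeId"],
                               Description="pre-encryption copy")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    enc = ec2.copy_snapshot(SourceRegion=ec2.meta.region_name, SourceSnapshotId=snap,
                            Encrypted=True, KmsKeyId=kms_key_id)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc])
    vol = ec2.create_volume(SnapshotId=enc, AvailabilityZone=finding["AvailabilityZone"],
                            VolumeType=finding["VolumeType"], TagSpecifications=[{
                                "ResourceType": "volume", "Tags": [{"Key": "Name", "Value": "encrypted-ebs"},
                                {"Key": "ReplacedVolume", "Value": finding["VolumeId"]}]}])["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[vol])
    assert ec2.describe_volumes(VolumeIds=[vol])["Volumes"][0]["Encrypted"]  # the Step 10 check
    return vol
```

In a scheduled Lambda, page through describe_volumes with the filter encrypted=false, feed each page to find_unencrypted, and pass only findings with NeedsDowntime false to encrypt_copy; root-volume findings go into the report instead.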

Idea 3: Prevent It at Account Level (Best Practice)

Enable EBS Encryption by Default:

EC2 → Settings → Enable EBS encryption by default (this is a per-Region setting, so turn it on in every Region you use)

🔥 This ensures all future volumes are encrypted automatically.


πŸ† Best Strategy: Defense in Depth

✅ Prevent
→ Enable EBS encryption by default

✅ Detect & Remediate (Real-Time)
→ EventBridge + Lambda

✅ Audit Regularly
→ Scheduled Lambda scans


📌 Lessons Learned & Best Practices

  • ❌ You cannot enable encryption on an existing volume
  • ❌ AWS does not support in-place encryption
  • ✅ Snapshots are the only safe path
  • ✅ Data volumes can be auto-remediated
  • ⚠️ Root volumes always require downtime
  • 🧠 Prevention > Remediation

🎯 Wrap Up

This workflow is mandatory AWS knowledge:

  • For real-world production systems
  • For security reviews
  • For AWS interviews

Understanding why AWS enforces this model gives you a deeper appreciation of how AWS balances security, durability, and safety, even when it is inconvenient.

If you live in the AWS ecosystem, this is one of those "know it cold" workflows.

Happy encrypting 🔐🚀
