encrypt-ebs-logo

Steps To Encrypt Amazon EBS Volume (Data-at-Rest)

This article will show how to Encrypt Amazon EBS volume.

Now if you want to encrypt a new volume its straight forward but when it comes to encrypting an existing EBS volume it becomes tedious task.

Usecase scenario for the same : A company has come up with new security and compliance requirements where they want to protect their data-at-rest. They have selected an option to encrypt all the data in their existing EBS volumes.

It is very simple, actually AWS has made it simple with just 5 steps you can encrypt EBS volume (existing).


Step 1 : Change the Instance State

aws-ebs-encryption
First, Stop the Instance.

Go to Volume option on left once instance is turned off.

Step 2 : Create A Snapshot

aws-create-snapshot
Create a snapshot of EBS volume
aws-snapshot-details
Proceed with appropriate details for the snapshot and hit create.

Step 3 : Copy Snapshot to change it to an Encrypted Snapshot

aws-copy-snapshot
Once snapshot is created, go ahead and copy the snapshot

 

aws-create-encrypted-snapshot
Here is the main task : Check Encryption option while creating copy. Select the encryption key(Master Key) as per your preference. For now I’m using the Default encryption key provided by aws




Step 4 : Create EBS volume from the Snapshot

Once Encrypted copy of snapshot is created successfully. Create a EBS Volume from it. This volume will be encrypted and ready to be attached with instance.

aws-create-encrypted-volume
Create a volume from the encrypted snapshot.
aws-create-encrypted-volume1
You can change properties like size, type or AZ for the volume here.

Note : Please create volume in the same availability zone as your instance.

Step 5 : Attach it to EC2 instance

aws-attach-encrypted-volume
When Volume is ready, attach it to the instance. REMEMBER First remove the old un-encrypted volume then do the following task.

 

You have now create and attached an Encrypted Amazon EBS Volume without any hassle. Your data will be the same plus added encryption acts a layer of security which will protect your data-at-rest.

Few things to keep in mind : You won’t be able to launch the same encrypted snapshot or an Amazon AMI in any other account. Once encrypted you cannot change it, the encryption key will be managed by AWS so you don’t have to worry about losing it.

 

That’s it, Thank you for reading!

Please leave your queries on comments section below. I’ll try my best to answer it asap.

– Bhargav