How to Encrypt an EBS Volume in AWS


If you're using AWS in an environment where privacy is a major concern (ex. HIPAA), you'll need to make sure that every server that could hold protected health information (PHI) has encrypted storage. When you launch a server from a public AMI (RedHat, Ubuntu, etc.), its volume launches unencrypted. This makes sense, since every AWS customer launches from that same AMI, and we can't all share the same key.

Once you've launched your server and you're ready to encrypt the EBS volumes attached to your EC2 instances, here are the steps you'll want to take:

  1. Find the volume you want to encrypt in the EC2 Management Console, right-click, and click "Create Snapshot".

    Also, write down the availability zone of your current volume. You'll want this later on.

  2. Give it a name and description that lets you know this is an unencrypted snapshot for future reference.

  3. Once the snapshot has finished creating, right-click the snapshot and select Copy. At this point, make sure you tick the checkbox next to Encrypt this Snapshot.
    You can choose whichever key you would like to use for the encryption from the drop-down box. Remember to also change the description to note that this is the encrypted snapshot.

  4. After AWS has finished copying and encrypting the snapshot, right-click the new encrypted snapshot and select Create Volume. Remember the availability zone of the original volume I had you write down? Make sure this new volume is created in the same AZ as the original.

  5. At this point it's just a matter of shutting down the server and swapping out the EBS volume for the new encrypted volume. Once the server is shut down, I like to take a quick note of where the current EBS volume is attached (ex. /dev/sda1). Detach the unencrypted volume from your EC2 instance then attach the encrypted volume to the same device location.

  6. Start up your new encrypted EC2 instance!
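The same six console steps scripted with the AWS CLI, as an added example that is not part of the original post. It assumes AWS CLI v2 with working credentials and AWS_DEFAULT_REGION exported; the volume id, instance id and optional KMS key id are arguments, and the ids shown in comments are placeholders.

```shell
#!/bin/sh
# Added example: encrypt an existing EBS volume the way the post does it
# (snapshot -> encrypted copy -> new volume in the same AZ -> swap on a stopped instance).
# Usage: ./ebs-encrypt.sh <volume-id> <instance-id> [kms-key-id]
# Assumes AWS CLI v2 with working credentials and AWS_DEFAULT_REGION exported.
set -e

encrypt_volume() {
  vol="$1"; instance="$2"; key="${3:-}"

  # Step 1: record the AZ and the device name (e.g. /dev/sda1) before touching anything.
  az=$(aws ec2 describe-volumes --volume-ids "$vol" \
         --query 'Volumes[0].AvailabilityZone' --output text)
  device=$(aws ec2 describe-volumes --volume-ids "$vol" \
         --query 'Volumes[0].Attachments[0].Device' --output text)

  # Steps 1-2: snapshot the unencrypted volume and label it so it is not mistaken later.
  snap=$(aws ec2 create-snapshot --volume-id "$vol" \
         --description "UNENCRYPTED source snapshot of $vol" \
         --query 'SnapshotId' --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"

  # Step 3: copy with encryption on; pass --kms-key-id only when a key was chosen,
  # otherwise the account's default EBS key is used.
  if [ -n "$key" ]; then set -- --kms-key-id "$key"; else set --; fi
  enc_snap=$(aws ec2 copy-snapshot --source-snapshot-id "$snap" \
         --source-region "${AWS_DEFAULT_REGION:?set AWS_DEFAULT_REGION}" --encrypted "$@" \
         --description "ENCRYPTED copy of $snap" --query 'SnapshotId' --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$enc_snap"

  # Step 4: build the encrypted volume in the original volume's AZ.
  new_vol=$(aws ec2 create-volume --snapshot-id "$enc_snap" \
         --availability-zone "$az" --query 'VolumeId' --output text)
  aws ec2 wait volume-available --volume-ids "$new_vol"

  # Steps 5-6: stop, detach the old volume, attach the new one at the same
  # device name, then start the instance again.
  aws ec2 stop-instances --instance-ids "$instance" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance"
  aws ec2 detach-volume --volume-id "$vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$vol"
  aws ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance" \
         --device "$device" >/dev/null
  aws ec2 start-instances --instance-ids "$instance" >/dev/null

  echo "$new_vol"   # the encrypted volume now attached at the original device name
}

# Run only when invoked with arguments, e.g. ./ebs-encrypt.sh vol-0PLACEHOLDER i-0PLACEHOLDER
if [ "$#" -ge 2 ]; then encrypt_volume "$@"; fi
```

The unencrypted snapshot and the original volume are left in place on purpose so you can roll back; delete them once the instance has been verified on the encrypted volume.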

As always, feel free to comment below if you have any issues, comments, questions, or you just feel like saying hi.
