Encrypting Unencrypted AWS EBS Volumes

AWS does not encrypt EBS volumes by default unless the account-level setting is explicitly enabled. That means instances launched without it — or before it was turned on — may have unencrypted volumes sitting in your environment. Encrypting them after the fact requires a few extra steps, and the process differs slightly depending on whether the volume is a data volume or the root volume.


Data Volumes

Data volumes are attached to an instance but not required for it to boot. Because they’re not tied to the running OS, they can be replaced without stopping or recreating the instance.

The process is:

  1. Create a snapshot of the existing unencrypted volume from the EC2 console under Volumes.
  2. Create a new volume from the snapshot — during creation, enable encryption. AWS-managed keys (SSE-S3) work for most cases, or a KMS key can be specified for more granular control.
  3. Detach the old volume from the instance. The instance can remain running for this step if the volume isn’t in active use, but stopping the instance first avoids any risk of data inconsistency.
  4. Attach the new encrypted volume to the instance at the same device path as the original.

Once the new volume is attached and the application or OS confirms access, the original unencrypted volume can be deleted.


Root Volumes

Root volumes contain the operating system and can’t be swapped out while the instance is running. The approach here is to replace the instance rather than the volume.

  1. Create an AMI from the instance — this captures the root volume and any attached data volumes into an image. Stopping the instance before taking the image is recommended to ensure the filesystem is in a clean state.
  2. Launch a new instance from the AMI — during launch, expand the storage configuration and enable encryption on the root volume. The instance type, networking, and other settings can be preserved from the original.

The original instance can be stopped and kept briefly as a fallback, then terminated once the replacement is confirmed working.
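The two procedures above (data volumes: snapshot, encrypted copy, detach, reattach at the same device; root volumes: image the instance and relaunch) can be triaged and scripted from the JSON that `aws ec2 describe-volumes` and `aws ec2 describe-instances` return. The block below is an added example, not code from the original article: the volume and instance IDs are constructed, it makes no AWS calls, and the `<SNAPSHOT_ID>` / `<NEW_VOLUME_ID>` tokens are placeholders to fill from the output of the preceding commands.

```python
import json

# Constructed sample output shaped like `aws ec2 describe-volumes` (not real IDs).
VOLUMES_JSON = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": False, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/xvda"}]},   # root volume
    {"VolumeId": "vol-0bbb", "Encrypted": False, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/sdf"}]},    # data volume
    {"VolumeId": "vol-0ccc", "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/sdg"}]},    # already encrypted
    {"VolumeId": "vol-0ddd", "Encrypted": False, "AvailabilityZone": "us-east-1b",
     "Attachments": []},                                                   # detached
]})
# Constructed sample output shaped like `aws ec2 describe-instances`.
INSTANCES_JSON = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0111", "RootDeviceName": "/dev/xvda"}]}]})


def root_devices(instances_json):
    """Map InstanceId -> RootDeviceName; a volume attached at that device is the root volume."""
    data = json.loads(instances_json)
    return {i["InstanceId"]: i["RootDeviceName"]
            for r in data["Reservations"] for i in r["Instances"]}


def plan(volumes_json, instances_json):
    """Return {volume_id: (kind, [aws cli commands])} for every unencrypted volume."""
    roots = root_devices(instances_json)
    out = {}
    for v in json.loads(volumes_json)["Volumes"]:
        if v["Encrypted"]:
            continue
        att = v["Attachments"][0] if v["Attachments"] else None
        vid, az = v["VolumeId"], v["AvailabilityZone"]
        if att and roots.get(att["InstanceId"]) == att["Device"]:
            # Root volume: image the instance, then relaunch with root encryption enabled.
            out[vid] = ("root", [
                f"aws ec2 create-image --instance-id {att['InstanceId']} --name pre-encrypt-{att['InstanceId']}",
                "# then launch a new instance from the AMI with root-volume encryption enabled"])
            continue
        # Data volume: snapshot, encrypted copy (add --kms-key-id for a CMK), swap at same device.
        cmds = [f"aws ec2 create-snapshot --volume-id {vid} --description pre-encrypt-{vid}",
                f"aws ec2 create-volume --availability-zone {az} --snapshot-id <SNAPSHOT_ID> --encrypted"]
        if att:  # a detached volume only needs the encrypted copy
            cmds += [f"aws ec2 detach-volume --volume-id {vid}",
                     f"aws ec2 attach-volume --volume-id <NEW_VOLUME_ID> "
                     f"--instance-id {att['InstanceId']} --device {att['Device']}"]
        out[vid] = ("data", cmds)
    return out
```

Running `plan` over real `describe-volumes` / `describe-instances` output (saved with `--output json`) gives a per-volume checklist; the already encrypted volume is skipped and the detached one gets no detach/attach step.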


Preventing It Going Forward

The most effective way to avoid unencrypted volumes is to enable account-level default encryption. When this setting is on, every new EBS volume created in the region — whether explicitly or as part of an instance launch — is automatically encrypted.

To enable it:

  1. Navigate to the EC2 Dashboard
  2. In the top-right area, select Account Attributes → Data protection and security
  3. Click Manage in the EBS encryption section
  4. Check Enable and click Update EBS encryption

This setting is region-specific — it needs to be enabled in each region where instances are deployed.


Closing Thoughts

Encrypting existing volumes is straightforward once you know which approach applies. Data volumes are the simpler case — a snapshot, a new encrypted volume, and a swap. Root volumes require replacing the instance, which takes a bit more care but follows the same pattern. Enabling the account-level default after cleaning up existing volumes ensures the issue doesn’t reappear with future deployments.
