How to encrypt EBS volumes of a running EC2 instance?
Nowadays encryption of data at rest is a must, especially if the data is stored in a public cloud. It is also necessary to meet various compliance requirements such as PCI DSS.
We will use AWS KMS to encrypt the EBS volumes. AWS provides a default key for EBS volume encryption, aws/ebs; you can use this key or create your own.
Create KMS Key:
Log in to your AWS account, go to IAM, Encryption keys, select the region you want to use the key in, and create the key.
Now that the key is ready to use for encryption, follow the steps below to complete the task:
1. Stop your EC2 instance.
2. Create an EBS snapshot of the volume you want to encrypt.
3. Copy the EBS snapshot, encrypting the copy in the process with the key created above.
4. Create a new EBS volume from the new encrypted EBS snapshot. The new EBS volume will be encrypted.
5. Detach the original EBS volume and attach your new encrypted EBS volume, making sure to match the device name (/dev/xvda1, etc.).
6. Start the EC2 instance.
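The same six steps can be scripted with the AWS CLI so that each step waits for the previous one to finish and the swap only happens once the new volume is confirmed encrypted. This is an added example, not part of the original post; it assumes AWS CLI v2 is configured with a default region and with permissions for the EC2 calls used and for the chosen KMS key, and every identifier (instance, volume, device name, key) is a placeholder supplied as an argument.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): stop -> snapshot -> encrypted
# copy -> new volume -> swap -> start, with a check before the swap.
# Assumes AWS CLI v2 configured with a default region; all IDs are placeholders.
set -eu

# Accept a KMS key reference in the forms --kms-key-id takes:
# an alias (alias/aws/ebs), a key or alias ARN, or a key ID (UUID).
kms_key_ref_ok() {
  case "$1" in
    alias/*) return 0 ;;
    arn:aws*:kms:*:*:key/*) return 0 ;;
    arn:aws*:kms:*:*:alias/*) return 0 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# The device name is the EC2 block-device mapping name (/dev/sda1, /dev/xvda1),
# not the NVMe name the guest OS may show; it must match the old attachment.
device_name_ok() {
  printf '%s' "$1" | grep -Eq '^/dev/(sd[a-z][0-9]*|xvd[a-z][0-9]*)$'
}

encrypt_volume() {
  local instance_id="$1" volume_id="$2" device="$3" kms_key="$4"
  kms_key_ref_ok "$kms_key" || { echo "bad KMS key reference: $kms_key" >&2; return 1; }
  device_name_ok "$device"   || { echo "bad device name: $device" >&2; return 1; }

  # 1. Stop the instance so the volume is quiescent before it is snapshotted.
  aws ec2 stop-instances --instance-ids "$instance_id" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance_id"

  # 2. Snapshot the still-unencrypted volume.
  local snap
  snap=$(aws ec2 create-snapshot --volume-id "$volume_id" \
           --description "pre-encryption copy of $volume_id" \
           --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"

  # 3. Copy the snapshot; the copy is encrypted under the chosen KMS key.
  local region enc_snap
  region=$(aws configure get region)
  enc_snap=$(aws ec2 copy-snapshot --source-region "$region" \
               --source-snapshot-id "$snap" --encrypted --kms-key-id "$kms_key" \
               --description "encrypted copy of $snap" \
               --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$enc_snap"

  # 4. Create the new volume in the old volume's AZ with the same volume type;
  #    a volume built from an encrypted snapshot is itself encrypted.
  local az vtype new_vol
  az=$(aws ec2 describe-volumes --volume-ids "$volume_id" \
         --query 'Volumes[0].AvailabilityZone' --output text)
  vtype=$(aws ec2 describe-volumes --volume-ids "$volume_id" \
            --query 'Volumes[0].VolumeType' --output text)
  new_vol=$(aws ec2 create-volume --snapshot-id "$enc_snap" \
              --availability-zone "$az" --volume-type "$vtype" \
              --query VolumeId --output text)
  aws ec2 wait volume-available --volume-ids "$new_vol"

  # Refuse to swap unless the API confirms the new volume is encrypted.
  local enc
  enc=$(aws ec2 describe-volumes --volume-ids "$new_vol" \
          --query 'Volumes[0].Encrypted' --output text)
  [ "$enc" = "True" ] || { echo "$new_vol is not encrypted; aborting" >&2; return 1; }

  # 5. Swap the volumes under the same device name.
  aws ec2 detach-volume --volume-id "$volume_id" >/dev/null
  aws ec2 wait volume-available --volume-ids "$volume_id"
  aws ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance_id" \
    --device "$device" >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$new_vol"

  # 6. Start the instance. The old volume and both snapshots are left in place
  #    so they can be removed deliberately once the instance is verified.
  aws ec2 start-instances --instance-ids "$instance_id" >/dev/null
  aws ec2 wait instance-running --instance-ids "$instance_id"
  echo "$new_vol"
}

# Usage: ./encrypt-volume.sh i-0123456789abcdef0 vol-0123456789abcdef0 /dev/xvda1 alias/aws/ebs
if [ "$#" -eq 4 ]; then
  encrypt_volume "$1" "$2" "$3" "$4"
fi
```

The script prints the new volume ID on success and stops with a non-zero exit before the detach step if the new volume does not report Encrypted, so a failed copy never leaves the instance without a root volume. The original volume and snapshot are intentionally not deleted by the script.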
Now your EC2 instance runs on encrypted EBS volumes. Do not delete the KMS key while it is in use: deleting a key makes all data encrypted under that key unrecoverable.