Athennian Dev Life
Published in

Athennian Dev Life

Encrypt an already attached Unencrypted EBS volume on AWS EC2

Image courtesy of Felton Davis

Sometimes in life we are just trying to get the job done and we may leave the oven on, lock ourselves out of our house, or forget to encrypt the volume storage attached to our servers. Try not to panic. Mistakes happen, which is why we have smoke alarms, why we might give an extra house key to a trusted friend who lives nearby, and why we have this handy guide to encrypt our EBS volume storage after it is attached to a running EC2 server. Here is what to do:

  1. Find the EC2 instance with the unencrypted volume and stop it.
Dang! I forgot to encrypt it!
Nobody has to know. This will be our secret…

2. Create a snapshot of the EBS volume you want to encrypt.

Can I trust you with this?
This part will take a few minutes. Take this time to prep your exit plan.

3. Copy the EBS snapshot, encrypting the copy in the process using an available key. (You can use the default or create your own)

Look to your left. Look to your right. Is no one there? Good. Make the copy.
We’ll do it right this time.

4. Create a new EBS volume from your new encrypted EBS snapshot (This new EBS volume will be encrypted). I find this is also an excellent spot to check the type of storage being used if you are using older/more expensive technology or something not up to the task.

A few things here — might as well update the volume type if the current one is outdated. Secondly, make sure the availability zone matches the EC2 instance. Finally, select your appropriate key and add a name tag— I find it easier to search for it after.

5. Detach the original EBS volume and attach your new encrypted EBS volume, making sure to match the device name (/dev/sda1, etc.). While it says /dev/sdf through to /dev/sdp is available, if this is the root disk, you will need to use /dev/xvda1 in order for the instance to start up again, despite the implication that this might be an invalid device name.

Out with the old…
…in with the new.
Minor correction on this image — it should say “/dev/sda1” under the Device Name field.

6. Start the EC2 instance up again. Verify that the server is doing the things as expected and that the data is correct.

No one is the wiser.

7. Delete the now detached unencrypted volume. Enjoy peaceful sleep!

Leave no survivors and save money on your AWS bill!

Generally, this is a good thing to prevent at the onset. So definitely check any launch templates or scripts you may have that provision your instances and storage to see if encryption is enabled by default. We think this is a handy targeted method in a pinch, and hope it serves you well.

If you found this valuable please give the Athennian Dev Life blog a follow where I’ll continue to post more tech goodness and keep an eye out on our careers page for more updates. Thanks for reading!




It’s easy to lose sight of what’s important in life. As developers and people deeply interested in technology, we can easily forget why we started this pursuit. These are our projects, discoveries, and stories we want to carry into the future to remember and share with the world.

Recommended from Medium

Best Java Books You can Read to become Expert Java designer

Discovering Azure’s Computer Vision and Cloud Search Services — Part 2

Python Logging

Data Structures in Python 🐍2️⃣ Singly Linked List

Learn CSS Selectors While Preparing Bento Boxes

Release Notes — Kuiper 0.5.0

Words can unlock javascript

We 💜 data: going over the numbers of Utrust

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Shane Fast

Shane Fast

Co-founder of Athennian @athennian. Always interested in hearing from entrepreneurs, colleagues, and self-driven people.

More from Medium

How to get AWS security keys from EKS POD in NodeJS

Secure AWS Account Credentials with Aws Vault (MacOS)

Basic guide to creating resources in AWS with Terraform

Amazon API Gateway HTTP Errors