Encrypt Volume
Encrypt or re-encrypt an EBS volume with a KMS key.
Steps:
- Create snapshot of the volume
- Create encrypted volume from the snapshot with the specified KMS key
- Copy tags from original volume to encrypted volume
- If volume is attached to an instance:
  - Stop the instance
  - Detach original volume
  - Attach encrypted volume
  - Preserve original device name (e.g. /dev/sda1)
  - If instance was originally running:
    - Start the instance
- Delete the snapshot
- Original volume remains for rollback purposes
If you are looking to encrypt all volumes of an instance, use Encrypt Instance Volumes instead.
For volumes attached to running instances, downtime is minimized (~2 min) by stopping the instance only when the volumes are ready to swap.
If re_encrypt is supplied and the volume is already encrypted, it will be re-encrypted.
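The steps above written out as boto3 EC2 client calls. This is an added example, not the tool's own code: the helper name `encrypt_volume` and its signature are hypothetical, `ec2` is assumed to be a client such as `boto3.client("ec2")`, and returning the original ID when the volume is skipped is an assumption.

```python
def encrypt_volume(ec2, volume_id, kms_key_id, re_encrypt=False):
    """Replace volume_id with a copy encrypted under kms_key_id.

    ec2: a boto3 EC2 client, e.g. boto3.client("ec2").
    Returns the new volume ID (assumption: the original ID if skipped).
    """
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol["Encrypted"] and not re_encrypt:
        return volume_id  # already encrypted and re_encrypt not set: skip

    def wait(name, **kw):
        ec2.get_waiter(name).wait(**kw)

    # Snapshot, then build the encrypted copy while the instance keeps running.
    snap_id = ec2.create_snapshot(VolumeId=volume_id)["SnapshotId"]
    wait("snapshot_completed", SnapshotIds=[snap_id])
    # Assumption: volume type and IOPS are left at the EC2 default here.
    args = dict(SnapshotId=snap_id, AvailabilityZone=vol["AvailabilityZone"],
                Encrypted=True, KmsKeyId=kms_key_id)
    if vol.get("Tags"):  # copy tags from the original volume
        args["TagSpecifications"] = [{"ResourceType": "volume",
                                      "Tags": vol["Tags"]}]
    new_id = ec2.create_volume(**args)["VolumeId"]
    wait("volume_available", VolumeIds=[new_id])

    # Swap only once the encrypted volume is ready, to keep downtime short.
    for att in vol.get("Attachments", []):
        inst, device = att["InstanceId"], att["Device"]
        state = ec2.describe_instances(InstanceIds=[inst])[
            "Reservations"][0]["Instances"][0]["State"]["Name"]
        if state != "stopped":
            ec2.stop_instances(InstanceIds=[inst])
            wait("instance_stopped", InstanceIds=[inst])
        ec2.detach_volume(VolumeId=volume_id)
        wait("volume_available", VolumeIds=[volume_id])
        # Reuse the original device name (e.g. /dev/sda1).
        ec2.attach_volume(VolumeId=new_id, InstanceId=inst, Device=device)
        wait("volume_in_use", VolumeIds=[new_id])
        if state == "running":  # restart only if it was running before
            ec2.start_instances(InstanceIds=[inst])

    ec2.delete_snapshot(SnapshotId=snap_id)
    return new_id  # the original volume is kept for rollback
```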
Usage
Input
Parameter | Description | Type | Required | Default Value |
---|---|---|---|---|
volume_id | Volume ID to encrypt | string | Yes | None |
kms_key_id | KMS Key ID to use for encryption | string | Yes | None |
re_encrypt | Re-encrypt already encrypted volume | bool | No | False |
region | Region for operation. Leave blank for session default | string | No | Session Default |
debug | Increase log verbosity | bool | No | False |
silent | Decrease log verbosity | bool | No | False |
output | Output format table | string | No | None |
session | Established session | object | No | None |
Output
Returns a string of the new, encrypted volume ID:
"vol-1234567890abcdef0"
Examples
Encrypt a volume with a KMS key (skipped if already encrypted):
aaws ec2 encrypt_volume --volume_id vol-1234567890abcdef0 --kms_key_id abcd1234-a123-456a-a12b-a123b4cd56ef
Encrypt a volume with a KMS key (re-encrypted if already encrypted):
aaws ec2 encrypt_volume --re_encrypt --volume_id vol-1234567890abcdef0 --kms_key_id abcd1234-a123-456a-a12b-a123b4cd56ef