Sep 27, 2018

How to change an unencrypted EC2 root volume to an encrypted one?

First, get an encrypted copy of the unencrypted root volume:

Step 1: Stop the instance (select the instance > Actions > Instance State > Stop).
Step 2: Create a snapshot of your existing root volume: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html or go to the Volumes page > choose the root volume > Actions > Create Snapshot.
Step 3: Once the snapshot has been created, copy it (Snapshot > Actions > Copy) and enable encryption in the process (check "Encrypt this snapshot").
Step 4: Once the encrypted copy of the root volume snapshot has been created, create a new volume from it (the new volume will in turn be encrypted): https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html
Step 5: Detach the old root volume.
Step 6: Attach the new encrypted root volume created from the encrypted snapshot copy.
Step 7: Start the instance again.
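
The same seven steps with the AWS CLI, as an added example that is not part of the original page. The function name encrypt_root_volume and its two arguments are assumptions of this sketch; it encrypts with the account's default EBS KMS key and reattaches the new volume under the instance's existing root device name.

```sh
#!/bin/sh
# Added example (not from the original page): Steps 1-7 with the AWS CLI.
# The function name and its arguments are assumptions of this sketch.
set -eu

# Every call goes to one region and returns plain text.
ec2() { aws ec2 "$@" --region "$REGION" --output text; }

# Usage: encrypt_root_volume INSTANCE_ID REGION   -> prints the new volume ID
encrypt_root_volume() (
  id=$1 REGION=$2 inst='Reservations[0].Instances[0]'
  # Look up the root device name, the availability zone and the root volume.
  dev=$(ec2 describe-instances --instance-ids "$id" --query "$inst.RootDeviceName")
  az=$(ec2 describe-instances --instance-ids "$id" \
        --query "$inst.Placement.AvailabilityZone")
  old=$(ec2 describe-instances --instance-ids "$id" \
        --query "$inst.BlockDeviceMappings[?DeviceName=='$dev'].Ebs.VolumeId")
  [ -n "$old" ] && [ "$old" != None ] || { echo "no EBS root volume" >&2; exit 1; }

  # Step 1: stop the instance and wait until it is fully stopped.
  ec2 stop-instances --instance-ids "$id" >/dev/null
  ec2 wait instance-stopped --instance-ids "$id"

  # Step 2: snapshot the existing (unencrypted) root volume.
  snap=$(ec2 create-snapshot --volume-id "$old" \
        --description "root of $id before encryption" --query SnapshotId)
  ec2 wait snapshot-completed --snapshot-ids "$snap"

  # Step 3: copy the snapshot with encryption enabled (default EBS KMS key).
  enc=$(ec2 copy-snapshot --source-region "$REGION" --source-snapshot-id "$snap" \
        --encrypted --query SnapshotId)
  ec2 wait snapshot-completed --snapshot-ids "$enc"

  # Step 4: create the new volume in the instance's availability zone.
  new=$(ec2 create-volume --snapshot-id "$enc" --availability-zone "$az" \
        --query VolumeId)
  ec2 wait volume-available --volume-ids "$new"

  # Steps 5-6: swap the volumes on the same root device name.
  ec2 detach-volume --volume-id "$old" >/dev/null
  ec2 wait volume-available --volume-ids "$old"
  ec2 attach-volume --volume-id "$new" --instance-id "$id" --device "$dev" >/dev/null
  ec2 wait volume-in-use --volume-ids "$new"

  # Step 7: start the instance again and report the encrypted volume.
  ec2 start-instances --instance-ids "$id" >/dev/null
  echo "$new"
)
```

The old unencrypted volume and its snapshot are left in place after the swap. If a snapshot takes longer than the CLI waiter's polling window, the wait call fails and the function stops before anything is detached.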

If your instance is, for example, a spot instance and therefore you cannot stop it (you can only reboot or terminate it), then:

Run sudo vim /etc/fstab, change the root mount option there, and reboot.