How can I change the encryption key used by my EBS volume?
Last updated: 2019-12-11
I want to update the encryption key used by my Amazon Elastic Block Store (Amazon EBS) volume so that it uses a new encryption key. How can I do this?
Encryption keys used by an Amazon EBS volume can't be changed. However, you can create a snapshot of the volume and then use the snapshot to create a new, encrypted copy of the volume. While creating the new volume, specify the new encryption key.
Note: Storage blocks for volumes created from snapshots must be pulled down from Amazon Simple Storage Service (Amazon S3) and written to the volume before you can access them. This can cause initial performance degradation for the volume. To avoid this, use one of the two options listed in step 8.
1. Open the Amazon EC2 console.
2. Under Elastic Block Store, select Volumes.
3. Select the volume from the list. Take note of the current Availability Zone of your volume.
4. From the Actions dropdown list, choose Create Snapshot.
5. (Optional) Enter a Description for the snapshot.
6. Select Create Snapshot, and then select Close.
7. Under Elastic Block Store, select Snapshots, and then select your newly created snapshot.
8. (Optional) Turn on fast snapshot restore on your snapshot. Fast snapshot restore makes sure that the Amazon EBS volume created from the snapshot is fully initialized at creation so that it instantly delivers all its provisioned performance. If you don't turn on fast snapshot restore, you can manually initialize your Amazon EBS volume after creation. Manual initialization avoids the latency caused by pulling the storage blocks from Amazon S3 to your volume.
9. From the Actions dropdown list, select Create Volume.
10. From the Availability Zone dropdown list, select the same Availability Zone as your current volume (noted in step 3).
11. From the KMS key dropdown list, choose the new encryption key.
12. Select Create Volume. The new Amazon EBS volume uses the specified encryption key.
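
The same procedure can be scripted. The following is an added example, not part of the original article: a Python function that drives a boto3 EC2 client through the snapshot and restore, then confirms that the new volume reports the requested key. The function name `rekey_volume` is chosen here, and the new key is assumed to be passed as a full KMS key ARN so that it can be compared with the value EC2 returns.

```python
def rekey_volume(ec2, volume_id, new_key_arn):
    """Snapshot volume_id and restore it encrypted under new_key_arn.

    ec2 is a boto3 EC2 client. new_key_arn is assumed to be a full KMS key
    ARN (not an alias or bare key ID). Returns the ID of the new volume.
    """
    # Step 3: read the source volume's Availability Zone and current key.
    src = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if src.get("KmsKeyId") == new_key_arn:
        raise ValueError(f"{volume_id} already uses {new_key_arn}")

    # Steps 4-6: create the snapshot and wait until it is complete.
    snap_id = ec2.create_snapshot(
        VolumeId=volume_id,
        Description=f"re-key of {volume_id}",
    )["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    # Provisioned IOPS volume types need Iops passed explicitly.
    extra = {}
    if src["VolumeType"] in ("io1", "io2"):
        extra["Iops"] = src["Iops"]

    # Steps 9-12: restore in the same Availability Zone under the new key.
    # Step 8 (fast snapshot restore) is optional and is left out here.
    new_id = ec2.create_volume(
        SnapshotId=snap_id,
        AvailabilityZone=src["AvailabilityZone"],
        VolumeType=src["VolumeType"],
        Encrypted=True,
        KmsKeyId=new_key_arn,
        **extra,
    )["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])

    # Check what EC2 reports rather than trusting the request parameters.
    new = ec2.describe_volumes(VolumeIds=[new_id])["Volumes"][0]
    if not new.get("Encrypted") or new.get("KmsKeyId") != new_key_arn:
        raise RuntimeError(f"{new_id} is not encrypted with {new_key_arn}")
    return new_id


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the function also works with a stub client

    print(rekey_volume(boto3.client("ec2"), sys.argv[1], sys.argv[2]))
```

The original volume and the intermediate snapshot are left in place; both remain encrypted under the old key until you delete them.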