How do I unencrypt an encrypted EBS volume?
Last updated: 2020-08-20
I want to unencrypt an Amazon Elastic Block Store (Amazon EBS) volume that was encrypted using a default AWS Key Management Service (KMS) customer master key (CMK) or a custom CMK. How do I do this?
You can copy an encrypted volume to a new, unencrypted volume using a temporary Amazon Elastic Compute Cloud (Amazon EC2) instance. You can then attach the unencrypted volume to your original instance.
Note: The following resolution uses a root volume as an example. You can also perform these steps on a secondary volume.
1. Create a snapshot of the encrypted root volume, or create an AMI of the instance with the encrypted volume. Use snapshots and AMIs to provide backups for your resources before performing any major tasks.
2. Open the Amazon EC2 console.
4. In the Description tab, under Root device, choose the root volume, and then choose the EBS ID. Note your root device's name.
Note: The root device differs by AMI. For example, Amazon Linux 1 and 2 use /dev/xvda. Other distributions, such as Ubuntu 14, 16, 18, CentOS7, and RHEL 7.5, use /dev/sda1.
5. Choose Actions, Detach Volume, and then choose Yes, Detach. Note the Availability Zone.
6. Launch a rescue instance with a similar OS and in the same Availability Zone as the original instance.
7. After the rescue instance launches, choose Volumes from the navigation pane, and then select the detached, encrypted root volume.
8. Choose Actions, Attach Volume.
9. Choose the rescue instance ID (id-xxxx), and attach the encrypted volume at /dev/xvdf or /dev/sdf.
10. Create a new, unencrypted volume in the same Availability Zone as the original, encrypted volume.
Important: To avoid data loss, confirm that your new volume size is larger than the size of the encrypted volume.
11. Attach the new, unencrypted volume to the rescue instance as /dev/xvdg or /dev/sdg.
12. Connect to the rescue instance and confirm the presence of the root device and both attached volumes using the lsblk command.
$lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT xvda 202:0 0 8G 0 disk └─xvda1 202:1 0 8G 0 part / xvdf 202:80 0 8G 0 disk └─xvdf1 202:81 0 8G 0 part xvdg 202:96 0 8G 0 disk
13. As sudoer/root, use the dd command to move the data from the original, encrypted volume (input file is /dev/xvdf) to the new, unencrypted volume (output file is /dev/xvdg).
#dd if=/dev/xvdf of=/dev/xvdg bs=4096 status=progress
Note: The data transfer time varies depending on the size and type of the volume and instance.
14. Detach the new, unencrypted volume (/dev/xvdg) from the rescue instance. Then, attach it to the original instance as /dev/xvda or /dev/sda1.
15. Connect to the original instance to confirm that the instance reads the new, unencrypted (copied) root volume.
16. To be sure that the root volume is now unencrypted, select the original instance in the Amazon EC2 console, and then view the volume’s properties.
Note: You might need to reboot or stop and start the instance to register the partition changes to the kernel.
17. Repeat the process for any other encrypted volumes on the original instance to create "cloned" volumes that are unencrypted.
18. Shut down the rescue instance after you confirm that the new, unencrypted volumes are working properly.