How do I unencrypt an encrypted EBS volume?

Last updated: 2020-04-29

I want to unencrypt an Amazon Elastic Block Store (Amazon EBS) volume that was encrypted using a default AWS Key Management Service (KMS) customer master key (CMK) or a custom CMK. How do I do this?

Short Description

You can copy an encrypted volume to a new, unencrypted volume using a temporary Amazon Elastic Compute Cloud (Amazon EC2) instance. You can then attach the unencrypted volume to your original instance.


Note: The following resolution uses a root volume as an example. You can also perform these steps on a secondary volume.

1.    Create a snapshot of the encrypted root volume or create an AMI of the instance with the encrypted volume. Use snapshots and AMIs to provide backups for your resources before performing any major tasks.

2.    Open the Amazon EC2 console.

3.    Stop the instance with the encrypted root volume.

4.    In the Description tab, under Root device, choose the root volume, and then choose the EBS ID. Make a note of your root device's name.

Note: The root device differs by AMI. For example, Amazon Linux 1 and 2 use /dev/xvda. Other distributions, such as Ubuntu 14, 16, 18, CentOS 7, and RHEL 7.5, use /dev/sda1.

5.    Choose Actions, Detach Volume, and then choose Yes, Detach. Note the Availability Zone.

6.    Launch a rescue instance with a similar OS and in the same Availability Zone as the original instance.

7.    After the rescue instance launches, choose Volumes from the navigation pane, and then select the detached, encrypted root volume.

8.    Choose Actions, Attach Volume.

9.    Choose the rescue instance ID (id-xxxx), and attach the encrypted volume at /dev/xvdf or /dev/sdf.

10.   Create a new, unencrypted volume in the same Availability Zone as the original, encrypted volume. 

Note: To avoid data loss, make sure that the new volume is not smaller than the encrypted volume.

11.   Attach the new, unencrypted volume to the rescue instance as /dev/xvdg or /dev/sdg.

12.   Connect to the rescue instance and confirm the presence of the root device and both attached volumes using the lsblk command.

xvda    202:0    0   8G  0 disk 
└─xvda1 202:1    0   8G  0 part /
xvdf    202:80   0   8G  0 disk 
└─xvdf1 202:81   0   8G  0 part 
xvdg    202:96   0   8G  0 disk

13.   As sudoer/root, use the dd command to move the data from the original, encrypted volume (input file is /dev/xvdf) to the new, unencrypted volume (output file is /dev/xvdg).

# dd if=/dev/xvdf of=/dev/xvdg bs=4096 status=progress

Note: The data transfer time varies depending on the size and type of the volume and instance.

14.   Detach the new, unencrypted volume (/dev/xvdg) from the rescue instance and attach it to the original instance as /dev/xvda or /dev/sda.

15.   Connect to the original instance to confirm that the instance reads the new, unencrypted (copied) root volume.

16.   To ensure that the root volume is now unencrypted, select the original instance in the Amazon EC2 console, and then view the volume’s properties.

Note: You might need to reboot or stop and start the instance to register the partition changes to the kernel.

17.   Repeat the process for any other encrypted volumes on the original instance to create "cloned" volumes that are unencrypted.

18.   Terminate the rescue instance after you have confirmed that the new, unencrypted volumes are working properly.
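A check worth running on the rescue instance after step 13, before anything is detached or terminated: the script below is an added example, not part of the original article. It confirms that the target volume is at least as large as the source and that its leading bytes match the source by SHA-256. The device paths are the article's; the function names dev_size, hash_prefix and verify_copy are hypothetical, and the script assumes that head, sha256sum and blockdev are available on the rescue instance.

```shell
#!/bin/sh
# Added example: verify the dd copy from step 13 before detaching volumes.
# Function names are hypothetical; /dev/xvdf and /dev/xvdg follow the article.

# Size in bytes of a block device (or of a regular file, for offline testing).
dev_size() {
  if [ -b "$1" ]; then
    blockdev --getsize64 "$1"
  else
    wc -c < "$1" | tr -d ' '
  fi
}

# SHA-256 of the first $2 bytes of $1.
hash_prefix() {
  head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_copy SRC DST
# Returns 0 only if DST is at least as large as SRC and the first
# size(SRC) bytes of DST are identical to SRC. A larger DST is allowed
# (step 10), so only the source-sized prefix is compared.
verify_copy() {
  vc_src=$1
  vc_dst=$2
  vc_src_size=$(dev_size "$vc_src") || return 2
  vc_dst_size=$(dev_size "$vc_dst") || return 2
  if [ "$vc_dst_size" -lt "$vc_src_size" ]; then
    echo "FAIL: $vc_dst ($vc_dst_size bytes) is smaller than $vc_src ($vc_src_size bytes)" >&2
    return 1
  fi
  vc_src_hash=$(hash_prefix "$vc_src" "$vc_src_size")
  vc_dst_hash=$(hash_prefix "$vc_dst" "$vc_src_size")
  if [ "$vc_src_hash" = "$vc_dst_hash" ]; then
    echo "OK: first $vc_src_size bytes of $vc_dst match $vc_src ($vc_src_hash)"
    return 0
  fi
  echo "FAIL: content mismatch between $vc_src and $vc_dst" >&2
  return 1
}

# Run as root with two arguments, for example:
#   sudo sh verify_copy.sh /dev/xvdf /dev/xvdg
if [ "$#" -eq 2 ]; then
  verify_copy "$1" "$2"
fi
```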
