# Amazon EBS encryption
<a name="ebs-encryption"></a>

Use Amazon EBS encryption as a straightforward encryption solution for the Amazon EBS resources associated with your Amazon EC2 instances. With Amazon EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. Amazon EBS encryption uses AWS KMS keys when creating encrypted volumes and snapshots.

Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.

You can attach both encrypted and unencrypted volumes to an instance simultaneously. All Amazon EC2 instance types support Amazon EBS encryption.

**Topics**
+ [How Amazon EBS encryption works](how-ebs-encryption-works.md)
+ [Requirements for Amazon EBS encryption](ebs-encryption-requirements.md)
+ [Enable Amazon EBS encryption by default](encryption-by-default.md)
+ [Encrypt EBS resources](#encryption-parameters)
+ [Rotate AWS KMS keys used for Amazon EBS encryption](kms-key-rotation.md)
+ [Amazon EBS encryption examples](encryption-examples.md)

# How Amazon EBS encryption works
<a name="how-ebs-encryption-works"></a>

You can encrypt both the boot and data volumes of an EC2 instance.

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
+ Data at rest inside the volume
+ All data moving between the volume and the instance
+ All snapshots created from the volume
+ All volumes created from those snapshots

Amazon EBS encrypts your volume with a [data key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys) using industry-standard AES-256 data encryption. The data key is generated by AWS KMS and then encrypted by AWS KMS with an AWS KMS key prior to being stored with your volume information. Amazon EBS automatically creates a unique AWS managed key in each Region where you create Amazon EBS resources. The [alias](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) for the KMS key is `aws/ebs`. By default, Amazon EBS uses this KMS key for encryption. Alternatively, you can use a symmetric customer managed encryption key that you create. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable KMS keys.

Amazon EC2 works with AWS KMS to encrypt and decrypt your EBS volumes in slightly different ways depending on whether the snapshot from which you create an encrypted volume is encrypted or unencrypted.

## How EBS encryption works when the snapshot is encrypted
<a name="how-ebs-encryption-works-encrypted-snapshot"></a>

When you create an encrypted volume from an encrypted snapshot that you own, Amazon EC2 works with AWS KMS to encrypt and decrypt your EBS volumes as follows:

1. Amazon EC2 sends a [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) request to AWS KMS, specifying the KMS key that you chose for volume encryption.

1. If the volume is encrypted using the same KMS key as the snapshot, AWS KMS uses the same data key as the snapshot and encrypts it under that same KMS key. If the volume is encrypted using a different KMS key, AWS KMS generates a new data key and encrypts it under the KMS key that you specified. The encrypted data key is sent to Amazon EBS to be stored with the volume metadata.

1. When you attach the encrypted volume to an instance, Amazon EC2 sends a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS so that it can decrypt the data key.

1. AWS KMS decrypts the encrypted data key and sends the decrypted data key to Amazon EC2.

1. Amazon EC2 uses the plaintext data key in the Nitro hardware to encrypt disk I/O to the volume. The plaintext data key persists in memory as long as the volume is attached to the instance.

## How EBS encryption works when the snapshot is unencrypted
<a name="how-ebs-encryption-works-unencrypted-snapshot"></a>

When you create an encrypted volume from an unencrypted snapshot, Amazon EC2 works with AWS KMS to encrypt and decrypt your EBS volumes as follows:

1. Amazon EC2 sends a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS, so that it can encrypt the volume that is created from the snapshot.

1. Amazon EC2 sends a [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) request to AWS KMS, specifying the KMS key that you chose for volume encryption.

1. AWS KMS generates a new data key, encrypts it under the KMS key that you chose for volume encryption, and sends the encrypted data key to Amazon EBS to be stored with the volume metadata.

1. Amazon EC2 sends a [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) request to AWS KMS to decrypt the encrypted data key, which it then uses to encrypt the volume data.

1. When you attach the encrypted volume to an instance, Amazon EC2 sends a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS, so that it can decrypt the data key.

1. When you attach the encrypted volume to an instance, Amazon EC2 sends a [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) request to AWS KMS, specifying the encrypted data key.

1. AWS KMS decrypts the encrypted data key and sends the decrypted data key to Amazon EC2.

1. Amazon EC2 uses the plaintext data key in the Nitro hardware to encrypt disk I/O to the volume. The plaintext data key persists in memory as long as the volume is attached to the instance.

For more information, see [How Amazon Elastic Block Store (Amazon EBS) uses AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html) and [Amazon EC2 example two](https://docs.aws.amazon.com/kms/latest/developerguide/ct-ec2two.html) in the *AWS Key Management Service Developer Guide*.

## How unusable KMS keys affect data keys
<a name="unusable-keys"></a>

When a KMS key becomes unusable, the effect is almost immediate (subject to eventual consistency). The key state of the KMS key changes to reflect its new condition, and all requests to use the KMS key in cryptographic operations fail.

When you perform an action that makes the KMS key unusable, there is no immediate effect on the EC2 instance or the attached EBS volumes. Amazon EC2 uses the data key, not the KMS key, to encrypt all disk I/O while the volume is attached to the instance.

However, when the encrypted EBS volume is detached from the EC2 instance, Amazon EBS removes the data key from the Nitro hardware. The next time the encrypted EBS volume is attached to an EC2 instance, the attachment fails, because Amazon EBS cannot use the KMS key to decrypt the volume's encrypted data key. To use the EBS volume again, you must make the KMS key usable again.

**Tip**  
If you no longer want access to data stored in an EBS volume encrypted with a data key generated from a KMS key that you intend to make unusable, we recommend that you detach the EBS volume from the EC2 instance before you make the KMS key unusable.

For more information, see [How unusable KMS keys affect data keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#unusable-kms-keys) in the *AWS Key Management Service Developer Guide*.
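The envelope-encryption flow and key-state behaviour described above, modelled as an added example that is not AWS code: a `KmsKey` that wraps data keys and can be disabled or rotated (rotation is covered later on this page), and an `EbsVolume` that holds the plaintext data key only while attached. An HMAC-SHA256 keystream stands in for AES-256 so the model runs offline; the class and method names are assumptions, not the AWS API.

```python
import hashlib
import hmac
import os


def _stream_xor(key, nonce, data):
    """Stand-in for AES-256 so the model runs offline: XOR with an HMAC-SHA256
    counter keystream. Illustrative only, not a real disk-encryption mode."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KmsKey:
    """Symmetric KMS key: material never leaves KMS; rotate() adds a version."""

    def __init__(self, key_id):
        self.key_id = key_id
        self.enabled = True  # False models a disabled / pending-deletion key
        self._versions = [os.urandom(32)]  # index 0 is the oldest material

    def rotate(self):
        # New material for new encryptions; old versions stay for decryption.
        self._versions.append(os.urandom(32))

    def generate_data_key_without_plaintext(self):
        # A fresh 256-bit data key, returned only wrapped under the current
        # material, prefixed with a 1-byte material version for later decrypt.
        self._check_usable()
        version = len(self._versions) - 1
        nonce = os.urandom(16)
        wrapped = _stream_xor(self._versions[version], nonce, os.urandom(32))
        return bytes([version]) + nonce + wrapped

    def decrypt(self, encrypted_data_key):
        # Unwrap with the material version that wrapped the data key; fails
        # whenever the KMS key is unusable, even after rotation.
        self._check_usable()
        version = encrypted_data_key[0]
        nonce, wrapped = encrypted_data_key[1:17], encrypted_data_key[17:]
        return _stream_xor(self._versions[version], nonce, wrapped)

    def _check_usable(self):
        if not self.enabled:
            raise PermissionError(f"KMS key {self.key_id} is disabled")


class EbsVolume:
    """Stores only the wrapped data key; the plaintext copy exists only while
    attached (the Nitro-hardware copy described above)."""

    def __init__(self, kms_key):
        self.kms_key_id = kms_key.key_id
        self.encrypted_data_key = kms_key.generate_data_key_without_plaintext()
        self.material_version = self.encrypted_data_key[0]
        self._blocks = {}  # block number -> ciphertext
        self._data_key = None

    def attach(self, kms):
        # Attachment is the only step that needs KMS (CreateGrant + Decrypt).
        self._data_key = kms[self.kms_key_id].decrypt(self.encrypted_data_key)

    def detach(self):
        self._data_key = None  # the data key leaves the host on detach

    def write(self, block, data):
        # Disk I/O uses the data key only; KMS is not contacted here.
        self._blocks[block] = _stream_xor(self._require_key(), block.to_bytes(16, "big"), data)

    def read(self, block):
        return _stream_xor(self._require_key(), block.to_bytes(16, "big"), self._blocks[block])

    def _require_key(self):
        if self._data_key is None:
            raise RuntimeError("volume is not attached")
        return self._data_key


def unusable_key_scenario():
    """Disable the KMS key while attached: I/O continues, the next attach
    fails, and re-enabling the key makes the volume usable again."""
    key = KmsKey("key-A")
    kms = {key.key_id: key}
    vol = EbsVolume(key)
    vol.attach(kms)
    vol.write(0, b"secret data")
    key.enabled = False
    io_after_disable = vol.read(0)  # still works: data key is in memory
    vol.detach()
    try:
        vol.attach(kms)
        reattach_failed = False
    except PermissionError:
        reattach_failed = True
    key.enabled = True
    vol.attach(kms)
    return {"io_after_disable": io_after_disable, "reattach_failed": reattach_failed,
            "after_reenable": vol.read(0)}
```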

# Requirements for Amazon EBS encryption
<a name="ebs-encryption-requirements"></a>

Before you begin, verify that the following requirements are met.

**Topics**
+ [Supported volume types](#ebs-encryption-volume-types)
+ [Supported instance types](#ebs-encryption_supported_instances)
+ [Permissions for users](#ebs-encryption-permissions)
+ [Permissions for instances](#ebs-encryption-instance-permissions)

## Supported volume types
<a name="ebs-encryption-volume-types"></a>

Encryption is supported by all EBS volume types. You can expect the same IOPS performance on encrypted volumes as on unencrypted volumes, with a minimal effect on latency. You can access encrypted volumes the same way that you access unencrypted volumes. Encryption and decryption are handled transparently, and they require no additional action from you or your applications.

## Supported instance types
<a name="ebs-encryption_supported_instances"></a>

Amazon EBS encryption is available on all [current generation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#current-gen-instances) and [previous generation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#previous-gen-instances) instance types.

## Permissions for users
<a name="ebs-encryption-permissions"></a>

When you use a KMS key for EBS encryption, the KMS key policy allows any user with access to the required AWS KMS actions to use this KMS key to encrypt or decrypt EBS resources. You must grant users permission to call the following actions in order to use EBS encryption:
+ `kms:CreateGrant`
+ `kms:Decrypt`
+ `kms:DescribeKey`
+ `kms:GenerateDataKeyWithoutPlaintext`
+ `kms:ReEncrypt`

**Tip**  
To follow the principle of least privilege, do not allow full access to `kms:CreateGrant`. Instead, use the `kms:GrantIsForAWSResource` condition key to allow the user to create grants on the KMS key only when the grant is created on the user's behalf by an AWS service, as shown in the following example.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": [
                "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}
```

------

For more information, see [Allows access to the AWS account and enables IAM policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) in the **Default key policy** section in the *AWS Key Management Service Developer Guide*.
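A check for the least-privilege point above, as an added example that is not AWS code: it flags `Allow` statements that grant `kms:CreateGrant` (directly, through a wildcard, or through `NotAction`) without `kms:GrantIsForAWSResource` set to true. The hardened policy is the one shown above; the weak policy and the function names are constructed for this example.

```python
import fnmatch
import json

# The page's hardened statement beside a constructed weak one that omits the
# condition. The key ARN is the page's own example ARN.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:CreateGrant", "kms:Decrypt"],
        "Resource": "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef",
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "kms:CreateGrant",
        "Resource": ["arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"],
        "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}},
    }],
})


def _as_list(value):
    # IAM lets most fields be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _action_covers(pattern, action):
    # IAM action matching is case-insensitive and allows '*' anywhere.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _allows_create_grant(stmt):
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        # Allow-everything-except: grants CreateGrant unless it is excluded.
        return not any(_action_covers(p, "kms:CreateGrant") for p in _as_list(stmt["NotAction"]))
    return any(_action_covers(p, "kms:CreateGrant") for p in _as_list(stmt.get("Action", [])))


def _restricted_to_aws_resource(stmt):
    """True when the statement carries Bool kms:GrantIsForAWSResource = true.
    IAM accepts the JSON boolean or the string "true"; a BoolIfExists
    operator is deliberately not counted as a restriction."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() != "bool":
            continue
        for key, values in keys.items():
            if key.lower() == "kms:grantisforawsresource":
                return [str(v).lower() for v in _as_list(values)] == ["true"]
    return False


def unrestricted_create_grant_statements(policy_json):
    """Indexes of statements that allow kms:CreateGrant without the condition."""
    policy = json.loads(policy_json)
    return [i for i, stmt in enumerate(_as_list(policy["Statement"]))
            if _allows_create_grant(stmt) and not _restricted_to_aws_resource(stmt)]
```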

## Permissions for instances
<a name="ebs-encryption-instance-permissions"></a>

When an instance attempts to interact with an encrypted AMI, volume, or snapshot, a KMS key grant is issued to the instance's identity-only role. The identity-only role is an IAM role that is used by the instance to interact with encrypted AMIs, volumes, or snapshots on your behalf. 

Identity-only roles do not need to be manually created or deleted, and they have no policies associated with them. Additionally, you can't access the identity-only role credentials.

**Note**  
Identity-only roles are not used by applications on your instance to access other AWS KMS encrypted resources, such as Amazon S3 objects or DynamoDB tables. These operations are done using the credentials of an Amazon EC2 instance role, or other AWS credentials that you have configured on your instance.

Identity-only roles are subject to [service control policies](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_scps.html) (SCPs) and [KMS key policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). If an SCP or KMS key policy denies the identity-only role access to a KMS key, launching EC2 instances that use encrypted volumes, encrypted AMIs, or encrypted snapshots can fail.

If you are creating an SCP or key policy that denies access based on network location using the `aws:SourceIp`, `aws:VpcSourceIp`, `aws:SourceVpc`, or `aws:SourceVpce` AWS global condition keys, then you must ensure that these policy statements do not apply to identity-only roles. For example policies, see [Data Perimeter Policy Examples](https://github.com/aws-samples/data-perimeter-policy-examples/tree/main).

Identity-only role ARNs use the following format:

```
arn:aws-partition:iam::account_id:role/aws:ec2-infrastructure/instance_id
```

When a key grant is issued to an instance, the key grant is issued to the assumed-role session specific to that instance. The grantee principal ARN uses the following format:

```
arn:aws-partition:sts::account_id:assumed-role/aws:ec2-infrastructure/instance_id
```
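An added example, not AWS code, that parses the two ARN formats above and checks whether a network-location `Deny` statement would also catch identity-only roles. It assumes the exemption is written as an `ArnNotLike` on `aws:PrincipalArn` matching `arn:*:iam::*:role/aws:ec2-infrastructure/*` (the pattern used in the data perimeter examples linked above), that `aws:PrincipalArn` resolves to the role ARN for the assumed-role session, and that instance IDs are lowercase hex; the sample SCP is constructed and simplified.

```python
import fnmatch
import re

# Identity-only role ARN and its assumed-role session ARN, from the text above.
_ROLE_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}):role/aws:ec2-infrastructure/(?P<instance>i-[0-9a-f]+)$")
_SESSION_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):sts::(?P<account>\d{12}):assumed-role/aws:ec2-infrastructure/(?P<instance>i-[0-9a-f]+)$")

# Global condition keys the text names as network-location controls.
NETWORK_LOCATION_KEYS = {"aws:sourceip", "aws:vpcsourceip", "aws:sourcevpc", "aws:sourcevpce"}

# Constructed SCP: statement 0 lacks the exemption, statement 1 carries it.
NETWORK_PERIMETER_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-0example"}},
        },
        {
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:SourceVpc": "vpc-0example"},
                "ArnNotLike": {"aws:PrincipalArn": "arn:*:iam::*:role/aws:ec2-infrastructure/*"},
            },
        },
    ],
}


def parse_identity_only_arn(arn):
    """Return kind/partition/account/instance for an identity-only role ARN or
    its assumed-role session ARN; None for any other ARN."""
    for kind, pattern in (("role", _ROLE_ARN), ("assumed-role", _SESSION_ARN)):
        match = pattern.match(arn)
        if match:
            return {"kind": kind, **match.groupdict()}
    return None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _uses_network_location(condition):
    return any(key.lower() in NETWORK_LOCATION_KEYS
               for keys in condition.values() for key in keys)


def _exempts_principal(condition, principal_arn):
    """True if a negated ARN/string match on aws:PrincipalArn excludes the
    principal from the Deny. fnmatch approximates IAM's '*' and '?' matching."""
    for operator, keys in condition.items():
        if operator.lower() not in ("arnnotlike", "arnnotequals", "stringnotlike"):
            continue
        for key, values in keys.items():
            if key.lower() == "aws:principalarn" and any(
                    fnmatch.fnmatchcase(principal_arn, p) for p in _as_list(values)):
                return True
    return False


def denies_identity_only_roles(policy, account="123456789012"):
    """Indexes of Deny statements conditioned on network location that would
    also deny the identity-only role of an instance in `account`."""
    sample_role = f"arn:aws:iam::{account}:role/aws:ec2-infrastructure/i-0123456789abcdef0"
    return [i for i, stmt in enumerate(_as_list(policy["Statement"]))
            if stmt.get("Effect") == "Deny"
            and _uses_network_location(stmt.get("Condition", {}))
            and not _exempts_principal(stmt.get("Condition", {}), sample_role)]
```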

# Enable Amazon EBS encryption by default
<a name="encryption-by-default"></a>

You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot. For examples of transitioning from unencrypted to encrypted EBS resources, see [Encrypt unencrypted resources](ebs-encryption.md#encrypt-unencrypted).

Encryption by default has no effect on existing EBS volumes or snapshots.

**Considerations**
+ Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.
+ Amazon EBS encryption by default is supported on all [current generation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#current-gen-instances) and [previous generation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#previous-gen-instances) instance types.
+ If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.

------
#### [ Console ]

**To enable encryption by default for a Region**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. From the navigation bar, select the Region.

1. From the navigation pane, select **EC2 Dashboard**.

1. In the upper-right corner of the page, choose **Account Attributes**, **Data protection and security**.

1. In the **EBS encryption** section, choose **Manage**.

1. Select **Enable**. You can keep the AWS managed key with the alias `aws/ebs` that is created on your behalf as the default encryption key, or choose a symmetric customer managed encryption key.

1. Choose **Update EBS encryption**.

------
#### [ AWS CLI ]

**To view the encryption by default setting**

Use the [get-ebs-encryption-by-default](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-ebs-encryption-by-default.html) command.
+ For a specific Region

  ```
  aws ec2 get-ebs-encryption-by-default --region region
  ```
+ For all Regions in your account

  ```
  echo -e "Region      \t Encrypt \t Key"; \
  echo -e "----------- \t ------- \t -------" ; \
  for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text);
  do
      default=$(aws ec2 get-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text); 
      kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId'); 
      echo -e "$region \t $default \t\t $kms_key"; 
  done
  ```

**To enable encryption by default**

Use the [enable-ebs-encryption-by-default](https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-ebs-encryption-by-default.html) command.
+ For a specific Region

  ```
  aws ec2 enable-ebs-encryption-by-default --region region
  ```
+ For all Regions in your account

  ```
  echo -e "Region      \t Encrypt \t Key"; \
  echo -e "----------- \t ------- \t -------" ; \
  for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); 
  do
      default=$(aws ec2 enable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text); 
      kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId'); 
      echo -e "$region \t $default \t\t $kms_key"; 
  done
  ```

**To disable encryption by default**

Use the [disable-ebs-encryption-by-default](https://docs.aws.amazon.com/cli/latest/reference/ec2/disable-ebs-encryption-by-default.html) command.
+ For a specific Region

  ```
  aws ec2 disable-ebs-encryption-by-default --region region
  ```
+ For all Regions in your account

  ```
  echo -e "Region      \t Encrypt \t Key"; \
  echo -e "----------- \t ------- \t -------" ; \
  for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); 
  do
      default=$(aws ec2 disable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text); 
      kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId'); 
      echo -e "$region \t $default \t\t $kms_key"; 
  done
  ```

------
#### [ PowerShell ]

**To view the encryption by default setting**

Use the [Get-EC2EbsEncryptionByDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2EbsEncryptionByDefault.html) cmdlet.
+ For a specific Region

  ```
  Get-EC2EbsEncryptionByDefault -Region region
  ```
+ For all Regions in your account

  ```
  (Get-EC2Region).RegionName |
      ForEach-Object {
      [PSCustomObject]@{ 
          Region                    = $_
          EC2EbsEncryptionByDefault = Get-EC2EbsEncryptionByDefault -Region $_
          EC2EbsDefaultKmsKeyId     = Get-EC2EbsDefaultKmsKeyId -Region $_ 
      } } |
      Format-Table -AutoSize
  ```

**To enable encryption by default**

Use the [Enable-EC2EbsEncryptionByDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Enable-EC2EbsEncryptionByDefault.html) cmdlet.
+ For a specific Region

  ```
  Enable-EC2EbsEncryptionByDefault -Region region
  ```
+ For all Regions in your account

  ```
  (Get-EC2Region).RegionName |
      ForEach-Object { 
      [PSCustomObject]@{
          Region                    = $_
          EC2EbsEncryptionByDefault = Enable-EC2EbsEncryptionByDefault -Region $_
          EC2EbsDefaultKmsKeyId     = Get-EC2EbsDefaultKmsKeyId -Region $_ 
      } } |
      Format-Table -AutoSize
  ```

**To disable encryption by default**

Use the [Disable-EC2EbsEncryptionByDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Disable-EC2EbsEncryptionByDefault.html) cmdlet.
+ For a specific Region

  ```
  Disable-EC2EbsEncryptionByDefault -Region region
  ```
+ For all Regions in your account

  ```
  (Get-EC2Region).RegionName |
      ForEach-Object { 
      [PSCustomObject]@{
          Region                    = $_
          EC2EbsEncryptionByDefault = Disable-EC2EbsEncryptionByDefault -Region $_
          EC2EbsDefaultKmsKeyId     = Get-EC2EbsDefaultKmsKeyId -Region $_ 
      } } |
      Format-Table -AutoSize
  ```

------

You can't change the KMS key that is associated with an existing snapshot or encrypted volume. However, you can associate a different KMS key during a snapshot copy operation so that the resulting copied snapshot is encrypted by the new KMS key.

## Encrypt EBS resources
<a name="encryption-parameters"></a>

You encrypt EBS volumes by enabling encryption, either using [encryption by default](encryption-by-default.md) or by enabling encryption when you create a volume that you want to encrypt.

When you encrypt a volume, you can specify the symmetric encryption KMS key to use to encrypt the volume. If you do not specify a KMS key, the KMS key that is used for encryption depends on the encryption state of the source snapshot and its ownership. For more information, see the [encryption outcomes table](encryption-examples.md#ebs-volume-encryption-outcomes).

**Note**  
If you are using the API or AWS CLI to specify a KMS key, be aware that AWS authenticates the KMS key asynchronously. If you specify a KMS key ID, an alias, or an ARN that is not valid, the action can appear to complete, but it eventually fails.

You cannot change the KMS key that is associated with an existing snapshot or volume. However, you can associate a different KMS key during a snapshot copy operation so that the resulting copied snapshot is encrypted by the new KMS key.

### Encrypt an empty volume on creation
<a name="new-encrypted-volumes"></a>

When you create a new, empty EBS volume, you can encrypt it by enabling encryption for the specific volume creation operation. If you enabled EBS encryption by default, the volume is automatically encrypted using your default KMS key for EBS encryption. Alternatively, you can specify a different symmetric encryption KMS key for the specific volume creation operation. The volume is encrypted by the time it is first available, so your data is always secured. For detailed procedures, see [Create an Amazon EBS volume](ebs-creating-volume.md).

By default, the KMS key that you selected when creating a volume encrypts the snapshots that you make from the volume and the volumes that you restore from those encrypted snapshots. You cannot remove encryption from an encrypted volume or snapshot, which means that a volume restored from an encrypted snapshot, or a copy of an encrypted snapshot, is always encrypted.

Public snapshots of encrypted volumes are not supported, but you can share an encrypted snapshot with specific accounts. For detailed directions, see [Share an Amazon EBS snapshot with other AWS accounts](ebs-modifying-snapshot-permissions.md).

### Encrypt unencrypted resources
<a name="encrypt-unencrypted"></a>

You can't directly encrypt existing unencrypted volumes or snapshots.

To encrypt an unencrypted volume, create a snapshot of that volume, and then use the snapshot to create a new encrypted volume. For more information, see [Create snapshots](ebs-create-snapshot.md) and [Create a volume](ebs-creating-volume.md).

To encrypt an unencrypted snapshot, create an encrypted copy of that snapshot. For more information, see [Copy a snapshot](ebs-copy-snapshot.md).

If you enable your account for encryption by default, volumes and snapshot copies created from unencrypted snapshots are always encrypted. Otherwise, you must specify the encryption parameters in the request. For more information, see [Enable encryption by default](encryption-by-default.md).

# Rotate AWS KMS keys used for Amazon EBS encryption
<a name="kms-key-rotation"></a>

Cryptographic best practices discourage extensive reuse of encryption keys.

To create new cryptographic material for use with Amazon EBS encryption, you can either create a new customer managed key and then change your applications to use that new KMS key, or enable automatic key rotation for an existing customer managed key.

When you enable automatic key rotation for a customer managed key, AWS KMS generates new cryptographic material for the KMS key every year. AWS KMS saves all previous versions of the cryptographic material so that you can continue to decrypt and use volumes and snapshots previously encrypted with that KMS key material. AWS KMS does not delete any rotated key material until you delete the KMS key.

When you use a rotated customer managed key to encrypt a new volume or snapshot, AWS KMS uses the current (new) key material. When you use a rotated customer managed key to decrypt a volume or snapshot, AWS KMS uses the version of the cryptographic material that was used to encrypt it. If a volume or snapshot is encrypted with a previous version of the cryptographic material, AWS KMS continues to use that previous version to decrypt it. AWS KMS does not re-encrypt previously encrypted volumes or snapshots to use the new cryptographic material after a key rotation. They remain encrypted with the cryptographic material with which they were originally encrypted. You can safely use a rotated customer managed key in applications and AWS services without code changes.

**Note**  
Automatic key rotation is supported only for symmetric customer managed keys with key material that AWS KMS creates.
AWS KMS automatically rotates AWS managed keys every year. You can't enable or disable key rotation for AWS managed keys.

For more information, see [Rotating KMS keys](https://docs.aws.amazon.com//kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works) in the *AWS Key Management Service Developer Guide*.

# Amazon EBS encryption examples
<a name="encryption-examples"></a>

When you create an encrypted EBS resource, it is encrypted by your account's default KMS key for EBS encryption unless you specify a different customer managed key in the volume creation parameters or the block device mapping for the AMI or instance.

The following examples illustrate how you can manage the encryption state of your volumes and snapshots. For a full list of encryption cases, see the [encryption outcomes table](#ebs-volume-encryption-outcomes).

**Topics**
+ [Restore an unencrypted volume (encryption by default not enabled)](#volume-account-off)
+ [Restore an unencrypted volume (encryption by default enabled)](#volume-account-on)
+ [Copy an unencrypted snapshot (encryption by default not enabled)](#snapshot-account-off)
+ [Copy an unencrypted snapshot (encryption by default enabled)](#snapshot-account-on)
+ [Re-encrypt an encrypted volume](#reencrypt-volume)
+ [Re-encrypt an encrypted snapshot](#reencrypt-snapshot)
+ [Migrate data between encrypted and unencrypted volumes](#migrate-data-encrypted-unencrypted)
+ [Encryption outcomes](#ebs-volume-encryption-outcomes)

## Restore an unencrypted volume (encryption by default not enabled)
<a name="volume-account-off"></a>

Without encryption by default enabled, a volume restored from an unencrypted snapshot is unencrypted by default. However, you can encrypt the resulting volume by setting the `Encrypted` parameter and, optionally, the `KmsKeyId` parameter. The following diagram illustrates the process.

![When you create a volume from an unencrypted snapshot, specify a KMS key to create an encrypted volume.](http://docs.aws.amazon.com/ebs/latest/userguide/images/volume-encrypt-account-off.png)


If you leave out the `KmsKeyId` parameter, the resulting volume is encrypted using your default KMS key for EBS encryption. You must specify a KMS key ID to encrypt the volume to a different KMS key.

For more information, see [Create an Amazon EBS volume](ebs-creating-volume.md).

## Restore an unencrypted volume (encryption by default enabled)
<a name="volume-account-on"></a>

When you have enabled encryption by default, encryption is mandatory for volumes restored from unencrypted snapshots, and no encryption parameters are required for your default KMS key to be used. The following diagram shows this simple default case:

![When you create a volume from an unencrypted snapshot but encryption by default is enabled, we use the default KMS key to create an encrypted volume.](http://docs.aws.amazon.com/ebs/latest/userguide/images/volume-encrypt-account-on.png)


If you want to encrypt the restored volume to a symmetric customer managed encryption key, you must supply both the `Encrypted` and `KmsKeyId` parameters as shown in [Restore an unencrypted volume (encryption by default not enabled)](#volume-account-off).

## Copy an unencrypted snapshot (encryption by default not enabled)
<a name="snapshot-account-off"></a>

Without encryption by default enabled, a copy of an unencrypted snapshot is unencrypted by default. However, you can encrypt the resulting snapshot by setting the `Encrypted` parameter and, optionally, the `KmsKeyId` parameter. If you omit `KmsKeyId`, the resulting snapshot is encrypted by your default KMS key. You must specify a KMS key ID to encrypt the volume to a different symmetric encryption KMS key.

The following diagram illustrates the process.

![Create an encrypted snapshot from an unencrypted snapshot.](http://docs.aws.amazon.com/ebs/latest/userguide/images/snapshot-encrypt-account-off.png)


You can encrypt an EBS volume by copying an unencrypted snapshot to an encrypted snapshot and then creating a volume from the encrypted snapshot. For more information, see [Copy an Amazon EBS snapshot](ebs-copy-snapshot.md).

## Copy an unencrypted snapshot (encryption by default enabled)
<a name="snapshot-account-on"></a>

When you have enabled encryption by default, encryption is mandatory for copies of unencrypted snapshots, and no encryption parameters are required if your default KMS key is used. The following diagram illustrates this default case:

![Create an encrypted snapshot from an unencrypted snapshot.](http://docs.aws.amazon.com/ebs/latest/userguide/images/snapshot-encrypt-account-on.png)


## Re-encrypt an encrypted volume
<a name="reencrypt-volume"></a>

When the `CreateVolume` action operates on an encrypted snapshot, you have the option of re-encrypting it with a different KMS key. The following diagram illustrates the process. In this example, you own two KMS keys, KMS key A and KMS key B. The source snapshot is encrypted by KMS key A. During volume creation, with the KMS key ID of KMS key B specified as a parameter, the source data is automatically decrypted, then re-encrypted by KMS key B.

![Copy an encrypted snapshot and encrypt the copy to a new KMS key.](http://docs.aws.amazon.com/ebs/latest/userguide/images/volume-reencrypt.png)


For more information, see [Create an Amazon EBS volume](ebs-creating-volume.md).

## Re-encrypt an encrypted snapshot
<a name="reencrypt-snapshot"></a>

The ability to encrypt a snapshot during copying allows you to apply a new symmetric encryption KMS key to an already-encrypted snapshot that you own. Volumes restored from the resulting copy are only accessible using the new KMS key. The following diagram illustrates the process. In this example, you own two KMS keys, KMS key A and KMS key B. The source snapshot is encrypted by KMS key A. During copy, with the KMS key ID of KMS key B specified as a parameter, the source data is automatically re-encrypted by KMS key B.

![Copy an encrypted snapshot and encrypt the copy to a new KMS key.](http://docs.aws.amazon.com/ebs/latest/userguide/images/snap-reencrypt.png)


In a related scenario, you can choose to apply new encryption parameters to a copy of a snapshot that has been shared with you. By default, the copy is encrypted with a KMS key shared by the snapshot's owner. However, we recommend that you create a copy of the shared snapshot using a different KMS key that you control. This protects your access to the volume if the original KMS key is compromised, or if the owner revokes the KMS key for any reason. For more information, see [Encryption and snapshot copying](ebs-copy-snapshot.md#creating-encrypted-snapshots).

## Migrate data between encrypted and unencrypted volumes
<a name="migrate-data-encrypted-unencrypted"></a>

When you have access to both an encrypted and unencrypted volume, you can freely transfer data between them. EC2 carries out the encryption and decryption operations transparently.

### Linux instances
<a name="migrate-data-encrypted-unencrypted-lin"></a>

For example, use the **rsync** command to copy the data. In the following command, the source data is located in `/mnt/source` and the destination volume is mounted at `/mnt/destination`.

```
[ec2-user ~]$ sudo rsync -avh --progress /mnt/source/ /mnt/destination/
```

### Windows instances
<a name="migrate-data-encrypted-unencrypted-win"></a>

For example, use the **robocopy** command to copy the data. In the following command, the source data is located in `D:\` and the destination volume is mounted at `E:\`.

```
PS C:\> robocopy D:\sourcefolder E:\destinationfolder /e /copyall /eta
```

We recommend using folders rather than copying an entire volume, as this avoids potential problems with hidden folders.

## Encryption outcomes
<a name="ebs-volume-encryption-outcomes"></a>

The following table describes the encryption outcome for each possible combination of settings.

[See the AWS documentation website for the encryption outcomes table](http://docs.aws.amazon.com/ebs/latest/userguide/encryption-examples.html)

\* This is the default customer managed key used for EBS encryption for the AWS account and Region. By default this is a unique AWS managed key for EBS, or you can specify a customer managed key.

\*\* This is a customer managed key specified for the volume at launch time. This customer managed key is used instead of the default customer managed key for the AWS account and Region.