With Amazon EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure.
Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMK) when creating encrypted volumes and snapshots.
Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.
You can attach both encrypted and unencrypted volumes to an instance simultaneously.
Snapshots of encrypted volumes are encrypted.
How does EBS encryption work?
You can encrypt both the boot and data volumes of an EC2 instance.
EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm.
Your data key is stored on-disk with your encrypted data, but not before EBS encrypts it with your CMK.
Your data key never appears on disk in plaintext.
The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots.
Encrypting unencrypted volumes
There is no direct way to encrypt an existing unencrypted volume or snapshot.
However, you can do the following:
1. Create a snapshot of the unencrypted volume.
2. Encrypt the snapshot (using copy).
3. Restore an EBS volume from the encrypted snapshot.
4. Attach the encrypted volume to the EC2 instance.