EBS encryption provides transparent AES-256 encryption for data at rest on EBS volumes, data in transit between the volume and the EC2 instance, all snapshots taken from the volume, and all volumes created from those snapshots. Each volume gets its own data key, which AWS KMS generates and wraps under a KMS key; the wrapped data key is stored with the volume, so whoever controls the KMS key controls who can read the volume. Performance impact is minimal.
EBS encryption is a fully managed, transparent encryption solution. Once enabled, encryption and decryption happen automatically, and neither the application nor the guest OS needs to change. The KMS key itself never leaves KMS: when a volume is attached, EC2 asks KMS to unwrap the volume's data key, and the plaintext data key lives only in memory on the host that runs the instance, where all bulk encryption takes place (offloaded to Nitro hardware on Nitro instances), so the performance cost is near zero. Every use of the key is recorded in CloudTrail.
Data at rest — all data stored on the EBS volume is encrypted on disk
Data in transit — data moving between the EC2 instance and the EBS volume over the internal AWS network is encrypted
Snapshots — all snapshots taken from an encrypted volume are automatically encrypted
New volumes from snapshots — volumes created from an encrypted snapshot are automatically encrypted
Cross-account shared snapshots — encryption is preserved when sharing encrypted snapshots. Only snapshots encrypted with a customer-managed key can be shared at all: snapshots under the AWS-managed aws/ebs key cannot be shared with other accounts, and encrypted snapshots can never be made public
AWS-managed key (aws/ebs) — default KMS key managed by AWS, no additional cost for key storage
Customer-managed key (CMK) — your own symmetric KMS key in the same Region as the volume, giving you control over the key policy (who may use the key, including other accounts), rotation, and CloudTrail auditing of every use. Standard KMS key cost applies.
Key rotation — AWS-managed keys are rotated automatically every year. Customer-managed keys can be set to auto-rotate (annually by default) or rotated manually by creating a new key and repointing the alias. Rotation only changes the key material used for new operations; KMS keeps the old material, so existing volumes stay readable and are not re-encrypted. To move a volume onto a different KMS key, copy its snapshot under the new key and recreate the volume.
You CANNOT encrypt an existing unencrypted volume in place. Instead: take a snapshot → copy the snapshot with encryption enabled (choosing the KMS key) → create a new encrypted volume from the encrypted copy → detach the old volume and attach the new one (stop the instance first if it is the root volume). The copy step can be skipped by creating the volume directly from the unencrypted snapshot with encryption turned on; either way the data is rewritten, so plan for the downtime. Delete the unencrypted intermediate snapshot afterwards, since it still holds the plaintext
You CANNOT turn off encryption on an encrypted volume or snapshot; the only way to get an unencrypted copy is to copy the data at the OS level onto an unencrypted volume
Encrypted snapshots can be shared with specific accounts, but the recipient must be granted use of the customer-managed KMS key in its key policy (kms:DescribeKey, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, plus kms:CreateGrant so EC2 can attach volumes made from it). The recipient should copy the snapshot under a key it owns so its volumes do not depend on the source account keeping that key policy in place
Enable encryption by default so every new volume, restored snapshot and snapshot copy is automatically encrypted. It is a per-Region, per-account setting (not global), it does not touch existing volumes, and you can choose which KMS key it uses instead of aws/ebs
Encrypted volumes deliver the same IOPS as unencrypted ones with at most a small latency cost; on Nitro-based EC2 instances the AES-256 work is offloaded to dedicated Nitro hardware rather than the instance's vCPUs
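The three procedures above (the snapshot-copy migration, turning on encryption by default for a Region, and granting a recipient account use of the key behind a shared snapshot) as an added boto3 example. This is not code from the original notes or from AWS; it assumes the caller supplies a boto3 EC2 client (boto3.client("ec2", region_name=...)), the account ids and key ARNs are placeholders, and the statement Sids are just labels. The two key-policy statements are the "key users" statements AWS documents for sharing encrypted snapshots.

```python
"""EBS encryption helpers: migrate an unencrypted volume to an encrypted one,
enable encryption by default for the client's Region, and build the KMS
key-policy statements a recipient account needs before a shared encrypted
snapshot is usable there. AWS calls go through a boto3 EC2 client passed in by
the caller, so the pure helpers can be exercised without credentials."""
import json


def snapshot_is_shareable(snapshot, aws_managed_ebs_key_arn):
    """True if `snapshot` (one DescribeSnapshots item) can be shared with another
    account: unencrypted snapshots and snapshots under a customer-managed key can,
    a snapshot under the AWS-managed aws/ebs key cannot, because no other account
    can ever be granted use of that key. The aws/ebs key ARN comes from
    kms.describe_key(KeyId="alias/aws/ebs")."""
    if not snapshot.get("Encrypted"):
        return True
    return snapshot.get("KmsKeyId") != aws_managed_ebs_key_arn


def sharing_key_policy_statements(recipient_account_id):
    """Key-policy statements for the customer-managed key that encrypts a shared
    snapshot (assumed hypothetical account id). The first lets the recipient
    unwrap/re-wrap the data key; the second lets EC2 in the recipient account
    create grants on the key, which it does when it attaches volumes created from
    the snapshot. Merge them into the existing policy, keeping the owner's admin
    statement."""
    principal = {"AWS": "arn:aws:iam::%s:root" % recipient_account_id}
    return [
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Principal": principal,
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {
            "Sid": "AllowAttachmentOfPersistentResources",
            "Effect": "Allow",
            "Principal": principal,
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ]


def enable_encryption_by_default(ec2, kms_key_id=None):
    """Turn on encryption by default in the client's Region (the setting is
    per Region, per account); optionally make `kms_key_id` (id, ARN or alias)
    the default key instead of aws/ebs. Returns the resulting flag."""
    ec2.enable_ebs_encryption_by_default()
    if kms_key_id:
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)
    return ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]


def encrypt_volume_via_snapshot(ec2, volume_id, kms_key_id):
    """Snapshot -> encrypted snapshot copy -> new encrypted volume in the same AZ
    and of the same type. Returns the ids so the caller can stop the instance,
    swap the volumes and delete the old one. The unencrypted intermediate
    snapshot is deleted because it still holds plaintext."""
    src = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    snap_id = ec2.create_snapshot(
        VolumeId=volume_id, Description="unencrypted source of " + volume_id)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])
    copy_id = ec2.copy_snapshot(
        SourceRegion=ec2.meta.region_name, SourceSnapshotId=snap_id,
        Encrypted=True, KmsKeyId=kms_key_id,
        Description="encrypted copy of " + volume_id)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy_id])
    # io1/io2 require an explicit IOPS value; other types take their defaults
    extra = {"Iops": src["Iops"]} if src["VolumeType"] in ("io1", "io2") else {}
    new_id = ec2.create_volume(
        SnapshotId=copy_id, AvailabilityZone=src["AvailabilityZone"],
        VolumeType=src["VolumeType"], Encrypted=True, KmsKeyId=kms_key_id,
        **extra)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])
    ec2.delete_snapshot(SnapshotId=snap_id)
    return {"old_volume": volume_id, "encrypted_snapshot": copy_id, "new_volume": new_id}


if __name__ == "__main__":
    # Offline demo: print the statements for a placeholder recipient account.
    # The AWS-calling helpers need e.g. boto3.client("ec2", region_name="us-east-1").
    print(json.dumps(sharing_key_policy_statements("111122223333"), indent=2))
```

The waiters are what make the migration safe to script: CopySnapshot and CreateVolume both reject a snapshot that is still pending, and the old snapshot must not be deleted before the copy has finished reading it. Run snapshot_is_shareable over describe_snapshots output before trying modify_snapshot_attribute, since sharing an aws/ebs-encrypted snapshot fails only at that point.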