
How do I unencrypt an encrypted EBS volume in Linux?


I want to unencrypt an Amazon Elastic Block Store (Amazon EBS) volume in Linux that I encrypted with a default or custom AWS Key Management Service (AWS KMS) key.

Resolution

Note: The following resolution uses a root volume as an example. You can also perform the following steps on a secondary volume.

To unencrypt your Amazon EBS volume, complete the following steps:

  1. Create a snapshot of the encrypted root volume, or create an Amazon Machine Image (AMI) of the instance with the encrypted volume.
    Note: It's a best practice to use snapshots and AMIs to back up your resources before you perform any major tasks.

  2. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

  3. Stop the instance with the encrypted root volume.

  4. On the Storage tab, note your root device's name, and then choose Volume ID.
    Note: The root device differs by AMI.

  5. Choose Actions, and then select Detach volume.

  6. Choose Detach, and then note the Availability Zone.

  7. Launch a rescue instance in the same Availability Zone as the original instance.
    Note: Use a similar operating system (OS) to the one that you used to launch the original instance.

  8. Choose Volumes, and then select the encrypted root volume.

  9. Choose Actions, and then choose Attach volume.

  10. For Instance, select the rescue instance ID.

  11. For Device name, choose /dev/xvdf or /dev/sdf.

  12. Create a new unencrypted volume in the same Availability Zone as the original encrypted volume.
    Important: To avoid data loss, confirm that your new volume size is larger than the size of the encrypted volume.

  13. Attach the new unencrypted volume to the rescue instance as /dev/xvdg or /dev/sdg.

  14. Connect to the rescue instance. Then, run the lsblk command to confirm that the root device and the attached volumes exist:

    lsblk

    Example output:

    NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    xvda    202:0    0   8G  0 disk
    └─xvda1 202:1    0   8G  0 part /
    xvdf    202:80   0   8G  0 disk
    └─xvdf1 202:81   0   8G  0 part
    xvdg    202:96   0   8G  0 disk

  15. To move the data from the original encrypted volume to the new unencrypted volume, run the dd command as a sudo or root user:

    dd if=/dev/xvdf of=/dev/xvdg bs=4096 status=progress

    Note: In the preceding command, the input file is /dev/xvdf and the output file is /dev/xvdg. The data transfer time varies based on the size and type of the volume and instance.

  16. Detach the new unencrypted /dev/xvdg volume from the rescue instance. Then, attach it to the original instance as /dev/xvda or /dev/sda1.

  17. Connect to the original instance to confirm that the instance reads the new unencrypted root volume.

  18. From the Amazon EC2 console, select the original instance, and then view the volume's properties to confirm that the root volume is unencrypted.
    Note: You might need to reboot or stop and start the instance to register the partition changes to the kernel.

  19. Repeat the process for other encrypted volumes on the original instance to create cloned volumes that are unencrypted.

  20. Terminate the rescue instance.
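As an added example that is not part of the AWS article, the shell function below wraps the dd clone from step 15 with the size precondition from step 12 (refuse to copy if the destination is smaller than the source) and a post-copy SHA-256 comparison of the two devices, so you have evidence that the unencrypted clone is byte-identical before detaching it. The device paths are parameters; /dev/xvdf and /dev/xvdg are only the names the article uses, and the function also accepts regular files so it can be exercised on loopback-style image files without real volumes. It assumes GNU coreutils on Linux (blockdev, stat -c, head -c, sha256sum).

```shell
#!/bin/sh
# Added example (not from the AWS article): clone a block device with dd and
# verify the result. Usage: clone_and_verify /dev/xvdf /dev/xvdg
# (run as root when the arguments are block devices).

# Size in bytes of a block device, or of a regular file when testing.
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        stat -c %s "$1"
    fi
}

# clone_and_verify SRC DST
#   returns 0 when DST holds a byte-identical copy of SRC,
#   2 when DST is smaller than SRC (no copy is attempted),
#   1 on a dd or size lookup error, 3 when the checksums differ.
clone_and_verify() {
    src=$1
    dst=$2
    src_bytes=$(byte_size "$src") || return 1
    dst_bytes=$(byte_size "$dst") || return 1

    # Step 12's precondition: the new volume must not be smaller than the old one.
    if [ "$dst_bytes" -lt "$src_bytes" ]; then
        echo "refusing: destination ($dst_bytes bytes) is smaller than source ($src_bytes bytes)" >&2
        return 2
    fi

    # Step 15's copy, with the same block size and progress flag as the article.
    dd if="$src" of="$dst" bs=4096 status=progress || return 1
    sync

    # Hash the source, and the first src_bytes of the (possibly larger) destination.
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    dst_sum=$(head -c "$src_bytes" "$dst" | sha256sum | cut -d' ' -f1)
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "verification FAILED: source $src_sum, destination $dst_sum" >&2
        return 3
    fi
    echo "verified: $src_bytes bytes identical, sha256 $src_sum"
    return 0
}

# Only act when two device paths are given on the command line.
if [ "$#" -eq 2 ]; then
    clone_and_verify "$1" "$2"
fi
```

The hash step reads both devices in full a second time, so on a large volume it roughly doubles the runtime of step 15; the trade-off is a concrete check that the clone completed before the original encrypted volume is detached or deleted. Hashing only the first src_bytes of the destination matters because the article requires the new volume to be larger, and the trailing unused bytes would otherwise make the checksums differ.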

AWS OFFICIAL. Updated a month ago
2 Comments

Accurate instructions for the procedure, which worked well for me, but I think the navigation of the console and locations of items has changed since the article was published.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR, replied a year ago