EKS – Encrypt current PV (EBS Volume)

The answer was taken from gitmemory

In order to encrypt an already created EBS Volume, you need to take a snapshot of it. Then, from the created snapshot, create a disk in the same region as the original one, and also specify the KMS key for encryption.

Then we save the manifest of the current PV to a file:

kubectl get pv <PV_NAME> -o yaml > /tmp/pv.yaml


We edit the file, replacing the ID of the original disk with the encrypted one.

Then apply the changes:

kubectl replace --cascade=false --force -f /tmp/pv.yaml


The previous command will “get stuck” on execution, as the “finalizers” parameter prevents it, so in the next tab we do the following:

kubectl edit pv <PV_NAME>


Find and remove the following:

  - kubernetes.io/pv-protection


We save the changes, after which the command in the previous tab should work successfully.


After that, patch the PVC to which this PV belongs:

kubectl patch pvc <PVC_NAME> -p '{"metadata":{"finalizers": []}}' --type=merge


Now all that’s left is to delete the pod that the PV is mounted to and make sure it is re-created with the new PV mounted. Also, do not forget about the rights to use KMS keys for the IAM role, which is attached to EKS nodes.

Tagged: Tags

Notify of

Inline Feedbacks
View all comments