The answer was taken from gitmemory
To encrypt an existing EBS volume, first take a snapshot of it. Then create a new volume from that snapshot in the same region as the original, specifying the KMS key to use for encryption.
Then we save the manifest of the current PV to a file:
kubectl get pv <PV_NAME> -o yaml > /tmp/pv.yaml
We edit the file, replacing the ID of the original volume with the ID of the encrypted one.
Then apply the changes:
kubectl replace --cascade=false --force -f /tmp/pv.yaml
The previous command will hang during execution, because the "finalizers" field on the PV blocks it, so in another terminal tab we run the following:
kubectl edit pv <PV_NAME>
Find and remove the following:
finalizers:
- kubernetes.io/pv-protection
We save the changes, after which the command in the previous tab should complete successfully.
After that, patch the PVC to which this PV belongs:
kubectl patch pvc <PVC_NAME> -p '{"metadata":{"finalizers": []}}' --type=merge
Now all that’s left is to delete the pod that the PV is mounted to and make sure it is re-created with the new PV mounted. Also make sure the IAM role attached to the EKS nodes has permission to use the KMS key.
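The snapshot, encrypted-copy and manifest-edit steps above as a script, added here as an example and not part of the original answer. The function names, the sample manifest and all volume IDs are constructed; it assumes a configured AWS CLI and creates the copy in the original volume's Availability Zone.

```shell
#!/usr/bin/env bash
# Added example; function names, the sample manifest and all IDs are constructed.

# Snapshot the volume and create an encrypted copy in the same Availability Zone
# (EBS volumes attach only within their own AZ). Needs AWS CLI credentials.
create_encrypted_copy() {  # <old-vol-id> <kms-key-id>; prints the new volume ID
  local old="$1" key="$2" az snap new enc
  az=$(aws ec2 describe-volumes --volume-ids "$old" \
        --query 'Volumes[0].AvailabilityZone' --output text) || return 1
  snap=$(aws ec2 create-snapshot --volume-id "$old" \
        --query SnapshotId --output text) || return 1
  aws ec2 wait snapshot-completed --snapshot-ids "$snap" || return 1
  new=$(aws ec2 create-volume --snapshot-id "$snap" --availability-zone "$az" \
        --encrypted --kms-key-id "$key" --query VolumeId --output text) || return 1
  # Stop here unless EC2 itself reports the copy as encrypted.
  enc=$(aws ec2 describe-volumes --volume-ids "$new" \
        --query 'Volumes[0].Encrypted' --output json) || return 1
  [ "$enc" = "true" ] || return 1
  echo "$new"
}

is_vol_id() {  # accepts vol- followed by lowercase hex only
  case "$1" in vol-|vol-*[!0-9a-f]*) return 1 ;; vol-*) return 0 ;; *) return 1 ;; esac
}

# Point the saved PV manifest at the encrypted volume; keeps <file>.bak.
swap_volume_id() {  # <pv.yaml> <old-vol-id> <new-vol-id>
  local file="$1" old="$2" new="$3"
  is_vol_id "$old" && is_vol_id "$new" && [ "$old" != "$new" ] || return 2
  grep -qw -- "$old" "$file" || return 3   # old ID must be present as a whole ID
  sed -E -i.bak "s/${old}([^0-9a-f]|\$)/${new}\\1/g" "$file"
  ! grep -qw -- "$old" "$file"              # and gone afterwards
}

# Demo on a constructed in-tree PV manifest fragment (runs offline).
demo=$(mktemp)
printf '%s\n' 'spec:' '  awsElasticBlockStore:' '    fsType: ext4' \
  '    volumeID: aws://us-east-1a/vol-0aaa1111bbbb2222c' > "$demo"
swap_volume_id "$demo" vol-0aaa1111bbbb2222c vol-0ddd3333eeee4444f && grep volumeID "$demo"
rm -f "$demo" "$demo.bak"
```

Run `swap_volume_id` on `/tmp/pv.yaml` before the `kubectl replace` step; the `.bak` copy keeps the original manifest for rollback.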