I am trying to create an EC2 instance (running Windows Server 2012 R2) with an encrypted EBS volume. I am using OpsWorks and there doesn't seem to be an option to create an EC2 instance with an encrypted volume. I am wondering if there is a way to do this without going through the process of creating a blank, encrypted volume, attaching it to the instance, and then copying everything over to the encrypted volume. I would prefer to not have to do that as it does not seem like a simple process.
Amazon Elastic Block Store (EBS) does not currently offer encryption for boot volumes.
From the EBS Encryption documentation page:
"Encrypted boot volumes are not supported at this time."
So, it's not related specifically to OpsWorks; it applies to EBS as a whole.
This is possibly because snapshots would also be encrypted, so it would not be possible to create an AMI (since it uses a snapshot and would therefore be encrypted, too).
It is theoretically possible to create an encrypted boot volume by creating a blank encrypted volume, copying all the contents to the new volume and then attaching it as a boot volume. However, this would disallow use of an AMI.