Channel: Active questions tagged amazon-ec2 - Stack Overflow

Is AWS EBS volume encryption always driven by EC2?


For a brand new EBS volume that has encryption enabled and is connected to an EC2 instance, the EC2 instance will use the plaintext data key in hypervisor memory to encrypt disk I/O to the volume. This means all data in transit and written on EBS is encrypted. The data encryption process is driven from the EC2 instance in this case.

When an encrypted snapshot is created from an unencrypted snapshot, who is driving the encryption process? There is no EC2 instance involved at all driving encryption. Is it EBS itself driving the encryption in this case?

Similar to EC2 using the data key to encrypt disk I/O to the volume, I wanted to know if the EBS service ever uses the stored (encrypted) data key for encrypting / decrypting or for anything else?

