diff --git a/pkg/model/awsmodel/spotinst.go b/pkg/model/awsmodel/spotinst.go
index 102fa4c530..8c88f49f26 100644
--- a/pkg/model/awsmodel/spotinst.go
+++ b/pkg/model/awsmodel/spotinst.go
@@ -712,6 +712,13 @@ func (b *SpotInstanceGroupModelBuilder) buildRootVolumeOpts(ig *kops.InstanceGro
 		}
 	}
 
+	// Encryption.
+	{
+		if fi.BoolValue(ig.Spec.RootVolumeEncryption) {
+			opts.Encryption = ig.Spec.RootVolumeEncryption
+		}
+	}
+
 	// Size.
 	{
 		size := fi.Int32Value(ig.Spec.RootVolumeSize)
diff --git a/upup/pkg/fi/cloudup/spotinsttasks/elastigroup.go b/upup/pkg/fi/cloudup/spotinsttasks/elastigroup.go
index c0bb502dfb..ab0af7ee21 100644
--- a/upup/pkg/fi/cloudup/spotinsttasks/elastigroup.go
+++ b/upup/pkg/fi/cloudup/spotinsttasks/elastigroup.go
@@ -79,6 +79,7 @@ type RootVolumeOpts struct {
 	IOPS         *int64
 	Throughput   *int64
 	Optimization *bool
+	Encryption   *bool
 }
 
 type AutoScalerOpts struct {
@@ -306,6 +307,9 @@ func (e *Elastigroup) Find(c *fi.Context) (*Elastigroup, error) {
 						if b.EBS.Throughput != nil {
 							actual.RootVolumeOpts.Throughput = fi.Int64(int64(fi.IntValue(b.EBS.Throughput)))
 						}
+						if b.EBS.Encrypted != nil {
+							actual.RootVolumeOpts.Encryption = b.EBS.Encrypted
+						}
 					}
 				}
 			}
@@ -1394,6 +1398,7 @@ type terraformElastigroupBlockDevice struct {
 	VolumeSize          *int64  `cty:"volume_size"`
 	VolumeIOPS          *int64  `cty:"iops"`
 	VolumeThroughput    *int64  `cty:"throughput"`
+	Encrypted           *bool   `cty:"encrypted"`
 	DeleteOnTermination *bool   `cty:"delete_on_termination"`
 }
 
@@ -1594,6 +1599,7 @@ func (_ *Elastigroup) RenderTerraform(t *terraform.TerraformTarget, a, e, change
 					VolumeSize:          rootDevice.EbsVolumeSize,
 					VolumeIOPS:          rootDevice.EbsVolumeIops,
 					VolumeThroughput:    rootDevice.EbsVolumeThroughput,
+					Encrypted:           rootDevice.EbsEncrypted,
 					DeleteOnTermination: fi.Bool(true),
 				}
 
@@ -1780,6 +1786,7 @@ func buildRootDevice(cloud awsup.AWSCloud, volumeOpts *RootVolumeOpts,
 		DeviceName:             img.RootDeviceName,
 		EbsVolumeSize:          volumeOpts.Size,
 		EbsVolumeType:          volumeOpts.Type,
+		EbsEncrypted:           volumeOpts.Encryption,
 		EbsDeleteOnTermination: fi.Bool(true),
 	}
 
@@ -1806,6 +1813,7 @@ func (e *Elastigroup) convertBlockDeviceMapping(in *awstasks.BlockDeviceMapping)
 		out.EBS = &aws.EBS{
 			VolumeType:          in.EbsVolumeType,
 			VolumeSize:          fi.Int(int(fi.Int64Value(in.EbsVolumeSize))),
+			Encrypted:           in.EbsEncrypted,
 			DeleteOnTermination: in.EbsDeleteOnTermination,
 		}
 
diff --git a/upup/pkg/fi/cloudup/spotinsttasks/launch_spec.go b/upup/pkg/fi/cloudup/spotinsttasks/launch_spec.go
index 14a9b9580d..54ac0459e7 100644
--- a/upup/pkg/fi/cloudup/spotinsttasks/launch_spec.go
+++ b/upup/pkg/fi/cloudup/spotinsttasks/launch_spec.go
@@ -220,6 +220,9 @@ func (o *LaunchSpec) Find(c *fi.Context) (*LaunchSpec, error) {
 					if b.EBS.Throughput != nil {
 						actual.RootVolumeOpts.Throughput = fi.Int64(int64(fi.IntValue(b.EBS.Throughput)))
 					}
+					if b.EBS.Encrypted != nil {
+						actual.RootVolumeOpts.Encryption = b.EBS.Encrypted
+					}
 				}
 			}
 		}
@@ -876,6 +879,7 @@ type terraformBlockDeviceMappingEBS struct {
 	VolumeSize          *int64  `cty:"volume_size"`
 	VolumeIOPS          *int64  `cty:"iops"`
 	VolumeThroughput    *int64  `cty:"throughput"`
+	Encrypted           *bool   `cty:"encrypted"`
 	DeleteOnTermination *bool   `cty:"delete_on_termination"`
 }
 
@@ -981,6 +985,7 @@ func (_ *LaunchSpec) RenderTerraform(t *terraform.TerraformTarget, a, e, changes
 				VolumeSize:          rootDevice.EbsVolumeSize,
 				VolumeIOPS:          rootDevice.EbsVolumeIops,
 				VolumeThroughput:    rootDevice.EbsVolumeThroughput,
+				Encrypted:           rootDevice.EbsEncrypted,
 				DeleteOnTermination: fi.Bool(true),
 			},
 		})