diff --git a/library/cloud/ec2_vol b/library/cloud/ec2_vol
index 54505680694..49d3a601430 100644
--- a/library/cloud/ec2_vol
+++ b/library/cloud/ec2_vol
@@ -55,6 +55,11 @@ options:
 default: 100
 aliases: []
 version_added: "1.3"
+ encrypted:
+ description:
+ - Enable encryption at rest for this volume.
+ default: false
+ version_added: "1.8"
 device_name:
 description:
 - device id to override device mapping. Assumes /dev/sdf for Linux/UNIX and /dev/xvdf for Windows.
@@ -178,6 +183,8 @@ EXAMPLES = '''
 import sys
 import time
+from distutils.version import LooseVersion
+
 try:
 import boto.ec2
 except ImportError:
@@ -230,12 +237,21 @@ def delete_volume(module, ec2):
 ec2.delete_volume(vol.id)
 module.exit_json(changed=True)
+def boto_supports_volume_encryption():
+ """
+ Check if Boto library supports encryption of EBS volumes (added in 2.29.0)
+
+ Returns:
+ True if boto library has the named param as an argument on the request_spot_instances method, else False
+ """
+ return hasattr(boto, 'Version') and LooseVersion(boto.Version) >= LooseVersion('2.29.0')
 def create_volume(module, ec2, zone):
 name = module.params.get('name')
 id = module.params.get('id')
 instance = module.params.get('instance')
 iops = module.params.get('iops')
+ encrypted = module.params.get('encrypted')
 volume_size = module.params.get('volume_size')
 snapshot = module.params.get('snapshot')
 # If custom iops is defined we use volume_type "io1" rather than the default of "standard"
@@ -265,7 +281,11 @@ def create_volume(module, ec2, zone):
 changed=False)
 else:
 try:
- volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops)
+ if boto_supports_volume_encryption():
+ volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops, encrypted)
+ else:
+ volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops)
+
 while volume.status != 'available':
 time.sleep(3)
 volume.update()
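Review bot: The docstring on `boto_supports_volume_encryption` describes a different function: it says the result reflects a named parameter on `request_spot_instances`, while the body only compares `boto.Version` with 2.29.0. Because this predicate decides whether the encryption flag is sent at all, the text should state the version comparison, for example `"""Return True if the installed boto is 2.29.0 or newer, the release that added EBS volume encryption."""`. The `encrypted = module.params.get('encrypted')` line lower in the same hunk belongs to `create_volume`, whose body continues outside the hunk.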
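Review bot: A request for `encrypted` is honoured only on the create path; the `changed=False` branch directly above this `else:` (it starts outside the hunk) appears to return an already existing volume without looking at its encryption state, so a play could report success while the data stays unencrypted at rest. Consider failing in that branch when encryption was requested and the found volume is not encrypted, e.g. `if encrypted and not getattr(existing_volume, 'encrypted', False): module.fail_json(msg="Volume exists but is not encrypted")`, where `existing_volume` stands for whatever name that branch uses. In the new call, passing the flag by keyword (`encrypted=encrypted`) would keep it from landing in the wrong slot if boto's positional order differs. The fallback `else:` drops the flag silently and relies entirely on the guard in `main()` having rejected the request first.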
@@ -319,6 +339,7 @@ def main():
 name = dict(),
 volume_size = dict(),
 iops = dict(),
+ encrypted = dict(),
 device_name = dict(),
 zone = dict(aliases=['availability_zone', 'aws_zone', 'ec2_zone']),
 snapshot = dict(),
@@ -332,6 +353,7 @@ def main():
 instance = module.params.get('instance')
 volume_size = module.params.get('volume_size')
 iops = module.params.get('iops')
+ encrypted = module.params.get('encrypted')
 device_name = module.params.get('device_name')
 zone = module.params.get('zone')
 snapshot = module.params.get('snapshot')
@@ -367,6 +389,9 @@ def main():
 if id and name:
 module.fail_json(msg="Both id and name cannot be specified")
+ if encrypted and not boto_supports_volume_encryption():
+ module.fail_json(msg="You must use boto >= v2.29.0 to use encrypted volumes")
+
 # Here we need to get the zone info for the instance. This covers situation where
 # instance is specified but zone isn't.
 # Useful for playbooks chaining instance launch with volume create + attach and where the
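Review bot: `encrypted = dict()` declares no type, so the value likely reaches the module as the raw string from the playbook, and `encrypted=no` or `encrypted=false` is then a non-empty, truthy string. Both the `if encrypted and not boto_supports_volume_encryption()` guard in the last hunk and the `create_volume` call would then treat an explicit "no" as a request for encryption, and the documented `default: false` is not enforced anywhere in the visible code. Declaring it as `encrypted = dict(type='bool', default=False),` lets the argument parser coerce yes/no values before they are tested. The argument spec itself starts and ends outside the hunk.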