diff --git a/requirements.txt b/requirements.txt
index 2aa7e05..99ffb2a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
 ansible>=2.1
 dopy==0.3.5
-boto
-azure==2.0.0rc5
+boto>=2.5
+azure>=2.0.0rc5
 apache-libcloud
 six
 pyopenssl
diff --git a/roles/cloud-ec2/tasks/encrypt_image.yml b/roles/cloud-ec2/tasks/encrypt_image.yml
new file mode 100644
index 0000000..ce4406f
--- /dev/null
+++ b/roles/cloud-ec2/tasks/encrypt_image.yml
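Review bot: `azure==2.0.0rc5` is relaxed to `azure>=2.0.0rc5` and `boto` gains only a floor (`boto>=2.5`), so both now float to whatever the index serves at install time, and a later untested release can change behaviour or pull in a package nobody reviewed. If an exact pin is not wanted, an upper bound keeps installs reproducible, e.g. `azure>=2.0.0rc5,<3` (bound chosen for illustration; use the highest version actually tested).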
@@ -0,0 +1,72 @@
+- name: Locate official Ubuntu 16.04 AMI for region
+ ec2_ami_find:
+ aws_access_key: "{{ aws_access_key }}"
+ aws_secret_key: "{{ aws_secret_key }}"
+ name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"
+ owner: 099720109477
+ sort: name
+ sort_order: descending
+ sort_end: 1
+ region: "{{ region }}"
+ register: ami_search
+
+- set_fact:
+ source_ami_image: "{{ ami_search.results[0].ami_id }}"
+
+#
+# https://github.com/ansible/ansible-modules-extras/issues/3565
+#
+#- name: Copy to an encrypted image
+ #ec2_ami_copy:
+ #aws_access_key: "{{ aws_access_key }}"
+ #aws_secret_key: "{{ aws_secret_key }}"
+ #description: ENC_IMAGE
+ #encrypted: yes
+ #name: newimage
+ #region: "{{ region }}"
+ #source_image_id: "{{ source_ami_image }}"
+ #source_region: "{{ region }}"
+ #register: ec2_ami_copy
+ #when: ami_encrypted_tag is not defined or (ami_encrypted_tag is defined and ami_encrypted_tag != true)
+#- debug: var=ec2_ami_copy
+
+#
+# https://github.com/ansible/ansible-modules-extras/issues/3565
+#
+- name: Copy to an encrypted image
+ shell: >
+ aws ec2 copy-image --source-region '{{ region }}' --region '{{ region }}' --encrypted --source-image-id '{{ source_ami_image }}' --name 'ubuntu-xenial-16.04-amd64-server-encrypted'
+ environment:
+ AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
+ AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}"
+ register: ec2_ami_copy
+
+- set_fact:
+ ami_image_ouput: "{{ ec2_ami_copy.stdout|from_json }}"
+
+- set_fact:
+ ami_encrypted_image: "{{ ami_image_ouput['ImageId'] }}"
+
+- name: Add tags to the encrypted image
+ ec2_tag:
+ aws_access_key: "{{ aws_access_key }}"
+ aws_secret_key: "{{ aws_secret_key }}"
+ region: "{{ region }}"
+ resource: "{{ ami_encrypted_image }}"
+ state: present
+ tags:
+ Name: "ubuntu-xenial-16.04-amd64-server-encrypted"
+ Encrypted: "true"
+
+- name: Confirm the encrypted image
+ ec2_ami_find:
+ aws_access_key: "{{ aws_access_key }}"
+ aws_secret_key: "{{ aws_secret_key }}"
+ ami_id: "{{ 
ami_encrypted_image }}"
+ region: "{{ region }}"
+ owner: self
+ state: available
+ register: ec2_ami_find_encrypted
+ until: ec2_ami_find_encrypted.results|length > 0
+ retries: 60
+ delay: 10
diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml
index 343470b..6c49a98 100644
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@@ -1,7 +1,7 @@
 - name: Locate official Ubuntu 16.04 AMI for region
 ec2_ami_find:
- aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
- aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
+ aws_access_key: "{{ aws_access_key }}"
+ aws_secret_key: "{{ aws_secret_key }}"
 name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"
 owner: 099720109477
 sort: creationDate
@@ -10,8 +10,8 @@
 region: "{{ region }}"
 register: ami_search
 
-- set_fact:
- ami_image: "{{ ami_search.results[0].ami_id }}"
+- include: encrypt_image.yml
+ when: ami_encrypted_tag is not defined or (ami_encrypted_tag is defined and ami_encrypted_tag != "true1")

 - name: Add ssh public key
 ec2_key:
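Review bot: The `Copy to an encrypted image` task in encrypt_image.yml builds a shell command line by interpolating `{{ region }}` and `{{ source_ami_image }}` inside single quotes, so a value containing a quote or shell metacharacter is interpreted by the shell instead of being passed as an argument; `command:` accepts the same free-form line and runs the CLI without a shell, so change `shell: >` to `command: >`. The same task hands `aws_secret_key` to the process via `environment:` with no `no_log: true`, so verbose runs or a failure dump may print it; add `no_log: true` to the task (`register` still captures stdout for the later `from_json`). `--encrypted` without `--kms-key-id` selects the account's default EBS key, which cannot be shared or policy-controlled like a customer-managed key; if that matters here, pass one explicitly. Minor: `ami_image_ouput` is misspelled (consistently, so it works), and `owner: 099720109477` is safer quoted so no YAML loader reads it as a number.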
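Review bot: In main.yml the include condition compares `ami_encrypted_tag` with the string `"true1"`, which looks like a leftover edit: unless the tag is literally `true1` the include always runs, so every play copies a fresh encrypted AMI; encrypt_image.yml tags the image `Encrypted: "true"`, so the guard should read `when: ami_encrypted_tag is not defined or ami_encrypted_tag != "true"` (the `is defined and` clause is redundant after `is not defined or`). Nothing in the diff shows where `ami_encrypted_tag` is set, so the tag may never be read back at all. The removed `set_fact` was the only visible assignment of `ami_image`, while encrypt_image.yml sets `source_ami_image` and `ami_encrypted_image` instead, so any later task in main.yml that still reads `ami_image` (outside this hunk) would fail on an undefined variable, and when the include is skipped no image fact is set at all. The lookup task at the top of main.yml is also repeated at the top of encrypt_image.yml (with `sort: name` instead of `sort: creationDate`), re-registering `ami_search`; one of the two can go.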