Encrypted cross-zone replication for cross-zone replicated block storage devices

What is claimed is: 1. A system to provide redundancy in a virtualized storage device replicated across at least a first and second zone of a plurality of zones, wherein the plurality of zones are in communication via a communication network but are electrically and physically isolated from one another, and wherein the virtualized storage device comprises a first volume in the first zone and a second volume in the second zone, the system comprising: a first computing system associated with the first zone, the first computing system including at least a first computing device and a second computing device that collectively implement the first volume, wherein data written to the first volume is encrypted using a first encryption key; a second computing system associated with the second zone, the second computing system including at least a first computing device and a second computing device that collectively implement the second volume, wherein data written to the second volume is encrypted using a second encryption key; and one or more computing devices implementing an encryption service configured to: obtain data written to the first volume encrypted using a first encryption key and submitted from the first volume for replication to the second volume; using the first encryption key, decrypt the data to result in decrypted data; using the second encryption key, encrypt the decrypted data to result in reencrypted data; transmit the reencrypted data to the second volume; obtain an acknowledgement from the second volume of receipt of the reencrypted data, the acknowledgement from the second volume indicating writing of the data to the second volume; and subsequent to the acknowledgement from the second volume of receipt of the reencrypted data, transmit an acknowledgement to the first volume of receipt of the data at the encryption service, the acknowledgement to the first volume from the encryption service indicating writing of the data to the second volume; wherein the first volume is configured to transmit an acknowledgement to a client device of writing of the data to the first volume only after receiving acknowledgement of receipt of the data at the encryption service, wherein the acknowledgement to the client device indicates writing of the data, as encrypted using the first encryption key, to the first volume and writing of the reencrypted data, encrypted using the second encryption key, to the second volume. 2. The system of claim 1 , wherein the virtualized storage device represents a block storage device of a virtual machine instance. 3. The system of claim 1 , wherein the one or more computing devices implementing the encryption service are configured to store the decrypted data only in transient memory. 4. The system of claim 1 , wherein the first and second encryption keys are provided to the first and second volumes by a key management service, and wherein the one or more computing devices implementing the encryption service are configured to obtain the first and second encrypted keys from the key management service after authenticating with the key management service. 5. The system of claim 1 , wherein the one or more computing devices implementing the encryption service are configured to be inaccessible to client devices. 6. The system of claim 1 , wherein the one or more computing devices implementing the encryption service and the second volume utilize intercompatible application programming interfaces, and wherein the one or more computing devices implementing the encryption service obtain the data written to the first volume by presenting to the first volume as a secondary volume. 7. A computer-implemented method to provide redundancy in a virtualized storage device replicated across at least a first and second zone of a plurality of zones, wherein the plurality of zones are in communication via a communication network but are isolated from one another, and wherein the virtualized storage device comprises a first volume in the first zone and storing data encrypted according to a first encryption key and a second volume in the second zone and storing data encrypted according to a second encryption key, the computer-implemented method comprising: obtaining from a client device a write of data to the first volume and encrypted using a first encryption key; prior to acknowledging the write to the client device: using the first encryption key, decrypting the data to result in decrypted data; using the second encryption key, encrypting the decrypted data to result in reencrypted data; transmitting the reencrypted data to the second volume; and obtaining an acknowledgement from the second volume of receipt of the reencrypted data, the acknowledgement from the second volume indicating writing of the reencrypted data to the second volume; and subsequent to the acknowledgement from the second volume of receipt of the reencrypted data, transmitting an acknowledgement of the write to the client device, wherein the acknowledgement of the write to the client device indicates writing of the data, as encrypted using the first encryption key, to the first volume and writing of the reencrypted data, encrypted using the second encryption key, to the second volume. 8. The computer-implemented method of claim 7 , wherein the first volume is designated by as a primary volume for the virtualized storage device, the primary volume having authority to accept writes to the virtualized storage device and responsibility for replicating writes to the second volume. 9. The computer-implemented method of claim 7 further comprising assigning to the write of data a write sequence number and transmitting the write sequence number to the second volume. 10. The computer-implemented method of claim 7 further comprising storing the decrypted data only in transient memory. 11. The computer-implemented method of claim 7 , wherein obtaining an acknowledgement from the second volume of receipt of the reencrypted data comprises obtaining an acknowledgement that at least two devices implementing the second volume have replicated the reencrypted data. 12. The computer-implemented method of claim 7 further comprising storing the data to the first volume prior to acknowledging write to the client device. 13. The computer-implemented method of claim 7 , wherein storing the data to the first volume comprises generating a log entry within a write journal, and wherein the method further comprises persisting the data to a data store. 14. The computer-implemented method of claim 13 , wherein persisting the data to the data store comprises storing the data at the data store in an erasure coded form. 15. A system to provide redundancy in a virtualized storage device replicated across at least a first and second zone of a plurality of zones, wherein the plurality of zones are in communication via a communication network but are isolated from one another, and wherein the virtualized storage device comprises a first volume in the first zone and associated with a first encryption key and a second volume in the second zone and associated with a second encryption key, the system comprising: a data store including computer-executable instructions; and one or more processors configured to execute the computer-executable instructions to: obtain data written by a client device to the first volume and encrypted using the first encryption key; using the first encryption key, decrypt the data to result in decrypted data; using the second encryption key, encrypt the decrypted data to result in reencrypted data; transmit the reencrypted data to the s