This topic describes how to encrypt a data disk. After you enable encryption on a data disk, both data in transit between the instance and the disk and data at rest on the disk are encrypted.

Background information

In this topic, data disks in Shared Block Storage and cloud disks are collectively called disks.

Encrypt a data disk when creating an instance

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. On the Instances page, click Create Instance.
  4. On the Basic Configurations page, find the Storage section and perform the following steps.
    Note This procedure describes only how to configure the encryption setting during instance creation. For more information about other configurations, see Create an instance by using the provided wizard.
    1. Click Add Disk.
    2. Specify the disk category and capacity of the data disk.
    3. Select Disk Encryption and then select a key from the drop-down list. The key must be a KMS key in the same region as the instance.
      After the encrypted disk is created, the KMS key that is used to encrypt the disk is automatically assigned a fixed tag. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can view the tag of the KMS key in the KMS console.

Encrypt a data disk when creating the disk

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Storage & Snapshots > Disks.
  3. In the upper-right corner of the Disks page, click Create Disk.
  4. Select the region and zone of the instance to which you want to attach the disk.
  5. In the Disk section, select Disk Encryption and then select a key from the drop-down list. The key must be a KMS key in the same region as the disk.
    Note This procedure describes only how to configure the encryption setting during disk creation. For more information about other configurations, see Create a pay-as-you-go disk or Create a subscription disk.
    After the encrypted disk is created, the KMS key that is used to encrypt the disk is automatically assigned a fixed tag. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can view the tag of the KMS key in the KMS console.

Convert the encryption state

After a data disk is created, its encryption state cannot be changed in place: an unencrypted disk cannot be encrypted later, and an encrypted disk cannot be decrypted. To change the state, create a new disk with the desired encryption setting, attach it to the same instance, and copy the data from the old disk to the new one. The following table describes the procedure for each direction.

State conversion: From unencrypted to encrypted
  Method:
    1. Log on to the operating system of the ECS instance.
    2. Manually copy the data on the unencrypted disk to a new encrypted disk.
  Windows Server: Run the robocopy command in Command Prompt.
  Linux: Run the rsync shell command.

State conversion: From encrypted to unencrypted
  Method:
    1. Log on to the operating system of the ECS instance.
    2. Manually copy the data on the encrypted disk to a new unencrypted disk.
  Windows Server: Run the robocopy command in Command Prompt.
  Linux: Run the rsync shell command.
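The following script is an added example of the Linux copy step in the table above; it is not code from the original page or from Alibaba Cloud. It copies the contents of one mounted data disk to another with rsync and then verifies the copy with a checksum manifest before reporting that the old disk can be detached. The same script serves both directions (unencrypted to encrypted and encrypted to unencrypted), because ECS disk encryption is transparent to the guest: the operating system only sees block devices. It assumes that both disks are attached, formatted and mounted on the instance (the mount points /mnt/olddisk and /mnt/newdisk are placeholders), that rsync is installed (a tar pipeline is used as a fallback if it is not), and that sha256sum, find, sort and xargs are available.

```shell
#!/bin/sh
# Added example (not from the original page): migrate the contents of one
# data disk to a newly created disk, then verify the copy before the old
# disk is unmounted and detached. Works for unencrypted -> encrypted and
# encrypted -> unencrypted alike, since encryption is invisible to the OS.
#
# Assumptions: both disks are mounted (e.g. /mnt/olddisk and /mnt/newdisk,
# placeholder paths); rsync is installed, with a tar fallback if not;
# sha256sum, find, sort and xargs are available.
set -eu

# Copy the contents of SRC into DST, preserving ownership, permissions,
# timestamps, symlinks, hard links and sparse files. The trailing slash on
# the source means "the contents of SRC", not SRC itself.
copy_disk_contents() {
    src="${1%/}"
    dst="${2%/}"
    if command -v rsync >/dev/null 2>&1; then
        # Add -A -X to also carry over POSIX ACLs and extended attributes
        # when both filesystems and the rsync build support them.
        rsync -aHS --numeric-ids "$src/" "$dst/"
    else
        echo "rsync not found, falling back to tar" >&2
        (cd "$src" && tar -cf - .) | (cd "$dst" && tar -xpf -)
    fi
}

# Print "<sha256>  ./relative/path" for every regular file under ROOT in a
# stable order, so two directory trees can be compared byte for byte.
file_manifest() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum)
}

# Return 0 if every regular file under SRC exists under DST with identical
# content, and DST holds no extra files; return 1 otherwise and print the
# differing manifest lines to stderr.
verify_copy() {
    a=$(mktemp)
    b=$(mktemp)
    file_manifest "$1" >"$a"
    file_manifest "$2" >"$b"
    if cmp -s "$a" "$b"; then
        rm -f "$a" "$b"
        return 0
    fi
    diff "$a" "$b" >&2 || true
    rm -f "$a" "$b"
    return 1
}

# Full migration: copy, verify, and only then report that the old disk is
# safe to unmount and detach. Stop services that write to SRC first, or run
# copy_disk_contents twice (rsync only resends what changed on the second
# pass) and stop them between the passes.
migrate_disk() {
    copy_disk_contents "$1" "$2"
    if verify_copy "$1" "$2"; then
        echo "copy verified: $1 -> $2; point /etc/fstab at the new disk's UUID, then unmount and detach the old disk"
    else
        echo "verification FAILED: do not detach $1" >&2
        return 1
    fi
}

# Usage: sh migrate_disk.sh /mnt/olddisk /mnt/newdisk
if [ $# -eq 2 ]; then
    migrate_disk "$1" "$2"
fi
```

The checksum manifest is the safety net the table does not mention: a copy that finishes without an error is not the same as a copy whose contents match, and the old disk should only be detached after the comparison passes. On Windows Server the equivalent of the rsync line is robocopy with /E /COPYALL /DCOPY:T, which also carries over NTFS ACLs and directory timestamps; run it from an elevated Command Prompt so that the ACLs can be set on the destination.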