This topic describes how to encrypt a data disk. After a data disk is encrypted, both data in transit and data at rest on the disk are encrypted. You can follow the instructions described in this topic to encrypt data disks to meet security and compliance requirements.
Background information
You can use one of the following methods to encrypt data disks:
Create an Elastic Compute Service (ECS) instance from an encrypted custom image that includes data disks. The data disks of the resulting instance are encrypted. For more information, see the Encrypt a data disk when you create an ECS instance section in this topic.
When you create an instance, click Add Disk to add data disks and select Disk Encryption and a key for each data disk. For more information, see Encrypt a data disk when you create an instance.
When you create an independent disk, select Disk Encryption and a key for the disk. For more information, see the Encrypt a data disk when you create the disk section in this topic.
When you encrypt data disks, you must use keys in Key Management Service (KMS). For more information, see Encryption overview.
Requirements
If you select Create from Snapshot to create a data disk, you can select Disk Encryption to encrypt the disk only when the requirements described in the following table are met.
| Item | Requirement |
| --- | --- |
| Instance family | The instance family of the associated instance is not ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, or ecs.ebmhfg5. For more information, see Overview of instance families. |
| Disk category | The disk is an enhanced SSD (ESSD). |
Procedure
Encrypt a data disk when you create an ECS instance
This section describes only how to configure the disk encryption settings when you create an instance. For information about other configurations of the instance, see Create an instance by using the wizard.
On the Instances page, click Create Instance.
In the Basic Configurations step, find the Storage section and perform the following steps:
Click Add Disk.
Specify the category and capacity of the disk.
Select Disk Encryption and select a key from the drop-down list.
By default, Alibaba Cloud uses the Default Service CMK as the encryption key when you select Disk Encryption for a disk. You can also specify a custom customer master key (CMK) that you created in KMS as the encryption key of the disk. We recommend that you use a custom CMK as the encryption key. For information about how to create a CMK, see Create a CMK.
Note: The first time you select an encryption key, click Go to Authorize and follow the on-screen instructions to attach the AliyunECSDiskEncryptDefaultRole role, which allows ECS to access your KMS resources.
Note: Currently, custom CMKs cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), or South Korea (Seoul) regions.
Encrypt a data disk when you create the disk
This section describes only how to configure the disk encryption settings when you create a disk. For information about other configurations of the disk, see Create a disk.
In the upper-left corner of the Disks page, click Create Disk.
In the Storage section, specify the category and capacity of the disk.
Select Disk Encryption and select a key from the drop-down list.
By default, Alibaba Cloud uses the Default Service CMK as the encryption key when you select Disk Encryption for a disk. You can also specify a custom customer master key (CMK) that you created in KMS as the encryption key of the disk. We recommend that you use a custom CMK as the encryption key. For information about how to create a CMK, see Create a CMK.
Note: The first time you select an encryption key, click Go to Authorize and follow the on-screen instructions to attach the AliyunECSDiskEncryptDefaultRole role, which allows ECS to access your KMS resources.
Note: Currently, custom CMKs cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), or South Korea (Seoul) regions.