When you copy an image, you can choose to encrypt the custom image. The system disk and data disks (if any) that are created from the custom image are automatically encrypted. The encryption key of the system disk and data disks is the same as that of the custom image. You can use the customer master key (CMK) that is automatically created in Key Management Service (KMS) or a custom key that you import (BYOK) as the encryption key.

Background information

You can encrypt a system disk only by copying a custom image. For more information, see Encryption overview.

Encrypt a system disk when copying an image in the ECS console

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Images.
  3. In the top navigation bar, select a region.
  4. On the Images page, click the Custom Image tab.
  5. Select the target image and click Copy Image in the Actions column.
    Note If the size of your custom image is greater than 500 GiB, you are prompted to submit a ticket to complete the operation when you click Copy Image.
  6. In the Copy Image dialog box, select Encrypt and then select a key from the drop-down list.
    When Encrypt is selected, Alibaba Cloud uses the managed service key Default Service CMK by default. You can also specify a CMK that you created in KMS as the encryption key. We recommend that you use a custom key as the encryption key.
    Note If this is the first time that you select Encrypt, click Go to Authorize and select AliyunECSDiskEncryptDefaultRole to allow ECS to access your KMS resources. This procedure describes only how to configure the encryption setting when you copy a custom image. For more information about other configurations, see Copy custom images.
    Copy Image dialog box in the ECS console
  7. Click OK.
    After the encryption is complete, the KMS key that is used to encrypt the disk is automatically assigned with a fixed tag. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can view the tag of the KMS key in the KMS console.

Encrypt a system disk by calling the CopyImage operation

The following example uses Alibaba Cloud CLI to call the CopyImage operation to specify KMSKeyId to encrypt the system disk.

aliyun ecs CopyImage --RegionId cn-hongkong --ImageId m-bp155shrycg3s0****** --DestinationRegionId cn-shenzhen --Encrypted true --KMSKeyId e522b26d-abf6-4e0d-b5da-04b7******3c --Tag.1.Key EcsDocumentation

Convert the encryption state

To determine the encryption state of the system disk and whether you need to change or select a new CMK, refer to the following points:
  • If you do not select a CMK when copying an unencrypted image, the system disk that is created from the new image is unencrypted.
  • If you select a CMK when copying an unencrypted image, the new image is encrypted. You must use this key to access instances that are created from the new image.
  • If you do not select a CMK when copying an encrypted image, the new image is encrypted with the encryption key of the original image. You can use this key to access instances created from the new image.
  • If you select a new CMK when copying an encrypted image, the new image is encrypted with the new CMK. You must use this key to access instances that are created from the new image.
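The four rules above, applied in code as an added worked example that is not part of the original page: copy_result computes the encryption state of the copied image, copyimage_args builds the aliyun CLI call used on this page, and audit flags the outcomes a reviewer would want to see before approving the copy. The key IDs are constructed stand-ins, and the behaviour of Encrypted=true without KMSKeyId (managed key selected) is an assumption carried over from the console default.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample identifiers; the real ones come from your own account.
DEFAULT_SERVICE_CMK = "Default Service CMK"  # managed key ECS uses when none is chosen
CUSTOM_CMK = "e522b26d-abf6-4e0d-b5da-example"  # stand-in for a CMK you created in KMS


@dataclass(frozen=True)
class ImageState:
    encrypted: bool
    kms_key_id: Optional[str]  # None when the image is unencrypted


def copy_result(source: ImageState, selected_key: Optional[str]) -> ImageState:
    """Apply the four rules under 'Convert the encryption state'."""
    if selected_key is not None:
        # Rules 2 and 4: a selected CMK becomes the key of the new image,
        # whether or not the source image was encrypted.
        return ImageState(True, selected_key)
    if source.encrypted:
        # Rule 3: no CMK selected, encrypted source -> original key is kept.
        return ImageState(True, source.kms_key_id)
    # Rule 1: no CMK selected, unencrypted source -> unencrypted copy.
    return ImageState(False, None)


def copyimage_args(region: str, image_id: str, dest_region: str,
                   selected_key: Optional[str]) -> List[str]:
    """Build the aliyun CLI argument list matching the CopyImage call on this page."""
    args = ["aliyun", "ecs", "CopyImage", "--RegionId", region,
            "--ImageId", image_id, "--DestinationRegionId", dest_region]
    if selected_key is not None:
        args += ["--Encrypted", "true"]
        if selected_key != DEFAULT_SERVICE_CMK:
            # Assumption: Encrypted=true without KMSKeyId selects the managed key,
            # as the console does; KMSKeyId is passed only for a CMK you created.
            args += ["--KMSKeyId", selected_key]
    return args


def audit(source: ImageState, selected_key: Optional[str]) -> List[str]:
    """Findings to raise before approving the copy (empty list means acceptable)."""
    result = copy_result(source, selected_key)
    findings = []
    if not result.encrypted:
        findings.append("resulting image is unencrypted")
    elif result.kms_key_id == DEFAULT_SERVICE_CMK:
        findings.append("managed Default Service CMK used; a custom CMK is recommended")
    if source.encrypted and result.kms_key_id != source.kms_key_id:
        findings.append("key changed: instances from the copy need the new CMK")
    return findings
```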

What to do next

You can use the copied image to create an instance or change the system disk: