When you copy an image, you can choose to encrypt the custom image. The system disk and data disks (if any) that are created from the custom image are automatically encrypted. The encryption key of the system disk and data disks is the same as that of the custom image. You can use the customer master key (CMK) that is automatically created in Key Management Service (KMS) or a custom key that you import (BYOK) as the encryption key.
Encrypt a system disk when copying an image in the ECS console
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- On the Images page, click the Custom Image tab.
- Select the target image and click Copy Image in the Actions column.
Note If the size of your custom image is greater than 500 GiB, you are prompted to submit a ticket to complete the operation when you click Copy Image.
- In the Copy Image dialog box, select Encrypt and then select a key from the drop-down list.
When Encrypt is selected, Alibaba Cloud uses the managed service key Default Service CMK by default. You can also specify a CMK that you created in KMS as the encryption key. We recommend that you use a custom key as the encryption key.
Note If this is the first time that you select Encrypt, click Go to Authorize and select AliyunECSDiskEncryptDefaultRole to allow ECS to access your KMS resources. This procedure describes only how to configure the encryption setting when you copy a custom image. For more information about other configurations, see Copy custom images.
- Click OK.
After the encryption is complete, the KMS key that is used to encrypt the disk is automatically assigned a fixed tag. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can view the tag of the KMS key in the KMS console.
Encrypt a system disk by calling the CopyImage operation
The following example uses Alibaba Cloud CLI to call the CopyImage operation with Encrypted set to true and a KMSKeyId specified, so that the system disk created from the copied image is encrypted with that key. The tag index N in the API reference is replaced with a concrete index (1) so that the command can be run as written.
aliyun ecs CopyImage --RegionId cn-hongkong --ImageId m-bp155shrycg3s0****** --DestinationRegionId cn-shenzhen --Encrypted true --KMSKeyId e522b26d-abf6-4e0d-b5da-04b7******3c --Tag.1.Key EcsDocumentation
Convert the encryption state
- If you do not select a CMK when copying an unencrypted image, the system disk that is created from the new image is unencrypted.
- If you select a CMK when copying an unencrypted image, the new image is encrypted. You must use this key to access instances that are created from the new image.
- If you do not select a CMK when copying an encrypted image, the new image is encrypted with the encryption key of the original image. You can use this key to access instances created from the new image.
- If you select a new CMK when copying an encrypted image, the new image is encrypted with the new CMK. You must use this key to access instances that are created from the new image.
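The following Python module is an added example, not code from the Alibaba Cloud documentation or the ECS SDK. It encodes the four encryption-state rules above together with the Default Service CMK behaviour described for the console, builds the same CopyImage parameter set as the CLI call in the previous section, and checks a copied image and its KMS key tag against what the rules predict. The record shapes (an image record with Encrypted and KMSKeyId fields, a tag list with TagKey and TagValue entries), the DEFAULT_SERVICE_CMK label and all key and image IDs are constructed for the example and are not taken from a real API response.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Label standing in for the managed key ECS uses when Encrypt is selected
# without a custom CMK (constructed placeholder, not a real key ID).
DEFAULT_SERVICE_CMK = "Default Service CMK"

# Tag that ECS attaches to a KMS key once it has been used for disk encryption.
DISK_ENCRYPTION_TAG_KEY = "acs:ecs:disk-encryption"
DISK_ENCRYPTION_TAG_VALUE = "true"


@dataclass(frozen=True)
class ImageEncryption:
    """Encryption state of an image: whether it is encrypted and with which key."""
    encrypted: bool
    key_id: Optional[str]


def expected_encryption(source: ImageEncryption, encrypt: bool,
                        selected_cmk: Optional[str]) -> ImageEncryption:
    """Apply the copy rules: an explicitly selected CMK always wins; an encrypted
    source keeps its key when no CMK is selected; Encrypt without a CMK falls back
    to the Default Service CMK; otherwise the copy stays unencrypted."""
    if selected_cmk is not None:
        return ImageEncryption(True, selected_cmk)
    if source.encrypted:
        return ImageEncryption(True, source.key_id)
    if encrypt:
        return ImageEncryption(True, DEFAULT_SERVICE_CMK)
    return ImageEncryption(False, None)


def build_copy_image_params(region_id: str, image_id: str, destination_region_id: str,
                            encrypt: bool, kms_key_id: Optional[str] = None,
                            tag_key: Optional[str] = None) -> Dict[str, str]:
    """Build the CopyImage request parameters, mirroring the CLI invocation:
    Encrypted is a string flag and KMSKeyId is only sent when a CMK was chosen."""
    params = {
        "RegionId": region_id,
        "ImageId": image_id,
        "DestinationRegionId": destination_region_id,
        "Encrypted": "true" if (encrypt or kms_key_id) else "false",
    }
    if kms_key_id:
        params["KMSKeyId"] = kms_key_id
    if tag_key:
        params["Tag.1.Key"] = tag_key  # concrete index in place of the reference's Tag.N.Key
    return params


def verify_copied_image(image_record: Dict[str, object],
                        expected: ImageEncryption) -> List[str]:
    """Compare a copied image record against the predicted state and return a list
    of mismatches (empty when the copy is encrypted as intended)."""
    problems = []
    actual_encrypted = bool(image_record.get("Encrypted", False))
    if actual_encrypted != expected.encrypted:
        problems.append(f"Encrypted is {actual_encrypted}, expected {expected.encrypted}")
    actual_key = image_record.get("KMSKeyId") or None
    if expected.encrypted and expected.key_id != DEFAULT_SERVICE_CMK and actual_key != expected.key_id:
        problems.append(f"KMSKeyId is {actual_key!r}, expected {expected.key_id!r}")
    return problems


def kms_key_has_disk_encryption_tag(tags: List[Dict[str, str]]) -> bool:
    """Return True when the key's tag list carries acs:ecs:disk-encryption=true."""
    return any(t.get("TagKey") == DISK_ENCRYPTION_TAG_KEY
               and t.get("TagValue") == DISK_ENCRYPTION_TAG_VALUE for t in tags)


if __name__ == "__main__":
    # Constructed scenario: re-key an already encrypted image onto a new CMK.
    source = ImageEncryption(True, "key-old-constructed")
    new_cmk = "key-new-constructed"
    expected = expected_encryption(source, True, new_cmk)
    params = build_copy_image_params("cn-hongkong", "m-constructed", "cn-shenzhen",
                                     True, new_cmk, "EcsDocumentation")
    copied = {"ImageId": "m-copy-constructed", "Encrypted": True, "KMSKeyId": new_cmk}
    print(params)
    print("mismatches:", verify_copied_image(copied, expected))
```

The verification step matters because rule 3 and rule 4 differ only in which key ends up protecting the copy: after a copy meant to re-key an image, checking KMSKeyId on the new image (and the acs:ecs:disk-encryption tag on the new key) confirms that instances created from it will depend on the intended CMK and not silently on the old one.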