When you copy an image, you can choose to encrypt the custom image. The system disk and data disks (if any) that are created from the custom image are automatically encrypted. The encryption key of the system disk and data disks is the same as that of the custom image. You can use the customer master key (CMK) that is automatically created in Key Management Service (KMS) or a custom key that you import (BYOK) as the encryption key.
Background information
Encrypt a system disk when copying an image in the ECS console
Encrypt a system disk by calling the CopyImage operation
The following example uses Alibaba Cloud CLI to call the CopyImage operation with KMSKeyId specified so that the system disk is encrypted.
aliyun ecs CopyImage --RegionId cn-hongkong --ImageId m-bp155shrycg3s0****** --DestinationRegionId cn-shenzhen --Encrypted true --KmsKeyId e522b26d-abf6-4e0d-b5da-04b7******3c --Tag.1.Key EcsDocumentation
Convert the encryption state
- If you do not select a CMK when copying an unencrypted image, the system disk that is created from the new image is unencrypted.
- If you select a CMK when copying an unencrypted image, the new image is encrypted. You must use this key to access instances that are created from the new image.
- If you do not select a CMK when copying an encrypted image, the new image is encrypted with the encryption key of the original image. You can use this key to access instances created from the new image.
- If you select a new CMK when copying an encrypted image, the new image is encrypted with the new CMK. You must use this key to access instances that are created from the new image.