
Elastic Compute Service:Encrypt a system disk

Last Updated: Oct 25, 2023

You can encrypt system disks when you create Elastic Compute Service (ECS) instances or copy custom images in the ECS console or by calling API operations. After you encrypt system disks, data stored on the disks is encrypted. Encryption keys can be managed service keys (system-created keys) or custom keys that you create in Key Management Service (KMS).

Background information

Methods for encrypting system disks

You can use one of the following methods to encrypt a system disk:

  • Method 1: (Recommended) Encrypt the system disk of an instance when you create the instance

    When you create an instance, select Encryption and select a key in the Storage section to encrypt the system disk. The limits described in the following table apply when you encrypt the system disk of an instance during instance creation.

    Item            | Description
    ----------------|------------
    Instance family | The instance family of the instance cannot be ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, or ecs.ebmhfg5. For more information, see Overview of instance families.
    Disk category   | The system disk must be an enhanced SSD (ESSD).
    Custom key      | Custom keys cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), or South Korea (Seoul) region.

  • Method 2: Copy a custom image to create encrypted system disks

    When you copy a custom image, select Copy and Encrypt and select a key to encrypt the custom image copy. When you create an instance from the encrypted custom image copy, the system disk and data disks of the instance are automatically encrypted. The following figure shows how to create an encrypted system disk by using the Copy and Encrypt feature, which encrypts the image copy at the time the custom image is copied.

Scenarios for encrypting a system disk

The following table describes the scenarios for encrypting a system disk. The encryption state of the system disk depends on whether a key is selected when the instance is created and on whether the custom image used to create the instance is encrypted.

System disk encrypted during instance creation | Custom image encrypted | System disk encrypted
-----------------------------------------------|------------------------|----------------------
No                                             | No                     | No
Yes (use Key A)                                | No                     | Yes (use Key A)
No                                             | Yes (use Key B)        | Yes (use Key B)
Yes (use Key A)                                | Yes (use Key B)        | Yes (use Key A)

If a key is selected when the instance is created, the system disk uses that key (Key A) even when the custom image is encrypted with a different key (Key B). For more information about encrypting the system disk when you create an instance, see the (Recommended) Encrypt the system disk of an instance when you create the instance section of this topic. For more information about encrypting a custom image, see the Copy a custom image to create encrypted system disks section of this topic.

Prerequisites

KMS is activated. For more information, see Activate KMS.

(Recommended) Encrypt the system disk of an instance when you create the instance

You can select Encryption and select a key in the Storage section to encrypt the system disk of an instance when you create the instance.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Instances page, click Create Instance.

  5. In the Storage section, encrypt the system disk.

    Note

    This step describes only how to configure the disk encryption settings when you create an instance. For information about other configurations of the instance, see Create an instance by using the wizard.

    1. Select Enhanced SSD (ESSD) and specify a capacity for the system disk in the Storage section.

    2. Select Encryption and select a key from the drop-down list.


      By default, Alibaba Cloud uses the Default Service CMK as the encryption key when you select Encryption for a disk. You can also specify a custom customer master key (CMK) that you created in KMS as the encryption key of the disk. We recommend that you use a custom CMK as the encryption key. For information about how to create a CMK, see Create a CMK.

      Note

      • The first time you select an encryption key, click Go to Authorize and follow the on-screen instructions to attach the AliyunECSDiskEncryptDefaultRole role to allow ECS to access your KMS resources.

      • Currently, custom CMKs cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), or South Korea (Seoul) region.

Copy a custom image to create encrypted system disks

When you copy a custom image within the same region or across different regions, you can select Copy and Encrypt to encrypt the custom image copy. This way, system disks and data disks (if any) created from the encrypted custom image copy are automatically encrypted.

Encrypt a custom image

You can encrypt a custom image by using the ECS console or by calling the CopyImage operation.

  • Encrypt a custom image when you copy an image in the ECS console

    This section describes how to copy an existing custom image and encrypt the image copy in the ECS console. Then, you can create an encrypted system disk from the encrypted image copy. If no custom images are available, create a custom image. For more information, see Create a custom image from a snapshot and Create a custom image from an instance.

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Instances & Images > Images.

    3. In the upper-left corner of the top navigation bar, select a region.

    4. On the Images page, click the Custom Images tab.

    5. Find the custom image that you want to copy and click Copy Image in the Actions column.

    6. In the Copy Image dialog box, set Copy Mode to Copy and Encrypt, select a destination region, and then select an encryption key.

      By default, Alibaba Cloud uses a managed service key (Default Service CMK) as the encryption key when you select Copy and Encrypt. You can also specify a custom key that you created in KMS as the encryption key to encrypt the image copy. We recommend that you use a custom key as the encryption key. For information about how to create a key, see Create a CMK.

      Note

      The first time that you select an encryption key, click Go to Authorize and follow the on-screen instructions to attach the AliyunECSDiskEncryptDefaultRole role to grant ECS access to your KMS resources.

      This step describes only how to configure the encryption settings when you copy a custom image. For information about other configurations, see Copy an image.

    7. Click Confirm.

  • Encrypt a custom image by calling the CopyImage operation

    In the following example, Alibaba Cloud CLI is used to call the CopyImage operation and specify the KMSKeyId parameter to copy a custom image and encrypt the image copy. Then, you can create an encrypted system disk from the encrypted image copy.

    aliyun ecs CopyImage --RegionId cn-hongkong \
    --ImageId m-bp155shrycg3s0****** --DestinationRegionId cn-shenzhen \
    --Encrypted true --KMSKeyId e522b26d-abf6-4e0d-b5da-04b7******3c \
    --Tag.1.Key EcsDocumentation

Use an encrypted custom image to create an ECS instance

If you use an encrypted custom image to create an instance, the system disk and data disks of the instance are automatically encrypted. The system disk and data disks use the same encryption key as the custom image. For more information about how to create an ECS instance, see Create an instance by using the wizard.

Encryption state change of a system disk

After you copy a custom image and encrypt the custom image copy, the encryption state of the system disks created from the image copy is determined based on whether a new key is selected during the image copy process. The following section describes how an encryption key affects the encryption state of a system disk:

  • If you do not select a key when you copy an unencrypted custom image, the system disks created from the image copy are unencrypted.

  • If you select a key when you copy an unencrypted custom image, the image copy is encrypted. Only that key can be used to access instances created from the image copy.

  • If you do not select a key when you copy an encrypted image, the image copy is encrypted by using the same encryption key as the copied image. Only the encryption key of the copied image can be used to access instances created from the image copy.

  • If you select a new key when you copy an encrypted image, the image copy is encrypted by using the new key. Only the new key can be used to access instances created from the image copy.
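The key rules from the scenario table above and from the four cases just listed, written out as an added example (hypothetical helper code, not Alibaba Cloud's own), together with a check that flags system disks in a DescribeDisks-shaped response that are unencrypted or do not use the custom CMK you expect. The disk and image IDs in the sample are constructed; the field names follow the DescribeDisks response format.

```python
import json
from typing import List, Optional

# Hypothetical helpers (not Alibaba Cloud code). A key is a KMS key ID string;
# None means "no key selected" or "not encrypted".

def copied_image_key(source_key: Optional[str], selected_key: Optional[str]) -> Optional[str]:
    """Key of a custom image copy under the Copy and Encrypt rules above:
    a newly selected key wins, otherwise the copy keeps the source image's key,
    and an unencrypted source copied without a key stays unencrypted."""
    return selected_key if selected_key is not None else source_key

def system_disk_key(instance_key: Optional[str], image_key: Optional[str]) -> Optional[str]:
    """Key of a new instance's system disk per the scenario table:
    a key chosen during instance creation (Key A) takes precedence over the
    key of the custom image (Key B); with neither, the disk is unencrypted."""
    return instance_key if instance_key is not None else image_key

# Constructed sample shaped like a DescribeDisks response (IDs are made up).
SAMPLE_DESCRIBE_DISKS = json.dumps({"Disks": {"Disk": [
    {"DiskId": "d-example-sys1", "Type": "system", "Category": "cloud_essd",
     "Encrypted": True, "KMSKeyId": "key-A", "ImageId": "m-example-enc"},
    {"DiskId": "d-example-sys2", "Type": "system", "Category": "cloud_essd",
     "Encrypted": False, "KMSKeyId": "", "ImageId": "m-example-plain"},
    {"DiskId": "d-example-data1", "Type": "data", "Category": "cloud_essd",
     "Encrypted": False, "KMSKeyId": "", "ImageId": ""},
]}})

def noncompliant_system_disks(describe_disks_json: str,
                              required_key: Optional[str] = None) -> List[str]:
    """IDs of system disks that are unencrypted or, when required_key is given,
    encrypted with a key other than the custom CMK your policy mandates."""
    findings = []
    for disk in json.loads(describe_disks_json)["Disks"]["Disk"]:
        if disk.get("Type") != "system":
            continue  # this check covers system disks only
        if not disk.get("Encrypted"):
            findings.append(disk["DiskId"])
        elif required_key is not None and disk.get("KMSKeyId") != required_key:
            findings.append(disk["DiskId"])
    return findings

if __name__ == "__main__":
    print("system disk key:", system_disk_key("key-A", "key-B"))   # key-A
    print("copied image key:", copied_image_key("key-B", None))    # key-B
    print("non-compliant:", noncompliant_system_disks(SAMPLE_DESCRIBE_DISKS, "key-A"))
```

To run the check against a real account, feed the JSON printed by aliyun ecs DescribeDisks --RegionId <region> to noncompliant_system_disks instead of the constructed sample.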

What to do next

You can use the encrypted image copy to create an instance or replace the system disk of an instance by performing the operations that are described in the following topics: