When you copy a custom image, you can choose to encrypt the image copy. System disks and data disks created from the encrypted image copy are automatically encrypted. The encryption keys of the system disks and data disks are identical to the encryption key of the image copy. Encryption keys can be customer master keys (CMKs) that are created by Key Management Service (KMS) or custom keys that you import (BYOKs).

Background information

The only way to obtain encrypted system disks is to create them from encrypted custom images, and the only way to obtain an encrypted custom image is to copy a custom image and encrypt the copy. The following figure shows this procedure. For more information, see Encryption overview.

[Figure: Encryption]

Copy a custom image and encrypt the image copy in the ECS console

This section describes how to copy an existing custom image and encrypt the image copy in the Elastic Compute Service (ECS) console. You can create an encrypted system disk from the encrypted image copy. If no custom image exists, create a custom image. For more information, see Create a custom image from a snapshot and Create a custom image from an instance.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Images.
  3. In the top navigation bar, select a region.
  4. On the Images page, click the Custom Image tab.
  5. Find the custom image that you want to copy and click Copy Image in the Actions column.
    Note If the size of the custom image is larger than 500 GiB, follow on-screen tips to submit a ticket after you click Copy Image.
  6. In the Copy Image dialog box, select Encrypt and then select a key from the drop-down list.

    By default, Alibaba Cloud uses the managed service key named Default Service CMK when you select Encrypt. You can also specify a CMK that you created in KMS (BYOK) as the encryption key of the image copy. We recommend that you use a custom CMK (BYOK) as the encryption key. For information about how to create a custom CMK, see Create a CMK.

    Note The first time that you select Encrypt, click Go to Authorize and select AliyunECSDiskEncryptDefaultRole to allow ECS to access your KMS resources. This step describes how to configure the encryption setting when you copy a custom image. For more information about other configurations, see Copy custom images.
  7. Click OK.
    After the image copy is encrypted, a tag is automatically added to the KMS key used to encrypt the image copy. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can log on to the KMS console and click the key ID to view the tag of the key.

Copy a custom image and encrypt the image copy by calling the CopyImage operation

In the following example, Alibaba Cloud CLI is used to call the CopyImage operation and specify KMSKeyId to copy a custom image and encrypt the image copy. You can create an encrypted system disk from the encrypted image copy.

# Tag parameters are indexed (Tag.1, Tag.2, ...); the CLI does not accept the literal "N".
aliyun ecs CopyImage --RegionId cn-hongkong \
--ImageId m-bp155shrycg3s0****** --DestinationRegionId cn-shenzhen \
--Encrypted true --KMSKeyId e522b26d-abf6-4e0d-b5da-04b7******3c \
--Tag.1.Key EcsDocumentation

Change the encryption state

After a custom image is copied, the encryption state of the system disks created from the image copy is determined by whether a new CMK is selected during the image copy process.
  • If you do not select a CMK when you copy an unencrypted custom image, the system disks created from the image copy are unencrypted. [Figure: Copy an unencrypted custom image to create an unencrypted custom image]
  • If you select a CMK when you copy an unencrypted custom image, the image copy is encrypted. To access instances created from the image copy, you must use this CMK. [Figure: Copy an unencrypted custom image to create an encrypted custom image]
  • If you do not select a CMK when you copy an encrypted image, the image copy is encrypted by using the same encryption key as the original image. To access instances created from the image copy, you must use the encryption key of the original image. [Figure: Copy an encrypted custom image to create an encrypted custom image without changing the encryption key]
  • If you select a new CMK when you copy an encrypted image, the image copy is encrypted by using the new CMK. To access instances created from the image copy, you must use the new CMK. [Figure: Copy an encrypted custom image to create an encrypted custom image and change the encryption key]
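The following shell script is an added example and is not part of the Alibaba Cloud documentation. It wraps the CopyImage call shown above so that an encrypted copy always uses an explicitly chosen KMS CMK (BYOK) instead of silently falling back to the Default Service CMK, and it encodes the four outcomes listed in this section as a function that reports which key a copied image ends up with. The image and key IDs are constructed placeholders, and the key ID format check assumes KMS key IDs are UUIDs like the one in the CLI example.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud documentation).

# Resolve the encryption outcome of an image copy per "Change the encryption state".
# $1: key of the source image ("" if the source is unencrypted)
# $2: CMK selected during the copy ("" if none selected)
# Prints "unencrypted", or the key ID that encrypts the copy and that instances
# created from it will need.
copy_outcome() {
    src_key=$1; new_key=$2
    if [ -n "$new_key" ]; then
        printf '%s\n' "$new_key"      # new CMK selected: the copy uses the new CMK
    elif [ -n "$src_key" ]; then
        printf '%s\n' "$src_key"      # no CMK selected: the copy keeps the source key
    else
        printf 'unencrypted\n'        # unencrypted source and no CMK: copy stays unencrypted
    fi
}

# Build the CLI command for an encrypted copy. Refuses to run without a KMSKeyId
# so the Default Service CMK is never used by accident (the doc recommends BYOK).
# $1: source region  $2: image ID  $3: destination region  $4: KMS key ID
build_copy_image() {
    region=$1; image=$2; dest=$3; key=$4
    case "$image" in
        m-*) ;;
        *) echo "invalid custom image ID: $image" >&2; return 1 ;;
    esac
    # Assumption: KMS key IDs are UUIDs (8-4-4-4-12 hex groups).
    if ! printf '%s' "$key" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "KMSKeyId missing or malformed; refusing to fall back to Default Service CMK" >&2
        return 1
    fi
    printf 'aliyun ecs CopyImage --RegionId %s --ImageId %s --DestinationRegionId %s --Encrypted true --KMSKeyId %s\n' \
        "$region" "$image" "$dest" "$key"
}

# Demonstration with constructed placeholder IDs.
KEY=12345678-abcd-4ef0-9abc-1234567890ab
echo "copy of unencrypted image with CMK selected -> $(copy_outcome "" "$KEY")"
echo "copy of encrypted image, no CMK selected   -> $(copy_outcome "$KEY" "")"
build_copy_image cn-hongkong m-constructed000000001 cn-shenzhen "$KEY"
```

The built command is only printed; pipe it to `sh` (or run it by hand) once the Alibaba Cloud CLI is configured and the RAM role authorization described above is in place.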

What to do next

You can use the image copy to create an instance or replace a system disk: