In most scenarios, the production data that your ECS instance workloads process contains business secrets, personal information, or critical credentials. Therefore, you must protect these workloads against information leakage. KMS supports one-click encryption for ECS instance workloads to protect the transient and persistent data generated in a computing environment. This meets your requirements for data confidentiality, privacy, and compliance, and helps you build a secure cloud computing environment at low cost.

Background information

Customers have data security requirements on business secrets and personal privacy. These types of data are essential to enterprises and are subject to regulatory compliance. For example, General Data Protection Regulation (GDPR) requires enterprises to protect personal privacy data. The data is stored in databases. Before you store the data of an application system in databases, you must encrypt the data to reduce the risk of data breach caused by attacks such as credential stuffing.

To ensure the security and compliance of encryption, you can use KMS or Data Encryption Service to encrypt business data of an application system. For more information about how to encrypt your business data at the application layer, see Use envelope encryption to encrypt and decrypt local data.

If you have encrypted your business data, the workloads used to encrypt and decrypt data are a weak link in your system. Take note of the following points, which may cause security risks:

  • Your applications deployed in an ECS instance contain the key credentials that are used to access KMS, HSMs, microservices, or subsystems.
  • The system disks of your ECS instances may generate some temporary files, including sensitive data involved in network transmission and local data processing.
  • Disk backup based on automatic snapshots is enabled for the disks of your ECS instances, so the snapshots also store a large volume of sensitive data.
Note When you deploy business systems, you may encounter additional issues. For example, with the application deployment and lifecycle change mechanisms in DevOps mode, O&M and security engineers are unaware of whether new sensitive data types are generated for workloads. They cannot determine whether to introduce new business logic to process sensitive data.

Benefits

Alibaba Cloud ECS instances use KMS to protect the resources that workloads involve. The resources include system disks and data disks of ECS instances and relevant images and snapshots.

You can authorize ECS instances to use CMKs in KMS to encrypt the resources with one click. This protects known, potential, transient, and persistent sensitive data against unauthorized download. In case of emergencies, you can disable KMS-based decryption on an ECS instance by revoking authorization or disabling CMKs.

Note For O&M and security engineers, it is a simple and efficient security solution to encrypt resources that ECS instance workloads involve in DevOps mode.

Encrypt a system disk

A system disk contains the operating system and application software required for business operations. It is always packaged as an image.

After you create a custom image that can run in a production environment and use the custom image as a baseline, you can copy and encrypt the image. This way, an encrypted system disk is created.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Images.
  3. In the top navigation bar, select a region.
  4. On the Images page, click the Custom Images tab.
  5. Find your image and click Copy Image in the Actions column.
    Note If the size of your custom image is greater than 500 GiB, you are prompted to submit a ticket to complete the operation when you click Copy Image.
  6. In the Copy Image dialog box, select Encrypt and then select a key from the drop-down list.
    Alibaba Cloud uses the service managed key (Default Service CMK) by default. You can also specify the BYOK-based CMK that you created in KMS for encryption. We recommend that you use a BYOK-based CMK for encryption.
    Note If this is the first time that you select a different custom encryption key, click Confirm Authorization and select AliyunECSDiskEncryptDefaultRole to allow ECS to access your KMS resources. This procedure describes only how to configure the encryption setting when you copy a custom image. For more information about other configurations, see Copy custom images.
    [Figure: Copy Image dialog box in the ECS console]
  7. Click OK.

Encrypt a data disk

You can encrypt a data disk when you create an instance or create the disk.

Encrypt a data disk when you create an instance

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the upper-right corner of the Instances page, click Create Instance.
  4. In the Storage section of the Basic Configurations step, perform the following operations:
    Note This procedure describes only how to configure the encryption setting when you create an instance. For more information about other configurations, see Create an instance by using the provided wizard.
    1. Click Add Disk.
    2. Specify the disk category and capacity of the data disk.
    3. Select Disk Encryption and then select a key from the drop-down list.
      Alibaba Cloud uses the service managed key (Default Service CMK) by default. You can also specify the BYOK-based CMK that you created in KMS for encryption. We recommend that you use a BYOK-based CMK for encryption.
      Note If this is the first time that you select a different custom encryption key, click Confirm Authorization and select AliyunECSDiskEncryptDefaultRole to allow ECS to access your KMS resources.
      [Figure: Encrypt a data disk when you create an instance]

Encrypt a data disk when you create the disk

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Storage & Snapshots > Disks.
  3. In the upper-right corner of the Disks page, click Create Disk.
  4. Specify the disk category and capacity.
    Note This procedure describes only how to configure the encryption setting when you create a disk. For more information about other configurations, see Create a pay-as-you-go disk.
  5. On the Disk page, in the Disk section, select Disk Encryption and then select a key from the drop-down list.
    Alibaba Cloud uses the service managed key (Default Service CMK) by default. You can also specify the BYOK-based CMK that you created in KMS for encryption. We recommend that you use a BYOK-based CMK for encryption.
    Note If this is the first time that you select a different custom encryption key, click Confirm Authorization and select AliyunECSDiskEncryptDefaultRole to allow ECS to access your KMS resources.
    [Figure: Create a pay-as-you-go data disk]
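After the image and disk procedures above are applied, the check a practitioner wants is whether every disk actually ended up encrypted, and with a BYOK-based CMK rather than the default service CMK. The following Python script is an added example, not part of this page and not Alibaba Cloud's own tooling. It audits a list of disk records against an approved set of BYOK CMK IDs. The record field names (DiskId, Type, Encrypted, KMSKeyId) are assumed to match the shape of a DescribeDisks response and should be verified against the ECS API reference; the disk and key IDs are constructed placeholders. It also lists which disks depend on a given CMK, which is the set of disks that would stop decrypting if you disable that CMK in an emergency as described under Benefits.

```python
"""Audit ECS disk records for the encryption posture this page recommends.

Added example, not Alibaba Cloud's own code. The record fields
(DiskId, Type, Encrypted, KMSKeyId) are assumed to follow a DescribeDisks
response; verify them against the ECS API reference before running this
against real output.
"""
from collections import defaultdict

# Finding labels, from most to least severe.
UNENCRYPTED = "UNENCRYPTED"        # no encryption at all
UNAPPROVED_KEY = "UNAPPROVED_KEY"  # encrypted, but not with an approved BYOK CMK
OK = "OK"                          # encrypted with an approved BYOK CMK

# Constructed sample records with placeholder IDs (not real resources).
SAMPLE_DISKS = [
    {"DiskId": "d-sys-placeholder-1", "Type": "system", "Encrypted": False, "KMSKeyId": ""},
    {"DiskId": "d-data-placeholder-2", "Type": "data", "Encrypted": True, "KMSKeyId": ""},
    {"DiskId": "d-data-placeholder-3", "Type": "data", "Encrypted": True,
     "KMSKeyId": "key-byok-placeholder-a"},
    {"DiskId": "d-data-placeholder-4", "Type": "data", "Encrypted": True,
     "KMSKeyId": "key-byok-placeholder-b"},
]
# The BYOK CMKs you created in KMS and allow for disk encryption (placeholders).
APPROVED_BYOK_KEYS = {"key-byok-placeholder-a", "key-byok-placeholder-b"}


def classify_disk(disk, approved_keys):
    """Return one finding label for a single disk record.

    An encrypted disk whose KMSKeyId is empty or not in approved_keys is
    treated as using the default service CMK or an unvetted key; the page
    recommends a BYOK-based CMK instead.
    """
    if not disk.get("Encrypted", False):
        return UNENCRYPTED
    key_id = disk.get("KMSKeyId") or ""
    if key_id not in approved_keys:
        return UNAPPROVED_KEY
    return OK


def audit_disks(disks, approved_keys):
    """Group disk IDs by finding. System disks are listed first within each
    group because the page treats the system disk image as the baseline."""
    findings = defaultdict(list)
    # sorted() is stable, and False < True, so system disks come first.
    for disk in sorted(disks, key=lambda d: d.get("Type") != "system"):
        findings[classify_disk(disk, approved_keys)].append(disk["DiskId"])
    return dict(findings)


def disks_depending_on_key(disks, key_id):
    """Blast radius of disabling one CMK: every disk encrypted with it
    would stop decrypting once the key is disabled."""
    return [d["DiskId"] for d in disks
            if d.get("Encrypted") and d.get("KMSKeyId") == key_id]


if __name__ == "__main__":
    for label, ids in audit_disks(SAMPLE_DISKS, APPROVED_BYOK_KEYS).items():
        print(f"{label}: {', '.join(ids)}")
    print("disabling key-byok-placeholder-a would affect:",
          disks_depending_on_key(SAMPLE_DISKS, "key-byok-placeholder-a"))
```

In practice you would feed the script the disk list returned by DescribeDisks for each region and run it on a schedule, so that a data disk added later in DevOps mode without Disk Encryption, or with the default service CMK instead of your BYOK CMK, shows up as a finding rather than going unnoticed.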