This topic describes how to configure disk encryption for an ApsaraDB for ClickHouse cluster that uses enhanced SSDs (ESSDs) or ultra disks. The disk encryption feature encrypts the data on the disks of your ApsaraDB for ClickHouse cluster based on block storage. This way, the backup data cannot be decrypted even if it is leaked. This ensures data security.


After an encrypted disk is created and attached to an Elastic Compute Service (ECS) instance, the system encrypts the following data:
  • The static data that is stored on the disk.
  • The data that is transmitted between the disk and the ECS instance. Data on the system disk is not encrypted.
  • All snapshots that are created on the encrypted disk. These snapshots are classified as encrypted snapshots.


  • You can enable disk encryption only when you create an ApsaraDB for ClickHouse cluster.
  • Disk encryption cannot be disabled after it is enabled.
  • After you enable disk encryption for a cluster, the snapshots created for the cluster are automatically encrypted. If you create clusters that use disks based on encrypted snapshots, disk encryption is also enabled for these clusters.
  • Disk encryption does not interrupt your business, and you do not need to modify your application.
  • When you use disk encryption, performance is not degraded.


The disk encryption feature of ApsaraDB for ClickHouse is free of charge. You are not charged for read and write operations on your encrypted disks.

For information about the charges for Key Management Service (KMS), see Billing. This includes the charges for key hosting and API operation calls.

Enable disk encryption

When you create a cluster, perform the following steps to enable disk encryption. For information about how to create a cluster, see Create a cluster.
  1. Set Storage Type to Enhanced SSD or Ultra Cloud Disk.
  2. Set Encryption Type to Disk Encryption.
  3. Select a key that is used to encrypt disks. If no key is available, you must activate KMS and create a key.
    • When you use the disk encryption feature of ApsaraDB for ClickHouse, only a manually created key can be used. When you create a key in the KMS console, you must set Rotation Period to Disable. For more information about how to create a key, see Create a CMK.

    • If you authorize the user that you are using to access KMS, ActionTrail records your operations. For more information, see Use ActionTrail to query KMS event logs.
  4. Click Buy Now to create the cluster for which disk encryption is enabled.

View a key

  1. Log on to the ApsaraDB for ClickHouse console.
  2. On the Clusters page, find the cluster that you want to view and click the cluster ID.
  3. On the Cluster Information page, view the key information in the Cluster Properties section. View a key