ApsaraDB for HBase provides the disk encryption feature free of charge. This feature encrypts the data on each data disk of your instance based on block storage. This way, your data cannot be decrypted even if the data backups are leaked. This secures your data.

Feature description

Encrypted disks are suitable for scenarios that require data security or regulatory compliance. The disk encryption feature encrypts and protects the data that is stored on the disks of your ApsaraDB for HBase instances. You do not need to build or maintain your key management infrastructure to ensure the privacy, autonomy, and security of your data.

When you create an ApsaraDB for HBase performance-enhanced Edition instance, you can select CloudDisk for the Encryption Type field to enable disk encryption. If disk encryption is enabled, the system encrypts the following types of data in the instance:

  • The static data that is stored on the disks of the instance.
  • The data that is transmitted between the disks and the instance.
  • All the snapshots of the encrypted disks. These snapshots are classified as encrypted snapshots.


ApsaraDB for HBase uses the keys provided by Key Management Service (KMS) to encrypt disks.

Note ApsaraDB for HBase does not charge you for disk encryption. However, you are charged for KMS key management and KMS API calls. For more information about the pricing of KMS, see Billing.


  • Disk encryption does not affect your business workloads. You do not need to modify the code of your applications.
  • Disk encryption does not compromise the performance of your ApsaraDB for HBase instance.


  • You can enable the disk encryption feature for an ApsaraDB for HBase instance only when you purchase the instance. After the instance is created, you cannot enable disk encryption.
  • Disk encryption cannot be disabled after it is enabled.
  • After you enable disk encryption for an instance, disk encryption is also enabled for the snapshots that are generated by the instance and the instances that use the disks that are created from these snapshots.
  • Only instances of ApsaraDB for HBase Performance-enhanced Edition supports the disk encryption feature.

Enable disk encryption

  1. Log on to the ApsaraDB for HBase console.
  2. On the Clusters page, click Create HBase Cluster.
  3. Configure the parameters to enable the disk encryption feature.
    Create an instance and enable the disk encryption feature
    Parameter Description
    Service Select HBaseUE(Lindorm).
    Core Node Disk Type Select Standard SSD or Ultra Disk based on your business requirements.
    Encryption Type Select CloudDisk.
    Service-linked Role To use the disk encryption feature for an instance, you must assign the service-linked role to ApsaraDB for HBase. If Created is displayed, the service-linked role is assigned to ApsaraDB for HBase. Otherwise click Create Service-linked Role to create the role.

    For more information about the service-linked role, see AliyunServiceRoleForHBaseEncryption.

    Encryption Key Select a key. If you do not have a KMS key in the current region, you can create a key in the KMS console.
    • The disk encryption feature of ApsaraDB for HBase supports only the keys that are manually created. When you create a key in the KMS console, you must set Rotation Period to Disable. For more information about how to create a key, see Create a CMK.
    • When you authorize ApsaraDB for HBase to access KMS, ActionTrail records this action. For more information, see Use ActionTrail to query KMS event logs.
    Note For more information about the parameters on the ApsaraDB for HBase buy page, see Purchase a cluster.
  4. Click Buy Now to create an ApsaraDB for HBase instance that uses encrypted disks.
  5. After the instance is created, on the Basic Information page of the instance, you can view the encryption type and the encryption key in the Core Node Information section.