This topic introduces the basic concepts of encryption. Encryption can help you secure your data stored in Alibaba Cloud ECS and comply with security standards. You can protect the privacy, autonomy, and security of data without the need to build or maintain key management infrastructure. Both system disks and data disks can be encrypted.

Features

Alibaba Cloud ECS uses the industry-standard AES-256 algorithm to encrypt disks. Two types of keys are supported: service keys and customer-created keys. You can supply your own key material for customer-created keys by using the Bring Your Own Key (BYOK) feature. Encryption and decryption have minimal impact on ECS instance performance.

  • Data in the operating system of an ECS instance is automatically encrypted when you create the ECS instance by using an encrypted system disk or image. The data is automatically decrypted when it is read. For more information about the procedure, see Encrypt a system disk.
  • The following types of data are automatically encrypted when you create an encrypted data disk and attach it to an ECS instance. The data is automatically decrypted when it is read. For more information about the procedure, see Encrypt a data disk.
    • Static data stored on the encrypted disk.
    • Data transmitted between the encrypted disk and the instance. Data in the operating system is not encrypted again.
    • Data transmitted from the instance to a backend storage cluster.
    • All snapshots created from the encrypted disk. These snapshots have the same encryption key as the disk.
    • All disks created from the encrypted snapshots.

Keys

By default, the disk encryption feature of ECS uses a service key to encrypt your data. This feature also supports user-managed keys. Each disk is provided with a customer master key (CMK) and a data key (DK) by Key Management Service (KMS) and uses the envelope encryption mechanism to encrypt your data. In the envelope encryption mechanism, CMKs are protected by the key management infrastructure of KMS, which provides strong logical and physical security protection for CMKs. An Alibaba Cloud service must be authorized to use a CMK before it can generate a DK to encrypt business data or decrypt the ciphertext of a DK to decrypt business data. The plaintext of the DK never leaves the memory of the host where your ECS instance resides, and the DK is never stored in plaintext on any persistent storage medium.
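The envelope-encryption flow described above, as an added illustration that is not Alibaba Cloud or KMS code: a locally generated 32-byte key stands in for the KMS-held CMK (which in the real service never leaves the key management infrastructure), a fresh AES-256 data key is generated per disk, the data is encrypted under the DK, and only the DK wrapped under the CMK is kept next to the ciphertext. The use of AES-GCM as the mode and the `Envelope` type are assumptions for this example; the page only states that AES-256 is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope models what would be persisted with a disk or snapshot: the data
// key wrapped under the CMK plus the data ciphertext. The plaintext DK is
// deliberately never stored. (Illustrative type, not the KMS API.)
type Envelope struct {
	WrappedDK  []byte // DK encrypted under the CMK, GCM nonce prepended
	Ciphertext []byte // data encrypted under the DK, GCM nonce prepended
}

// sealAESGCM encrypts plaintext under key with AES-GCM and a random nonce.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; a wrong key or tampered blob fails
// authentication and returns an error instead of garbage plaintext.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EnvelopeEncrypt generates a per-disk AES-256 DK, wraps it under the CMK,
// and encrypts the data under the DK. The plaintext DK lives only in memory
// inside this function, mirroring the "never persisted in plaintext" rule.
func EnvelopeEncrypt(cmk, plaintext []byte) (*Envelope, error) {
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return nil, err
	}
	wrapped, err := sealAESGCM(cmk, dk)
	if err != nil {
		return nil, err
	}
	ct, err := sealAESGCM(dk, plaintext)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDK: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt is the read path: the CMK unwraps the DK, the DK decrypts
// the data. Without access to the CMK the stored envelope is unusable.
func EnvelopeDecrypt(cmk []byte, env *Envelope) ([]byte, error) {
	dk, err := openAESGCM(cmk, env.WrappedDK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openAESGCM(dk, env.Ciphertext)
}

func main() {
	cmk := make([]byte, 32) // stand-in for a KMS CMK (constructed locally)
	if _, err := rand.Read(cmk); err != nil {
		panic(err)
	}
	env, err := EnvelopeEncrypt(cmk, []byte("constructed disk block contents"))
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(cmk, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped DK %d bytes, recovered %q\n", len(env.WrappedDK), pt)
}
```

Because the DK is wrapped rather than derived, a snapshot copied from the disk can carry the same envelope and remain readable with the same CMK, which matches the page's statement that snapshots share the disk's encryption key; revoking or disabling the CMK makes every such envelope undecryptable at once.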

The following table describes the types of CMKs that you can use to encrypt disks.

| Type | Description | Source | Scenario |
| --- | --- | --- | --- |
| Service key (the first key in the following figure) | The dedicated CMK that is automatically created by KMS for ECS in a region when you activate KMS and use encryption for the first time within the region. The alias of the CMK is acs/ecs. Service keys cannot be deleted or disabled. | The default service CMK provided by KMS. | You can use service keys to make procedures more efficient and convenient. For more information, see What is KMS? |
| Customer-created key (the second key in the following figure) | The encryption keys that you create. You have full permissions to create, rotate, and disable these keys, and to define access control over them. | Source 1: The key that is created in KMS. Source 2: The key that is created in KMS from key materials imported by using the BYOK feature. | You can use customer-created keys to make operations more flexible and increase the number of keys. |

[Figure: Difference between a service key and a customer-created key]

Billing

The following table describes the billing information of encryption features and operations. Make sure that your account balance is sufficient. Otherwise, operations that incur costs may fail.

| Operation | Billed |
| --- | --- |
| Encrypt system disks and data disks | No |
| Use service keys that are provided by KMS | No |
| Create CMKs in KMS or from key materials imported by using the BYOK feature | Yes |
| Perform read and write operations on disks, such as mounting (mount) and unmounting (umount) partitions, creating partitions, and formatting file systems | No |

Limits

  • You can encrypt data disks of the following categories: enhanced SSDs (ESSDs), standard SSDs, ultra disks, and basic disks.
  • You can encrypt system disks of the following categories: ESSDs, standard SSDs, and ultra disks.
  • You cannot encrypt local disks.
  • You can encrypt system disks only when you are copying their custom images. You cannot perform the following operations on encrypted system disks:
    • Convert encrypted images to unencrypted images.
    • Copy encrypted images across regions.
    • Share encrypted images.
    • Export encrypted images.
  • You cannot directly convert unencrypted disks to encrypted disks.
  • You cannot directly convert encrypted disks to unencrypted disks.