All Products
Search
Document Center

Elastic Compute Service:Overview

Last Updated:Nov 23, 2023

When you add system or data disks during Elastic Compute Service (ECS) instance creation or create independent data disks, you can select the Encryption option to encrypt the disks. After the ECS instances are created, data in the instance operating systems is automatically encrypted on the hosts (ECS instance hosts) on which the added disks reside. Disk encryption allows you to protect the privacy, autonomy, and security of data without the need to establish or maintain key management infrastructure.

Note

Local disks cannot be encrypted.

Introduction

Disks are encrypted by using the industry-standard AES-256 encryption algorithm and Key Management Service (KMS). After you enable the disk encryption feature, data is automatically encrypted when the data is transmitted from ECS instance to disks and is automatically decrypted when the data is read from disks. The encryption and decryption take place on the hosts on which the ECS instances reside and have minimal impacts on ECS instance performance. The performance of disks for which disk encryption is disabled is higher than that of disks for which disk encryption is enabled. How much performance degrades varies based on the upper-layer applications on disks for which disk encryption is enabled.

The following disks can be encrypted:

  • System disks

    After you create ECS instances with encrypted system disks, data in the operating systems of the instances is automatically encrypted. The data is automatically decrypted when it is read.

    The following categories of disks can be encrypted when they are used as system disks:

    • Disks that can be encrypted during ECS instance creation: enhanced SSDs (ESSDs)

    • Disks that can be encrypted when custom images are copied: ESSD AutoPL disks, ESSDs, standard SSDs, ultra disks, and basic disks

  • Data disks

    The following types of data are automatically encrypted when you create an encrypted disk and attach the disk as a data disk to an ECS instance. The data is automatically decrypted when it is read.

    • Data at rest that is stored on the encrypted disk.

    • Data transmitted between the encrypted disk and the ECS instance, excluding data in the instance operating system.

    • Data transmitted from the ECS instance to a backend storage cluster.

    • All snapshots created from the encrypted disk. These snapshots have the same encryption key as the disk.

    • All disks created from the encrypted snapshots.

    The following categories of disks can be encrypted when they are used as data disks:

    • Independent disks: ESSD AutoPL disks, ESSDs, standard SSDs, ultra disks, and basic disks

    • Disks created from snapshots: ESSDs

Encryption keys

By default, the disk encryption feature uses service keys to encrypt your data. You can also create a custom key to encrypt your data. To encrypt data stored on each disk, you must use a customer master key (CMK), a data key (DK), and the envelope encryption mechanism. In the envelope encryption mechanism, CMKs are placed under strong logical and physical security protection by the key management infrastructure provided by KMS. An Alibaba Cloud service must be authorized to use a CMK to generate a DK to encrypt business data or decrypt the ciphertext of the DK to decrypt business data. The plaintext of the DK is only used in the memory of the host where your ECS instance resides. The DK is not stored in plaintext in any persistent storage medium.

The following table describes the types of keys that you can use to encrypt disks.

Type

Description

Sources

Scenario

Service key, key ① shown in the following figure

The dedicated CMK that is created by KMS for ECS in a region when you activate KMS and use disk encryption for the first time in the region. The alias name of service keys is acs/ecs. Service keys cannot be deleted or disabled.

The default service key provided by KMS.

You can use service keys to encrypt disks in a convenient and efficient manner. For more information, see Overview of KMS.

Custom key, key ② shown in the following figure

The encryption keys that you create. You have full permissions to create, rotate, and disable these keys, and define access control over these keys.

  • Source 1: keys that you create in KMS.

  • Source 2: keys that you create in KMS from the key materials that you import by using the Bring Your Own Key (BYOK) feature, known as BYOK keys

You can use custom keys to encrypt disks in a flexible manner and increase the number of keys. For more information, see Overview of KMS.

密钥类型区别

Billing

The following table describes the billing information of features and operations related to encryption. Make sure that your account balance is sufficient. Otherwise, operations that incur costs may fail.

Operation

Billable

Encrypt system disks and data disks.

No.

Use service keys that are provided by KMS.

No.

Create CMKs (including BYOK keys) in KMS.

Yes. For more information, see Billing of KMS.

Perform read and write operations on disks, such as mounting (mount) and unmounting (umount) partitions, creating partitions, and formatting file systems.

No.

Disk management operations include:

Note

If you perform operations on a disk in the ECS console or by calling API operations in a region, the operations consume the KMS API quota within the region.

Yes. For more information, see Billing of KMS.

Use Dedicated KMS

Yes. For more information, see Billing of Dedicated KMS.