Use Key Management Service (KMS) to encrypt your Elastic Compute Service (ECS) cloud disks. This helps you meet compliance requirements and protects your data against security threats such as physical theft and unauthorized access. Encryption ensures the confidentiality and integrity of your data.
How encryption and decryption works
Encrypted cloud disks use a two-tiered key system to secure your data:
Data key: Used to encrypt and decrypt the data on a cloud disk.
KMS key: Stored in KMS and used to encrypt and decrypt the data key.
When you create an encrypted cloud disk, a data key, encrypted by a KMS key, is stored with the cloud disk. When the instance starts, ECS requests KMS to decrypt the data key. ECS then loads the decrypted, plaintext data key into memory to encrypt and decrypt data.
Create an encrypted cloud disk
Create an encrypted cloud disk.
Important: Encryption is irreversible. Once encrypted, a cloud disk cannot be converted back to an unencrypted state.
Console
When you create a cloud disk, you can select the Encryption checkbox and then select a key from the KMS key drop-down list. KMS provides two types of keys:
Service key: A key automatically created and managed by a cloud service for ECS. The key alias is alias/acs/ecs. Service keys are easy to use, meet basic encryption needs, and require no key lifecycle management.
Customer master key (CMK): A key you create in or import to KMS, giving you full control. CMKs are suitable for scenarios with high data security requirements where you need to manage the key lifecycle, including key rotation, disabling, and deletion.
When you select a CMK for encryption for the first time, you must follow the on-screen instructions to grant the AliyunECSDiskEncryptDefaultRole role to ECS. This role lets ECS access KMS resources.
API
Encrypt the system disk and data disks when creating an ECS instance.
Call the RunInstances operation to create an ECS instance. Set the Encrypted and KMSKeyId parameters for the system disk or data disks to encrypt them.
Create a standalone encrypted data disk.
Call the CreateDisk operation to create a data disk. Set the Encrypted and KMSKeyId parameters to encrypt the disk.
Next steps.
System disk: Ready to use.
Data disk:
Created with an instance:
Windows: Ready to use.
Linux: You must initialize the disk before use.
Created separately: You must attach the disk to an ECS instance and then initialize the disk before use.
Convert an unencrypted cloud disk to an encrypted one
You cannot directly encrypt an existing unencrypted cloud disk. Instead, you first create an encrypted custom image or an encrypted snapshot, and then obtain an encrypted disk indirectly, either by replacing the operating system of the instance or by creating a new cloud disk from the encrypted source.
System disk
Copy the custom image and select the encryption option to create an encrypted copy.
Choose one of the following methods to create an encrypted system disk:
Replace the operating system of the original ECS instance by using the encrypted image.
Data disk
Apply in production
Do not delete or disable keys unnecessarily
If you delete or disable a key, all encrypted resources that depend on it, such as cloud disks, snapshots, and images, cannot be decrypted. This can cause unrecoverable data loss. Before you proceed, check for any resources associated with the key.
Important: You are responsible for any data loss caused by disabling or deleting a key.
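The dependency check recommended above, as an added example that is not part of the original page: the script walks a constructed sample shaped like an ECS DescribeDisks response (field names Disks.Disk[].DiskId, Type, Encrypted, KMSKeyId and InstanceId are assumed from that API; all IDs are made-up placeholders), lists disks that would become undecryptable if a given key were disabled or deleted, and also flags unencrypted disks.

```python
import json

# Constructed sample in the shape of an ECS DescribeDisks response.
# Field names are assumed from the DescribeDisks API; IDs are placeholders.
KEY_A = "key-id-placeholder-a"
KEY_B = "key-id-placeholder-b"
SAMPLE_DESCRIBE_DISKS = json.loads("""
{"Disks": {"Disk": [
  {"DiskId": "d-sys001",  "Type": "system", "Encrypted": true,  "KMSKeyId": "key-id-placeholder-a", "InstanceId": "i-aaa"},
  {"DiskId": "d-data001", "Type": "data",   "Encrypted": true,  "KMSKeyId": "key-id-placeholder-b", "InstanceId": "i-aaa"},
  {"DiskId": "d-data002", "Type": "data",   "Encrypted": false, "KMSKeyId": "",                     "InstanceId": "i-bbb"},
  {"DiskId": "d-data003", "Type": "data",   "Encrypted": true,  "KMSKeyId": "key-id-placeholder-a", "InstanceId": ""}
]}}
""")


def _disks(resp):
    """Return the list of disk records from a DescribeDisks-style response."""
    return resp.get("Disks", {}).get("Disk", [])


def unencrypted_disks(resp):
    """Disk IDs that are not encrypted at rest (a compliance finding)."""
    return [d["DiskId"] for d in _disks(resp) if not d.get("Encrypted", False)]


def disks_using_key(resp, key_id):
    """Encrypted disks whose data key is wrapped by key_id. These can no
    longer be decrypted if that key is disabled or deleted."""
    return [d for d in _disks(resp)
            if d.get("Encrypted") and d.get("KMSKeyId") == key_id]


def safe_to_disable(resp, key_id):
    """True only when no disk in the response depends on key_id."""
    return not disks_using_key(resp, key_id)


def key_dependency_report(resp, key_id):
    """Human-readable summary to review before disabling or deleting a key."""
    deps = disks_using_key(resp, key_id)
    lines = [f"key {key_id}: {len(deps)} dependent disk(s)"]
    for d in deps:
        attached = d.get("InstanceId") or "not attached"
        lines.append(f"  {d['DiskId']} ({d['Type']}, {attached})")
    return "\n".join(lines)


if __name__ == "__main__":
    print("unencrypted:", unencrypted_disks(SAMPLE_DESCRIBE_DISKS))
    print(key_dependency_report(SAMPLE_DESCRIBE_DISKS, KEY_A))
```

Snapshots and custom images that were created from encrypted disks depend on the same key, so apply the same check to DescribeSnapshots and DescribeImages output before proceeding.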
Restrict RAM users to create only encrypted cloud disks
To meet specific security and compliance requirements and prevent data leaks from unencrypted cloud disks, you can configure a custom policy for your Resource Access Management (RAM) users. This policy can restrict them to creating only encrypted cloud disks to protect data confidentiality.
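One way to express such a custom policy, as an added illustration that is not from the original page: it allows disk creation only when the request carries Encrypted=true, so any request without encryption is implicitly denied. The condition key ecs:Encrypted is an assumption here and should be confirmed against the ECS condition-key reference before the policy is attached.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ecs:CreateDisk", "ecs:RunInstances"],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:Encrypted": "true"
        }
      }
    }
  ]
}
```

Attach it together with the read and management permissions the RAM user otherwise needs; this statement grants creation rights only, and only for encrypted disks.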
Prevent RAM users from managing keys
To prevent accidental deletion or disabling of keys, you can grant RAM users read-only permissions for KMS by attaching the AliyunKMSReadOnlyAccess policy.
Encrypt existing system disks in batches
You can use the OOS public template ACS-ECS-BulkyEncryptSystemDisk to encrypt the system disks of ECS instances by replacing their operating systems.
Billing
Cloud disk fees: Encrypted cloud disks and unencrypted cloud disks are billed based on the same rules. The encryption feature itself does not incur additional charges. For more information, see Block Storage billing.
Key fees: Using keys is free of charge.
Quotas and limitations
Instance types
When you encrypt a system disk or create an encrypted data disk from a snapshot, you cannot attach the disk to the following instance types: ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, and ecs.ebmhfg5.
Cloud disk types
When you encrypt a system disk or create an encrypted data disk from a snapshot, you can only encrypt Enterprise SSD (ESSD) series cloud disks. This includes ESSDs, ESSD Entry disks, ESSD AutoPL disks, and Regional ESSDs.
Regions
Regions where you cannot create encrypted cloud disks: China (Nanjing - Local Region - Closing Down), South Korea (Seoul).
Regions where you cannot use CMKs: China (Fuzhou - Local Region - Closing Down), Thailand (Bangkok).
FAQ
How can I test and verify that my ECS cloud disk is truly encrypted?
You can verify that data is encrypted at rest by temporarily disabling its associated KMS key. If the disk is encrypted, the instance will be unable to decrypt its data, resulting in an I/O hang. This confirms that the encryption is active.
This procedure will make the disk unreadable and cause the instance to fail. We recommend purchasing a test instance for this procedure.
When you purchase a test instance, create a system disk encrypted with a CMK.
Disable the CMK.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Customer Master Keys or Default Keys tab, find the target key and click Disable in the Actions column.
In the Disable Key dialog box, confirm the action and click Confirm.
Important: Before you disable a CMK, check for any associated cloud resources to avoid service disruptions.
Verify the encryption.
After you connect to the ECS instance, run the sudo reboot command to restart the operating system. Because the KMS key associated with the encrypted system disk is disabled, the system cannot decrypt the data. This causes an I/O hang. If you then connect to the ECS instance using VNC, a black screen appears, which proves that the data is encrypted.
Re-enable the CMK and release the test instance.
References
For more information about KMS keys, see Key types that support cloud service encryption.
For more information about how encryption works, see Overview of KMS integration for cloud service encryption.