This topic introduces the basic concepts of disk encryption. Encryption helps you secure the data stored in Alibaba Cloud ECS and meet security compliance requirements. It protects the privacy, autonomy, and security of your business data without requiring you to build or maintain your own key management infrastructure. Both system disks and data disks can be encrypted.

Features

Alibaba Cloud ECS uses the industry-standard AES-256 algorithm to encrypt disks. Encryption and decryption have minimal impact on ECS instance performance.

  • Data in the operating system of the ECS instance is automatically encrypted when you create an ECS instance from an encrypted system disk or image. The data is automatically decrypted when it is read. For more information, see Encrypt a system disk.
  • The following types of data are automatically encrypted when you create an encrypted data disk and attach it to an ECS instance. The data is automatically decrypted when it is read. For more information, see Encrypt a data disk.
    • Static data stored on the disk.
    • Data transmitted between the disk and the instance. Data inside the operating system is not encrypted a second time.
    • All snapshots created from an encrypted disk. These snapshots have the same encryption key as the disk.
    • All disks that are created from encrypted snapshots.

Keys

A customer master key (CMK) contains metadata such as the key ID, creation date, description, rotation plan, and lifecycle status, together with the key material that is used to encrypt and decrypt data. If you use a CMK to encrypt a disk, all data subsequently written to the disk is also encrypted with the same CMK. The CMK is also associated with all snapshots of the disk and with all disks created from those snapshots. The CMK is used only in the memory of the host that runs your ECS instance; it is never stored in plaintext on any storage medium. CMKs are stored in the key management infrastructure provided by Key Management Service (KMS), which gives them strong physical and logical security and protection against unauthorized access. The KMS infrastructure of Alibaba Cloud conforms to the recommendations in NIST SP 800-57 and uses cryptographic algorithms that comply with FIPS Publication 140-2.

You can select the following types of CMKs to encrypt disks.

Service key (the first key in the figure below)
  Description: When you activate KMS and use encryption for the first time within a region, KMS automatically creates a dedicated CMK for the ECS service within that region. The alias of the CMK is acs/ecs. Service keys cannot be deleted or disabled.
  Source: The default service CMK provided by KMS.
  Scenario: Use this CMK when you want efficiency and convenience. For more information, see What is KMS?

Common key (the second key in the figure below)
  Description: Encryption keys created by you. You have full management permissions to create, rotate, and disable these keys, and to define access control over them.
  Source:
    • Source 1: A key created in KMS.
    • Source 2: A key created in KMS from imported key material (BYOK).
  Scenario: Use common keys when you need more operational flexibility and a larger number of keys.

Figure: Difference between key types

Billing

Billing for the encryption features and operations is listed below. Ensure that your account balance is sufficient; otherwise, operations that incur costs may fail.

  • Encrypting system disks and data disks: not billed.
  • Using service keys provided by KMS: not billed.
  • CMKs that you create in KMS, including BYOK: billed.
  • Read and write operations on disks, such as mounting (mount) and unmounting (umount) disks, creating partitions, and formatting file systems: not billed.

Limits

  • You can encrypt data disks, such as basic disks, ultra disks, standard SSDs, and Shared Block Storage devices.
  • You can encrypt system disks, such as ultra disks and standard SSDs.
  • You cannot encrypt enhanced SSDs, local disks, or the disks of ECS Bare Metal Instances.
  • You can encrypt system disks only when you are copying their custom images. You cannot perform the following operations on encrypted system disks:
    • Convert encrypted images to unencrypted images.
    • Copy encrypted images across regions.
    • Share encrypted images.
    • Export encrypted images.
  • You cannot directly convert unencrypted disks to encrypted disks.
  • You cannot directly convert encrypted disks to unencrypted disks.
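The key types and limits above translate directly into an audit that a defender would want to run over an account: which disks are unencrypted, which use the KMS service key versus a customer-created CMK (the billed case), and, for each unencrypted disk, whether its category can be encrypted at all and that in-place conversion is not an option. The following Python is an added example, not code from the Alibaba Cloud documentation or from any Alibaba SDK. It assumes the field names DiskId, Type, Category, Encrypted and KMSKeyId from DescribeDisks-style records, assumes the category codes cloud, cloud_efficiency, cloud_ssd, cloud_essd and ephemeral_ssd for basic disk, ultra disk, standard SSD, enhanced SSD and local disk, and uses a constructed key-ID-to-alias map and constructed disk records; only the service-key alias acs/ecs comes from the page.

```python
"""Added example: audit ECS disk encryption posture from DescribeDisks-style records.

Assumptions (not from the page): the record field names, the category codes,
the KEY_ALIASES map (standing in for a KMS alias lookup) and all sample data
below are constructed for this example.
"""
from collections import Counter
from typing import Dict, List

SERVICE_KEY_ALIAS = "acs/ecs"  # alias of the KMS service key named on the page

# Categories the page lists as encryptable, per disk role (assumed category codes).
ENCRYPTABLE = {
    "data": {"cloud", "cloud_efficiency", "cloud_ssd"},   # basic, ultra, standard SSD
    "system": {"cloud_efficiency", "cloud_ssd"},          # ultra, standard SSD
}
NEVER_ENCRYPTABLE = {"cloud_essd", "ephemeral_ssd"}        # enhanced SSD, local disk

# Constructed: KMS key ID -> alias, as an alias lookup would return it.
KEY_ALIASES: Dict[str, str] = {
    "key-service-0001": SERVICE_KEY_ALIAS,
    "key-custom-0002": "alias/payments-cmk",
}

# Constructed sample disk records.
SAMPLE_DISKS: List[Dict] = [
    {"DiskId": "d-sys-01", "Type": "system", "Category": "cloud_ssd",
     "Encrypted": True, "KMSKeyId": "key-service-0001"},
    {"DiskId": "d-data-02", "Type": "data", "Category": "cloud_efficiency",
     "Encrypted": True, "KMSKeyId": "key-custom-0002"},
    {"DiskId": "d-data-03", "Type": "data", "Category": "cloud_ssd",
     "Encrypted": False, "KMSKeyId": ""},
    {"DiskId": "d-data-04", "Type": "data", "Category": "cloud_essd",
     "Encrypted": False, "KMSKeyId": ""},
    {"DiskId": "d-sys-05", "Type": "system", "Category": "cloud",
     "Encrypted": False, "KMSKeyId": ""},
]


def key_class(disk: Dict) -> str:
    """Classify one disk as 'unencrypted', 'service-key' or 'customer-cmk'."""
    if not disk.get("Encrypted"):
        return "unencrypted"
    alias = KEY_ALIASES.get(disk.get("KMSKeyId", ""), "")
    return "service-key" if alias == SERVICE_KEY_ALIAS else "customer-cmk"


def findings(disk: Dict) -> List[str]:
    """Return audit findings for one disk, phrased for the person fixing it."""
    cls = key_class(disk)
    role, cat = disk["Type"], disk["Category"]
    if cls == "customer-cmk":
        # Billed case from the Billing section; worth surfacing for cost review.
        return ["customer CMK in use: KMS key usage is billed, unlike the service key"]
    if cls == "service-key":
        return []
    # Unencrypted: say whether encryption is possible for this category and role.
    if cat in NEVER_ENCRYPTABLE or cat not in ENCRYPTABLE.get(role, set()):
        return [f"category {cat} does not support encryption for a {role} disk"]
    # Page limit: no direct conversion of an unencrypted disk to an encrypted one.
    return ["unencrypted: in-place conversion is not supported; recreate as an encrypted disk"]


def summarize(disks: List[Dict]) -> Dict[str, int]:
    """Count disks per key class, e.g. for a dashboard or a compliance ticket."""
    return dict(Counter(key_class(d) for d in disks))


if __name__ == "__main__":
    for d in SAMPLE_DISKS:
        print(f"{d['DiskId']:10} {d['Type']:6} {d['Category']:16} {key_class(d):13}",
              "; ".join(findings(d)) or "ok")
    print("summary:", summarize(SAMPLE_DISKS))
```

Running the block prints one line per constructed disk with its class and findings, then the per-class summary. With real data, replace SAMPLE_DISKS with the Disks list from a DescribeDisks call and KEY_ALIASES with the output of a KMS alias listing; the classification logic does not change.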