Container Service for Kubernetes:Encrypt disk volumes

Last Updated:Mar 25, 2025

After you enable the disk encryption feature, the system automatically encrypts data transmitted to a disk and decrypts the data when it is read. Disk encryption is suitable for scenarios that require high security or have compliance requirements. You can protect the privacy and autonomy of your data without the need to create and maintain a key management infrastructure. This topic describes how to use the keys that are hosted in Key Management Service (KMS) to encrypt data stored in disk volumes.

Feature description

How disk volume encryption works

Alibaba Cloud disks are encrypted by using the industry-standard AES-256 encryption algorithm and KMS. KMS uses a double-key design together with the envelope encryption mechanism. The double-key design uses customer master keys (CMKs) and data keys (DKs) that are generated under the CMKs for encryption and decryption: a CMK protects DKs, and a DK protects business data. KMS performs the following steps to implement envelope encryption:

  1. Encrypt a DK.

    A CMK is used to encrypt the DK before the DK can be used. Because the DK is stored only in encrypted form, it can be securely stored together with the encrypted business data. This way, the DK cannot be decrypted even if unauthorized users access the storage medium, because the users do not have the CMK.

  2. Store and read encrypted data.

    When encrypted data is read, a KMS request is sent to decrypt the DK. After KMS verifies the request, KMS returns a plaintext DK. The process is executed in memory, and the DK is not stored on a storage medium. The plaintext DK in the hypervisor memory is used to decrypt the data during disk I/O operations.

Note

During the envelope encryption process, the plaintext CMK is not stored or used outside the hardware security module managed by KMS. The plaintext DK is used only in the memory of the host on which a service instance resides, but is never stored on a storage medium.

For more information, see Encryption process.
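The two-step envelope process described above, as an added worked example in Go that is not part of this page or of KMS itself: AES-256-GCM stands in both for the CMK wrapping the DK (the GenerateDataKey and Decrypt calls that KMS performs) and for the DK encrypting business data. The CMK here is a local 32-byte key only so that the example runs offline; in the real flow the plaintext CMK never leaves the KMS hardware security module. Function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must turns the unrecoverable setup errors (bad key length, failed CSPRNG) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext; it wraps the DK and encrypts data.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered blob yields an error, never plaintext.
func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}

// EnvelopeEncrypt: a fresh 256-bit DK encrypts the data and the CMK wraps the DK
// (the GenerateDataKey step). Both outputs may be stored; the plaintext DK may not.
func EnvelopeEncrypt(cmk, data []byte) (wrappedDK, ciphertext []byte) {
	dk := make([]byte, 32)
	must(rand.Read(dk))
	return seal(cmk, dk), seal(dk, data)
}

// EnvelopeDecrypt unwraps the DK under the CMK in memory (the Decrypt step), then decrypts the data.
func EnvelopeDecrypt(cmk, wrappedDK, ciphertext []byte) ([]byte, error) {
	dk, err := open(cmk, wrappedDK)
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext)
}
```

Without the right CMK the unwrap fails and the stored ciphertext stays opaque, which is the property that lets the wrapped DK sit next to the data it protects.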

Data types that can be encrypted

The following types of data are encrypted when you create an encrypted disk and attach it to an Elastic Compute Service (ECS) instance. The data is decrypted when it is read.

  • Static data stored on the encrypted disk.

  • Data transmitted between the encrypted disk and the ECS instance, except data in the instance operating system.

  • Data transmitted from the ECS instance to a backend storage cluster.

  • All snapshots created from the encrypted disk. These snapshots have the same encryption key as the disk.

  • All disks created from the encrypted snapshots.

Prerequisites

  • The Container Storage Interface (CSI) plug-in is installed in the cluster.

    Note
    • In the left-side navigation pane of the cluster management page, choose Operations > Add-ons. On the Storage tab, you can check whether csi-plugin and csi-provisioner are installed. For more information about how to update CSI plug-ins to use specific capabilities, see Update csi-plugin and csi-provisioner.

    • If your cluster uses FlexVolume, you must migrate the cluster to the CSI plug-in because FlexVolume is no longer available. For more information, see Upgrade from FlexVolume to CSI.

  • KMS is activated.

Usage notes

  • You can encrypt Enterprise SSDs (ESSDs), ESSD AutoPL disks, ESSD Entry disks, standard SSDs, ultra disks, and basic disks.

  • You cannot encrypt local disks.

  • You cannot directly convert unencrypted disks into encrypted disks or directly convert encrypted disks into unencrypted disks.

Authorize ECS to access KMS

When you use KMS to encrypt disks, you must first authorize ECS to access KMS.

  1. Create a Resource Access Management (RAM) role that ECS assumes to access KMS. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

    Note

    If the AliyunECSDiskEncryptDefaultRole role already exists, you can skip this step.

    Take note of the following parameters:

    • Set Principal Type to Cloud Service.

    • Set Principal Name to Elastic Compute Service.

    • Set Role Name to AliyunECSDiskEncryptDefaultRole.

  2. Grant permissions to the AliyunECSDiskEncryptDefaultRole role. For more information, see Grant permissions to a RAM role.

    Take note of the following parameters:

    • Set Resource Scope to Account.

    • Select the AliyunKMSFullAccess system policy or the AliyunECSDiskEncryptCustomizedPolicy custom policy in the Policy section.

      Important

      The AliyunKMSFullAccess system policy provides full permissions. If you require finer-grained access control, refer to Create custom policies.

      The AliyunECSDiskEncryptCustomizedPolicy policy provides the following permissions:

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "kms:DescribeKey",
                      "kms:GenerateDataKey",
                      "kms:Decrypt",
                      "kms:TagResource"
                  ],
                  "Resource": "*"
              }
          ]
      }

    After you set the parameters, click Grant permissions.

Encrypt disk volumes

You can enable disk encryption only when you create a disk. When you mount or unmount a disk, no encryption-related operations are involved.

  1. Create a StorageClass that enables disk encryption.

    1. Modify the following YAML template based on your business requirements and copy the modified template to a file named sc-kms.yaml:

      apiVersion: storage.k8s.io/v1
      kind: StorageClass
      metadata:
        name: csi-disk-encrypted
      provisioner: diskplugin.csi.alibabacloud.com
      parameters:
        fsType: ext4
        type: cloud_essd
        encrypted: "true"
        kmsKeyId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      reclaimPolicy: Delete

      Take note of the following parameters in the parameters section:

      • encrypted: specifies whether to enable disk encryption for disks created by using the StorageClass. If you want to use the StorageClass to create encrypted disks, set the value to true.

      • kmsKeyId: specifies the KMS key that is used to encrypt the disks created by using the StorageClass. If you do not set this parameter, the default CMK is used. If you set encrypted to false, this parameter does not take effect.

    2. Create a StorageClass.

      kubectl create -f sc-kms.yaml
  2. Create a persistent volume claim (PVC).

    1. Create a file named sc-pvc.yaml and copy the following content to the file:

      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: disk-pvc
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 20Gi
        storageClassName: csi-disk-encrypted
    2. Create a PVC.

      kubectl create -f sc-pvc.yaml
    3. Check the PVC.

      kubectl get pvc

      The following output shows that the PVC is created and bound to a persistent volume (PV) that is automatically created by the system. You can view the disk ID in the VOLUME column.

      NAME       STATUS    VOLUME                   CAPACITY   ACCESS MODES   STORAGECLASS         VOLUMEATTRIBUTESCLASS   AGE
      disk-pvc   Bound     d-2ze0nmbv2var0d9h****   20Gi       RWO            csi-disk-encrypted   <unset>                 6m20s
  3. Check whether the disk is encrypted.

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Storage & Snapshots > Block Storage.

    3. On the Cloud Disk tab, find the disk that is created and click its ID.

    4. On the Basic Information tab of the disk details page, check whether Encrypted is displayed in the Encrypted/Unencrypted field.
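Checking one disk in the ECS console does not tell you whether every StorageClass in the cluster produces encrypted disks. The following added audit check, which is not ACK's own tooling, applies the encrypted and kmsKeyId rules from the StorageClass step to the output of kubectl get sc -o json and reports each disk StorageClass whose disks would not be KMS-encrypted as configured. The JSON sample, the StorageClass names other than csi-disk-encrypted, and the function names are constructed for the example.

```go
package main

import "encoding/json"

// storageClassList mirrors the fields of `kubectl get sc -o json` that the audit needs.
type storageClassList struct {
	Items []struct {
		Metadata    struct{ Name string `json:"name"` } `json:"metadata"`
		Provisioner string                              `json:"provisioner"`
		Parameters  map[string]string                   `json:"parameters"`
	} `json:"items"`
}

const diskProvisioner = "diskplugin.csi.alibabacloud.com"

// AuditStorageClasses reports, by name, each disk StorageClass that would not yield a KMS-encrypted disk.
func AuditStorageClasses(kubectlJSON []byte) (map[string]string, error) {
	var list storageClassList
	if err := json.Unmarshal(kubectlJSON, &list); err != nil {
		return nil, err
	}
	findings := map[string]string{}
	for _, sc := range list.Items {
		if sc.Provisioner != diskProvisioner {
			continue // other CSI drivers are out of scope for this check
		}
		p := sc.Parameters
		switch {
		case p["encrypted"] == "true" && p["kmsKeyId"] != "":
			// compliant: encryption on and an explicit KMS key pinned
		case p["encrypted"] == "true":
			findings[sc.Metadata.Name] = "encrypted with the default CMK; set kmsKeyId to pin a key"
		case p["kmsKeyId"] != "":
			findings[sc.Metadata.Name] = "kmsKeyId is ignored because encrypted is not \"true\"; disks are unencrypted"
		default:
			findings[sc.Metadata.Name] = "encrypted is not \"true\"; disks from this class are unencrypted"
		}
	}
	return findings, nil
}

// sampleSC is a constructed stand-in for `kubectl get sc -o json` output.
const sampleSC = `{"items":[
{"metadata":{"name":"csi-disk-encrypted"},"provisioner":"diskplugin.csi.alibabacloud.com","parameters":{"type":"cloud_essd","fsType":"ext4","encrypted":"true","kmsKeyId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}},
{"metadata":{"name":"sc-default-cmk"},"provisioner":"diskplugin.csi.alibabacloud.com","parameters":{"type":"cloud_essd","encrypted":"true"}},
{"metadata":{"name":"sc-plain"},"provisioner":"diskplugin.csi.alibabacloud.com","parameters":{"type":"cloud_essd"}},
{"metadata":{"name":"sc-key-ignored"},"provisioner":"diskplugin.csi.alibabacloud.com","parameters":{"encrypted":"false","kmsKeyId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}},
{"metadata":{"name":"sc-other-driver"},"provisioner":"other.csi.example.com","parameters":{"encrypted":"false"}}
]}`
```

Feed the function the real kubectl output (for example from kubectl get sc -o json) to audit a cluster; an empty result means every disk StorageClass pins a KMS key.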

References

For more information about disk encryption, see Encrypt cloud disks.