
Container Service for Kubernetes:Encrypt disk volumes

Last Updated: Mar 26, 2026

Workloads with security or compliance requirements need data protected at rest without the overhead of managing key infrastructure. Disk encryption lets you automatically encrypt data before it is written to a disk and decrypt it when read, using keys managed by Key Management Service (KMS). This topic explains how to configure encrypted cloud disk volumes for workloads in an ACK cluster using a StorageClass.

This topic covers encrypting data volumes for workloads via a StorageClass. It does not cover encrypting node root volumes.

How encryption works

Alibaba Cloud disks use AES-256 encryption managed by KMS. KMS implements a two-tier key hierarchy — customer master keys (CMKs) and data keys (DKs) — using envelope encryption:

  1. Encrypt a data key. KMS uses the CMK to encrypt a DK. The encrypted DK is stored alongside the encrypted data. Without the CMK, the DK cannot be decrypted.

  2. Store and read encrypted data. When encrypted data is read, a KMS request is sent to decrypt the DK. After KMS verifies the request, it returns the plaintext DK in memory. The plaintext DK is used during disk I/O and is never written to storage.

The plaintext CMK never leaves the hardware security module managed by KMS. The plaintext DK exists only in hypervisor memory and is never stored on disk.

For more information, see Encryption process.
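The two-tier scheme above, worked through as an added Go example. This is not Alibaba Cloud code and does not call the KMS API: the KMS type, NewKMS, GenerateDataKey, Decrypt, WriteDisk and ReadDisk are hypothetical stand-ins that keep the CMK inside one struct, hand out a DK only in memory, and persist nothing but ciphertext plus the wrapped DK. AES-256-GCM for both layers is an assumption; the page states only AES-256. The sample block written to the "disk" is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD (GCM is an assumption; the page states only AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key and prepends the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; under the wrong key GCM authentication fails and an error is returned.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// KMS is a hypothetical stand-in for the service (not the real API); the plaintext CMK never leaves it.
type KMS struct{ cmk []byte }

func NewKMS() (*KMS, error) {
	cmk := make([]byte, 32)
	if _, err := rand.Read(cmk); err != nil {
		return nil, err
	}
	return &KMS{cmk: cmk}, nil
}

// GenerateDataKey models kms:GenerateDataKey: a plaintext DK (memory only) and the DK wrapped under the CMK.
func (k *KMS) GenerateDataKey() (plainDK, wrappedDK []byte, err error) {
	plainDK = make([]byte, 32)
	if _, err = rand.Read(plainDK); err != nil {
		return nil, nil, err
	}
	wrappedDK, err = sealGCM(k.cmk, plainDK)
	return plainDK, wrappedDK, err
}

// Decrypt models kms:Decrypt: unwrap a DK with the CMK.
func (k *KMS) Decrypt(wrappedDK []byte) ([]byte, error) { return openGCM(k.cmk, wrappedDK) }

// EncryptedDisk is what reaches storage: ciphertext plus the wrapped DK, never the plaintext DK.
type EncryptedDisk struct{ WrappedDK, Data []byte }

// WriteDisk: obtain a DK from KMS, encrypt with it, persist the wrapped DK beside the data.
func WriteDisk(kms *KMS, plaintext []byte) (*EncryptedDisk, error) {
	dk, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	data, err := sealGCM(dk, plaintext)
	if err != nil {
		return nil, err
	}
	return &EncryptedDisk{WrappedDK: wrapped, Data: data}, nil
}

// ReadDisk: a KMS request unwraps the DK, which is then used in memory to decrypt the data.
func ReadDisk(kms *KMS, d *EncryptedDisk) ([]byte, error) {
	dk, err := kms.Decrypt(d.WrappedDK)
	if err != nil {
		return nil, fmt.Errorf("KMS refused to unwrap the data key: %w", err)
	}
	return openGCM(dk, d.Data)
}

func main() {
	kms, _ := NewKMS()
	disk, _ := WriteDisk(kms, []byte("constructed sample block")) // constructed input
	got, err := ReadDisk(kms, disk)
	other, _ := NewKMS() // a different CMK (e.g. another account) cannot unwrap the DK
	_, errOther := ReadDisk(other, disk)
	fmt.Printf("%s %v %v\n", got, err, errOther)
}
```

The point to take from the model is what is and is not persisted: EncryptedDisk carries the wrapped DK and the ciphertext, and the only way back to the plaintext is a Decrypt call that succeeds solely with the CMK that did the wrapping. Revoking or losing the CMK therefore makes every disk and snapshot wrapped under it unreadable, which is the behaviour the limitations section below relies on.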

Data types that can be encrypted

The following types of data are encrypted when you create an encrypted disk and attach it to an Elastic Compute Service (ECS) instance. The data is decrypted when it is read.

  • Static data stored on the encrypted disk.

  • Data transmitted between the encrypted disk and the ECS instance, except data in the instance operating system.

  • Data transmitted from the ECS instance to a backend storage cluster.

  • All snapshots created from the encrypted disk. These snapshots have the same encryption key as the disk.

  • All disks created from the encrypted snapshots.

Supported disk types

The following disk types support encryption:

Disk type                 Encryption supported
Enterprise SSDs (ESSDs)   Yes
ESSD AutoPL disks         Yes
ESSD Entry disks          Yes
Standard SSDs             Yes
Ultra disks               Yes
Basic disks               Yes
Local disks               No

Limitations

  • Encryption can only be enabled when creating a disk. You cannot change the encryption state after a disk is created. When you mount or unmount a disk, no encryption-related operations are involved.

  • Converting an unencrypted disk to encrypted, or an encrypted disk to unencrypted, is not supported.

Authorize ECS to access KMS

Before encrypting disks, grant Elastic Compute Service (ECS) access to KMS by creating and configuring the AliyunECSDiskEncryptDefaultRole RAM role.

  1. Create the RAM role. If the AliyunECSDiskEncryptDefaultRole role already exists, skip this step. For more information, see Create a RAM role for a trusted Alibaba Cloud service. Use the following values:

    Field            Value
    Principal Type   Cloud Service
    Principal Name   Elastic Compute Service
    Role Name        AliyunECSDiskEncryptDefaultRole
  2. Grant permissions to the AliyunECSDiskEncryptDefaultRole role. For more information, see Grant permissions to a RAM role. Use the following values:

    Field            Value
    Resource Scope   Account
    Policy           AliyunKMSFullAccess (full KMS access) or AliyunECSDiskEncryptCustomizedPolicy (minimum required permissions)

    Important

    AliyunKMSFullAccess grants full KMS permissions. For least-privilege access, use a custom policy with the following permissions:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:DescribeKey",
                    "kms:GenerateDataKey",
                    "kms:Decrypt",
                    "kms:TagResource"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Click Grant permissions.
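A check that a policy document attached to the role actually stays within the least-privilege set above, as an added Go example (not Alibaba Cloud tooling). AuditKMSPolicy and RequiredKMSActions are hypothetical names; the function parses the RAM policy JSON shape shown on this page (Action as either a string or an array), reports which of the four required actions an Allow statement fails to grant, and reports any wildcard or extra kms: action that grants more than the minimum, which is what a full-access policy amounts to. The two policy documents in the block are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"sort"
	"strings"
)

// RequiredKMSActions is the minimum set listed above for disk encryption.
var RequiredKMSActions = []string{
	"kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt", "kms:TagResource",
}

// actionList accepts both the string and the array form of "Action".
type actionList []string

func (a *actionList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*a = actionList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = actionList(many)
	return nil
}

type statement struct {
	Effect string     `json:"Effect"`
	Action actionList `json:"Action"`
}

type policy struct {
	Statement []statement `json:"Statement"`
}

// AuditKMSPolicy checks the Allow statements of a RAM policy document against
// RequiredKMSActions. missing lists required actions the policy does not grant;
// excess lists KMS actions or wildcards that grant more than the minimum
// (for example "kms:*").
func AuditKMSPolicy(doc []byte) (missing, excess []string, err error) {
	var p policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, nil, err
	}
	covered := map[string]bool{}
	for _, s := range p.Statement {
		if !strings.EqualFold(s.Effect, "Allow") {
			continue // Deny never adds privilege; out of scope for this check
		}
		for _, act := range s.Action {
			exact := false
			for _, req := range RequiredKMSActions {
				if act == req {
					covered[req], exact = true, true
				} else if ok, _ := path.Match(act, req); ok {
					covered[req] = true // wildcard such as "kms:*" or "*"
				}
			}
			if !exact && (act == "*" || strings.HasPrefix(act, "kms:")) {
				excess = append(excess, act)
			}
		}
	}
	for _, req := range RequiredKMSActions {
		if !covered[req] {
			missing = append(missing, req)
		}
	}
	sort.Strings(missing)
	sort.Strings(excess)
	return missing, excess, nil
}

// Constructed sample: the least-privilege policy from this page.
const minimalPolicy = `{"Version":"1","Statement":[{"Effect":"Allow",
  "Action":["kms:DescribeKey","kms:GenerateDataKey","kms:Decrypt","kms:TagResource"],
  "Resource":"*"}]}`

// Constructed sample: a full-access style policy.
const fullPolicy = `{"Version":"1","Statement":[{"Effect":"Allow","Action":"kms:*","Resource":"*"}]}`

func main() {
	for _, doc := range []string{minimalPolicy, fullPolicy} {
		missing, excess, err := AuditKMSPolicy([]byte(doc))
		fmt.Printf("missing=%v excess=%v err=%v\n", missing, excess, err)
	}
}
```

Run it over the JSON of each policy attached to the role; an empty missing list with a non-empty excess list is the signature of a policy that works but is broader than the four actions the encryption path needs.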

Encrypt disk volumes

Disk encryption is configured at the StorageClass level. Any persistent volume claim (PVC) that uses an encryption-enabled StorageClass is backed by an encrypted disk.

Prerequisites

Before you begin, make sure that you have:

  • The Container Storage Interface (CSI) plug-in installed in the cluster. In the left-side navigation pane of the cluster management page, choose Operations > Add-ons. On the Storage tab, check that csi-plugin and csi-provisioner are installed. For more information, see Update csi-plugin and csi-provisioner.

    If your cluster uses FlexVolume, migrate to the CSI plug-in before proceeding. FlexVolume is no longer supported. See Upgrade from FlexVolume to CSI.
  • KMS activated

  • The AliyunECSDiskEncryptDefaultRole RAM role configured with KMS permissions (see Authorize ECS to access KMS)

Step 1: Create an encrypted StorageClass

  1. Create a file named sc-kms.yaml with the following content, adjusting parameters as needed:

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: csi-disk-encrypted
    provisioner: diskplugin.csi.alibabacloud.com
    parameters:
      fsType: ext4
      type: cloud_essd
      encrypted: "true"
      kmsKeyId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    reclaimPolicy: Delete

    The following table describes the encryption-related parameters in the parameters section:

    Parameter   Description
    encrypted   Set to "true" to encrypt disks created by this StorageClass.
    kmsKeyId    The KMS key used to encrypt the disk. If not set, the default CMK is used. Has no effect when encrypted is "false".
    type        The disk type.
    fsType      The file system type.

  2. Create the StorageClass:

    kubectl create -f sc-kms.yaml
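Because encryption is decided per StorageClass, a cluster can hold both encrypted and unencrypted disk classes side by side. The following added Go example (not part of the CSI plug-in or ACK) audits the JSON that kubectl get sc -o json returns and lists every class of the diskplugin.csi.alibabacloud.com provisioner that would provision unencrypted disks, including the case described in the table above where kmsKeyId is set but encrypted is not "true" and the key therefore has no effect. AuditStorageClasses and DiskProvisioner are hypothetical names, and sampleList is a constructed response rather than output from a real cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// DiskProvisioner is the CSI provisioner named in the StorageClass above.
const DiskProvisioner = "diskplugin.csi.alibabacloud.com"

// storageClassList mirrors only the fields this check needs from `kubectl get sc -o json`.
type storageClassList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Provisioner string            `json:"provisioner"`
		Parameters  map[string]string `json:"parameters"`
	} `json:"items"`
}

// AuditStorageClasses returns one finding per disk StorageClass that would
// provision unencrypted disks. Classes of other provisioners are skipped.
func AuditStorageClasses(doc []byte) ([]string, error) {
	var list storageClassList
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	var findings []string
	for _, sc := range list.Items {
		if sc.Provisioner != DiskProvisioner {
			continue
		}
		encrypted := sc.Parameters["encrypted"] == "true"
		_, hasKey := sc.Parameters["kmsKeyId"]
		switch {
		case encrypted:
			// nothing to report
		case hasKey:
			// kmsKeyId has no effect unless encrypted is "true": the class looks
			// encrypted in a quick review but provisions unencrypted disks.
			findings = append(findings, sc.Metadata.Name+`: kmsKeyId is set but encrypted is not "true"`)
		default:
			findings = append(findings, sc.Metadata.Name+`: encrypted is not "true"`)
		}
	}
	return findings, nil
}

// sampleList is a constructed `kubectl get sc -o json` response, not real cluster output.
const sampleList = `{"apiVersion":"v1","kind":"List","items":[
 {"kind":"StorageClass","metadata":{"name":"csi-disk-encrypted"},"provisioner":"diskplugin.csi.alibabacloud.com",
  "parameters":{"fsType":"ext4","type":"cloud_essd","encrypted":"true","kmsKeyId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}},
 {"kind":"StorageClass","metadata":{"name":"csi-disk-plain"},"provisioner":"diskplugin.csi.alibabacloud.com",
  "parameters":{"type":"cloud_essd"}},
 {"kind":"StorageClass","metadata":{"name":"csi-disk-keyonly"},"provisioner":"diskplugin.csi.alibabacloud.com",
  "parameters":{"type":"cloud_essd","encrypted":"false","kmsKeyId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}},
 {"kind":"StorageClass","metadata":{"name":"other-storage"},"provisioner":"example.invalid/other",
  "parameters":{}}
]}`

func main() {
	findings, err := AuditStorageClasses([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Pipe the real command output into the function in place of sampleList. A class that appears in the findings is not an error by itself, but any PVC that names it will be backed by a disk that fails the console check in Step 3, and since encryption cannot be enabled after creation, the only remedy is to re-create the volume from an encryption-enabled class.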

Step 2: Create a PVC

  1. Create a file named sc-pvc.yaml with the following content:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: disk-pvc
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 20Gi
      storageClassName: csi-disk-encrypted
  2. Create the PVC:

    kubectl create -f sc-pvc.yaml
  3. Verify that the PVC is bound:

    kubectl get pvc

    The output should show the PVC in Bound status. The VOLUME column shows the ID of the automatically provisioned disk:

    NAME       STATUS    VOLUME                   CAPACITY   ACCESS MODES   STORAGECLASS         VOLUMEATTRIBUTESCLASS   AGE
    disk-pvc   Bound     d-2ze0nmbv2var0d9h****   20Gi       RWO            csi-disk-encrypted   <unset>                 6m20s

Step 3: Verify disk encryption

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Storage & Snapshots > Block Storage.

  3. On the Cloud Disk tab, find the disk and click its ID.

  4. On the Basic Information tab, confirm that Encrypted appears in the Encrypted/Unencrypted field.

What's next

For more information about disk encryption on Alibaba Cloud, see Encrypt cloud disks.