ApsaraDB for HBase provides the disk encryption feature free of charge. This feature encrypts the data on each data disk of your instance based on block storage. This way, your data cannot be decrypted even if the data backups are leaked. This helps secure your data.


Encrypted disks are suitable for scenarios that require data security or regulatory compliance. The disk encryption feature encrypts and protects data that is stored on the disks of your ApsaraDB for HBase instances. You do not need to build or maintain your key management infrastructure to ensure the privacy, autonomy, and security of your data.

When you create an ApsaraDB for HBase Performance-enhanced Edition instance, you can enable disk encryption. After disk encryption is enabled, the system encrypts the following types of data in the instance:

  • The static data that is stored on the disks.
  • The data that is transmitted between the disks and the instance.
  • All snapshots that are created on the encrypted disks. These snapshots are classified as encrypted snapshots.


ApsaraDB for HBase uses keys that are provided by Key Management Service (KMS) to encrypt disks.

Note: ApsaraDB for HBase does not charge you for disk encryption. However, you are charged for KMS key management and KMS API calls. For more information about the pricing of KMS, see Billing.


  • Disk encryption does not affect your business workloads. You do not need to modify the code of your application.
  • Disk encryption does not compromise the performance of your ApsaraDB for HBase instance.


  • If you want to use the disk encryption feature, submit a ticket.
  • You can enable the disk encryption feature for an ApsaraDB for HBase instance only when you purchase the instance. After the instance is created, you cannot enable the feature.
  • The disk encryption feature cannot be disabled after you enable it.
  • After you enable the disk encryption feature for your ApsaraDB for HBase instance, the snapshots that are created for the instance are automatically encrypted. If you use these encrypted snapshots to create an ApsaraDB for HBase instance that uses standard SSDs or enhanced SSDs, the disk encryption feature is automatically enabled for the new ApsaraDB for HBase instance.
  • The disk encryption feature is available for ApsaraDB for HBase Performance-enhanced Edition instances that are deployed in all available regions.

Enable disk encryption

  1. Log on to the ApsaraDB for HBase console.
  2. On the Clusters page, click Create HBase Cluster.
  3. Configure the parameters that are described in the following table. For information about how to configure other parameters, see Purchase a cluster.
    Create an instance and enable the disk encryption feature (parameter: description)

    • Service: Select HBase.
    • Edition: Select HBaseUE(Lindorm).
    • Core Node Disk Type: Select Standard SSD or Ultra Disk.
    • Encryption Type: Select CloudDisk.
    • Service-linked Role: To use the disk encryption feature for an instance, you must assign the service-linked role to ApsaraDB for HBase. If Created is displayed, the service-linked role is assigned to ApsaraDB for HBase. Otherwise, click Create Service-linked Role to create the role. For more information about the service-linked role, see AliyunServiceRoleForHBaseEncryption.
    • Encryption Key: Select a key. If you do not have a KMS key in the specified region, you can create a key in the KMS console.
      • The disk encryption feature of ApsaraDB for HBase supports only the keys that are manually created. When you create a regular key in the KMS console, you must set the Rotation Period parameter to Disable. For more information about how to create a key, see Create a CMK.
      • When you authorize ApsaraDB for HBase to access KMS, ActionTrail records this operation. For more information, see Use ActionTrail to query KMS event logs.

    Note: For information about other parameters on the ApsaraDB for HBase buy page, see Purchase a cluster.
  4. Click Buy Now to create an ApsaraDB for HBase instance that uses encrypted disks.
  5. After the instance is created, you can go to the Basic Information page of the instance and view the encryption type and encryption key in the Core Node Information section.
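
The Encryption Key requirements in step 3 (a key in the instance's region, with rotation disabled) can be checked before you open the buy page. The following is an added example, not code from the ApsaraDB for HBase documentation. It assumes the key metadata has the shape of a KMS DescribeKey response (`KeyMetadata` with `Arn`, `KeyState` and `AutomaticRotation`) and runs on a constructed sample; `check_key` and `key_region` are hypothetical helper names.

```python
import copy

# Constructed sample shaped like a KMS DescribeKey response; every value is a
# placeholder, not real account data.
SAMPLE_DESCRIBE_KEY = {
    "KeyMetadata": {
        "KeyId": "00000000-0000-0000-0000-000000000000",
        "Arn": "acs:kms:cn-hangzhou:000000000000:key/00000000-0000-0000-0000-000000000000",
        "KeyState": "Enabled",
        "AutomaticRotation": "Disabled",
    }
}


def key_region(arn):
    """Return the region from an ARN, assumed to be acs:kms:<region>:<account>:key/<id>."""
    parts = arn.split(":")
    return parts[2] if len(parts) >= 5 and parts[:2] == ["acs", "kms"] else None


def check_key(response, instance_region):
    """Return a list of problems; an empty list means the key passed every check."""
    meta = response.get("KeyMetadata") or {}
    problems = []
    # The key must exist in the region where the instance is purchased.
    region = key_region(meta.get("Arn", ""))
    if region != instance_region:
        problems.append(f"key region {region!r} does not match instance region {instance_region!r}")
    # The page requires the Rotation Period parameter to be set to Disable.
    rotation = meta.get("AutomaticRotation")
    if rotation != "Disabled":
        problems.append(f"automatic rotation is {rotation!r}, expected 'Disabled'")
    # Added sanity check (not from the page): a key that is not enabled cannot encrypt.
    state = meta.get("KeyState")
    if state != "Enabled":
        problems.append(f"key state is {state!r}, expected 'Enabled'")
    return problems


def demo():
    """Run the check on the sample, a rotating variant, and a region mismatch."""
    rotated = copy.deepcopy(SAMPLE_DESCRIBE_KEY)
    rotated["KeyMetadata"]["AutomaticRotation"] = "Enabled"
    return {
        "good": check_key(SAMPLE_DESCRIBE_KEY, "cn-hangzhou"),
        "rotating": check_key(rotated, "cn-hangzhou"),
        "wrong_region": check_key(SAMPLE_DESCRIBE_KEY, "cn-beijing"),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

The check does not cover the "manually created" requirement, which still has to be confirmed in the KMS console.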