Disk encryption protects data on your ApsaraDB for ClickHouse cluster at the block storage level. If backup data is leaked, it cannot be decrypted without the corresponding KMS key.
Disk encryption can only be enabled at cluster creation time and cannot be disabled afterward. Plan your encryption strategy before creating a cluster.
Limitations
Disk encryption must be enabled when you create a cluster. It cannot be enabled on an existing cluster.
Disk encryption cannot be disabled after it is enabled.
What disk encryption covers
Enabling disk encryption on a cluster encrypts:
Data at rest stored on the disk
Data transmitted between the disk and the Elastic Compute Service (ECS) instance
System disk data is not encrypted.
After encryption is enabled, all snapshots created for the cluster are automatically encrypted. Any cluster that uses disks based on encrypted snapshots also has disk encryption enabled automatically.
Disk encryption runs transparently: it does not interrupt your workloads or degrade performance, and you do not need to modify your application.
Billing
The disk encryption feature is free. Read and write operations on encrypted disks are not charged.
Key Management Service (KMS) charges apply separately for key hosting and API operation calls. For details, see Billing of KMS 1.0.
Enable disk encryption
Disk encryption is configured during cluster creation. For a full walkthrough of cluster creation, see Create a cluster.
Prerequisites
Before you begin, ensure that you have:
A KMS key created in the KMS console with Rotation Period set to Disable. Only manually created keys are supported; system-generated keys cannot be used. For instructions, see Create a key.
KMS activated in your account
Steps
On the cluster creation page, set Storage Type to ESSD or Ultra Cloud Disk.
Set Encryption Type to Disk Encryption.
Select the KMS key to use for disk encryption.
Click Buy Now to create the cluster.
If you authorize your account to access KMS, ActionTrail records the operations. For details, see Use ActionTrail to query management events for Key Management Service.
View the encryption key for a cluster
Log on to the ApsaraDB for ClickHouse console.
On the Clusters page, click the Default Instances tab, then click the ID of the cluster.
On the Cluster Information page, find the key details in the Cluster Properties section.
