Data encryption is suitable for scenarios that require high security or have compliance requirements. You do not need to create or maintain the key management infrastructure. Encrypted storage helps you ensure data privacy and autonomy when data is stored on Elastic Compute Service (ECS) instances. This topic describes how to use the keys that are hosted in Key Management Service (KMS) to encrypt data stored in disk volumes.

Prerequisites

Overview

ECS uses the industry-standard AES-256 algorithm to encrypt disks. The encryption key can be the service key that KMS provides for ECS or a key that you created by using the Bring Your Own Key (BYOK) feature. Encryption and decryption have minimal impact on ECS instance performance. The following types of data are encrypted when you create an encrypted disk and attach it to an ECS instance, and are decrypted transparently when they are read. For more information, see Encrypt a data disk.

  • Data at rest on the encrypted disk.
  • Data transmitted between the encrypted disk and the instance, excluding data in the operating system.
  • Data transmitted from the ECS instance to a backend storage cluster.
  • All snapshots created from the encrypted disk. These snapshots have the same encryption key as the disk.
  • All disks created from the encrypted snapshots.

Limits

  • You can encrypt the following categories of disks: enhanced SSDs, standard SSDs, ultra disks, and basic disks.
  • You cannot encrypt data in local disks.
  • You cannot directly convert unencrypted disks into encrypted disks.
  • You cannot directly convert encrypted disks into unencrypted disks.

Step 1 (optional): Authorize your ECS instance to access KMS

If you want to use keys that are created by using the BYOK feature, you must first authorize your ECS instance to access KMS. To do this, create a Resource Access Management (RAM) role and grant the required permissions to the role. Perform the following operations:

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role.
  4. In the Create Role wizard, select Alibaba Cloud Service as the trusted entity and click Next.
  5. Select Normal Service Role as Role Type.
  6. Enter AliyunECSDiskEncryptDefaultRole in the RAM Role Name field and select Elastic Compute Service as the trusted service.
  7. Click OK and then click Close.
  8. In the left-side navigation pane of the RAM console, choose Permissions > Grants. Then, click Grant Permission.
  9. On the Grant Permission page, select Alibaba Cloud Account as the authorization scope. Enter AliyunECSDiskEncryptDefaultRole in the Principal field and click the role after it appears.
  10. Select the system policy AliyunKMSFullAccess or create a custom policy named AliyunECSDiskEncryptCustomizedPolicy.

    The AliyunKMSFullAccess policy grants full permissions on all KMS operations and keys in the account, which is far more than disk encryption requires. If you require finer-grained access control, perform the following steps to create a custom policy named AliyunECSDiskEncryptCustomizedPolicy:

    1. On the Grant Permission page, click Create Policy to go to the Create Policy page.
    2. On the Create Policy page, click the JSON tab. Copy the following content to the code editor:
      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "kms:DescribeKey",
                      "kms:GenerateDataKey",
                      "kms:Decrypt",
                      "kms:TagResource"
                  ],
                  "Resource": "*"
              }
          ]
      }
    3. Click Next Step, enter AliyunECSDiskEncryptCustomizedPolicy in the Name field, and then click OK.
  11. Click OK. Then, click Complete.
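The custom policy above still uses `"Resource": "*"`, so the role can call GenerateDataKey and Decrypt on every key in the account. The following script, added here as an example and not part of the ACK documentation, builds the same four-action policy scoped to named key ARNs, emits the trust policy that lets the ECS service assume the role, and lints a policy document for grants the role does not need (such as `kms:*` or a wildcard resource). The KMS key ARN format `acs:kms:<region>:<account-id>:key/<key-id>`, the trust-policy document, and all sample region, account and key values are assumptions.

```python
"""Build and lint the RAM policy for the ECS disk-encryption role.

Added example; not code from the ACK documentation. Assumed, not stated on the
page: the KMS key ARN format acs:kms:<region>:<account-id>:key/<key-id>, and the
trust-policy document that a service role trusted by ECS carries.
"""
import json
import re

# The four actions the page's AliyunECSDiskEncryptCustomizedPolicy grants.
REQUIRED_ACTIONS = (
    "kms:DescribeKey",
    "kms:GenerateDataKey",
    "kms:Decrypt",
    "kms:TagResource",
)

# Assumed ARN format for a KMS key (36-character key ID).
KEY_ARN_RE = re.compile(r"^acs:kms:[a-z0-9-]+:\d+:key/[0-9a-f-]{36}$")


def key_arn(region: str, account_id: str, key_id: str) -> str:
    """Build the ARN of one KMS key (assumed format)."""
    return f"acs:kms:{region}:{account_id}:key/{key_id}"


def build_disk_encrypt_policy(key_arns) -> dict:
    """Same actions as the page's policy, but Resource is limited to the named
    keys instead of "*"."""
    arns = list(key_arns)
    bad = [a for a in arns if not KEY_ARN_RE.match(a)]
    if bad:
        raise ValueError(f"not a KMS key ARN: {bad}")
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": arns}
        ],
    }


def ecs_trust_policy() -> dict:
    """Trust policy that lets the ECS service assume the role (assumed document)."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {"Service": ["ecs.aliyuncs.com"]},
            }
        ],
    }


def _as_list(value):
    """RAM policies allow Action/Resource as a string or a list; normalize."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy: dict) -> list:
    """Return findings for Allow statements that grant more than the role needs:
    actions outside REQUIRED_ACTIONS (including kms:*) or wildcard resources."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action not in REQUIRED_ACTIONS:
                findings.append(f"statement {i}: action {action!r} is not needed for disk encryption")
        for res in _as_list(st.get("Resource")):
            if "*" in res:
                findings.append(f"statement {i}: resource {res!r} is a wildcard; scope it to key ARNs")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own region, account and key ID.
    arn = key_arn("cn-hangzhou", "123456789012345678", "11111111-2222-3333-4444-555555555555")
    scoped = build_disk_encrypt_policy([arn])
    print(json.dumps(scoped, indent=2))
    print("findings:", lint_policy(scoped))
```

Paste the output of `build_disk_encrypt_policy` into the JSON tab in place of the policy above when the role should only ever use a known set of keys; run `lint_policy` against any policy you attach to AliyunECSDiskEncryptDefaultRole before granting it.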

Step 2: Configure disk volume encryption

You can enable disk encryption only when you create a disk. When you mount or unmount a disk, no encryption-related operations are involved.

  1. Create a StorageClass.
    1. Create a file named sc-kms.yaml and copy the following content to the file:
      apiVersion: storage.k8s.io/v1
      kind: StorageClass
      metadata:
        name: csi-disk-encrypted
      provisioner: diskplugin.csi.alibabacloud.com
      parameters:
        fsType: ext4
        type: cloud_ssd
        encrypted: "true"
        kmsKeyId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      reclaimPolicy: Delete

      Note
      • encrypted: specifies whether to create an encrypted disk. A value of "true" specifies that the StorageClass is used to create an encrypted disk. StorageClass parameters are strings, so the value must be quoted.
      • kmsKeyId: specifies the ID of the KMS key that is used to encrypt the disk. The key must be in the region where the disk is created. If you do not set this parameter, the default customer master key (CMK) is used. If the encrypted parameter is not set to "true", this parameter does not take effect.
    2. Run the following command to create a StorageClass:
      kubectl create -f sc-kms.yaml
    3. Run the following command to query the created StorageClass:
      kubectl get sc csi-disk-encrypted

      Expected output:

      NAME                 PROVISIONER                       AGE
      csi-disk-encrypted   diskplugin.csi.alibabacloud.com   9m5s
  2. Create a persistent volume claim (PVC).
    1. Create a file named sc-pvc.yaml and copy the following content to the file:
      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: disk-pvc
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 20Gi
        storageClassName: csi-disk-encrypted
    2. Run the following command to create a PVC:
      kubectl create -f sc-pvc.yaml
    3. Run the following command to query the created PVC:
      kubectl get pvc

      Expected output:

      NAME       STATUS   VOLUME                   CAPACITY   ACCESS MODES   STORAGECLASS         AGE
      disk-pvc   Bound    d-wz92s6d95go6ki9x****   20Gi       RWO            csi-disk-encrypted   10m
    4. Run the following command to query the persistent volume (PV) that is bound to the PVC:
      kubectl get pv

      Expected output:

      NAME                     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM              STORAGECLASS         REASON   AGE
      d-wz92s6d95go6ki9x****   20Gi       RWO            Delete           Bound    default/disk-pvc   csi-disk-encrypted            10m

      The preceding output shows that a disk is created and the disk ID is d-wz92s6d95go6ki9x****.

  3. Check whether the disk is encrypted.
    1. Log on to the ECS console.
    2. In the left-side navigation pane, choose Storage & Snapshots > Disks.
    3. On the Disks page, verify that the d-wz92s6d95go6ki9x**** disk is in the Encrypted state.
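The console check above verifies one disk by hand. The following script, added here as an example and not part of the ACK documentation, does the same check for every PV that the disk CSI driver provisioned: it reads the JSON that `kubectl get sc -o json` and `kubectl get pv -o json` return, builds the DiskIds list for `aliyun ecs DescribeDisks`, and reports each PV whose ECS disk is missing, unencrypted, or encrypted with a key other than the one its StorageClass names. The DescribeDisks response field names (Disks.Disk[].DiskId, Encrypted, KMSKeyId), the per-call limit on DiskIds, and all sample disk IDs, key IDs and JSON documents below are constructed assumptions, not captured output.

```python
"""Cross-check ACK disk PVs against ECS DescribeDisks output.

Added example; not code from the ACK documentation. Consumes the JSON that
`kubectl get sc -o json`, `kubectl get pv -o json` and `aliyun ecs DescribeDisks`
return. The DescribeDisks field names Disks.Disk[].DiskId/Encrypted/KMSKeyId are
assumed, and every sample document below is constructed, not captured.
"""
import json

CSI_DRIVER = "diskplugin.csi.alibabacloud.com"
KEY_ID = "11111111-2222-3333-4444-555555555555"  # constructed key ID

# Constructed `kubectl get sc -o json`: one encrypted class, one plain class.
SC_JSON = json.dumps({"items": [
    {"metadata": {"name": "csi-disk-encrypted"}, "provisioner": CSI_DRIVER,
     "parameters": {"type": "cloud_ssd", "encrypted": "true", "kmsKeyId": KEY_ID}},
    {"metadata": {"name": "csi-disk-plain"}, "provisioner": CSI_DRIVER,
     "parameters": {"type": "cloud_ssd"}},
]})


def _pv(name, storage_class):
    """Minimal PV object as the CSI driver creates it (PV name == disk ID)."""
    return {"metadata": {"name": name},
            "spec": {"storageClassName": storage_class,
                     "csi": {"driver": CSI_DRIVER, "volumeHandle": name},
                     "claimRef": {"namespace": "default", "name": f"{name}-pvc"}}}


# Constructed `kubectl get pv -o json`.
PV_JSON = json.dumps({"items": [
    _pv("d-aaaa0001", "csi-disk-encrypted"),
    _pv("d-aaaa0002", "csi-disk-encrypted"),  # encrypted, but with the wrong key
    _pv("d-aaaa0003", "csi-disk-plain"),      # never encrypted
]})

# Constructed `aliyun ecs DescribeDisks --DiskIds '[...]'` response.
DISKS_JSON = json.dumps({"Disks": {"Disk": [
    {"DiskId": "d-aaaa0001", "Encrypted": True, "KMSKeyId": KEY_ID},
    {"DiskId": "d-aaaa0002", "Encrypted": True, "KMSKeyId": "99999999-8888-7777-6666-555555555555"},
    {"DiskId": "d-aaaa0003", "Encrypted": False, "KMSKeyId": ""},
]}})


def csi_disk_pvs(pv_json: str) -> list:
    """PVs provisioned by the Alibaba Cloud disk CSI driver."""
    return [pv for pv in json.loads(pv_json)["items"]
            if pv["spec"].get("csi", {}).get("driver") == CSI_DRIVER]


def disk_ids(pv_json: str) -> list:
    """Disk IDs for the DiskIds parameter of DescribeDisks (a JSON array).
    The API caps the number of IDs per call (assumed 100), so batch larger lists."""
    return [pv["spec"]["csi"]["volumeHandle"] for pv in csi_disk_pvs(pv_json)]


def audit(sc_json: str, pv_json: str, disks_json: str) -> list:
    """One finding per PV whose disk is missing, unencrypted, or encrypted with
    a key other than the one its StorageClass names."""
    classes = {sc["metadata"]["name"]: sc.get("parameters", {})
               for sc in json.loads(sc_json)["items"]}
    disks = {d["DiskId"]: d for d in json.loads(disks_json)["Disks"]["Disk"]}
    findings = []
    for pv in csi_disk_pvs(pv_json):
        name = pv["metadata"]["name"]
        disk_id = pv["spec"]["csi"]["volumeHandle"]
        params = classes.get(pv["spec"].get("storageClassName"), {})
        disk = disks.get(disk_id)
        if disk is None:
            findings.append(f"{name}: disk {disk_id} not returned by DescribeDisks")
        elif not disk.get("Encrypted"):
            findings.append(f"{name}: disk {disk_id} is not encrypted "
                            f"(StorageClass encrypted={params.get('encrypted', 'unset')})")
        elif params.get("kmsKeyId") and disk.get("KMSKeyId") != params["kmsKeyId"]:
            findings.append(f"{name}: disk {disk_id} uses key {disk.get('KMSKeyId')}, "
                            f"StorageClass expects {params['kmsKeyId']}")
    return findings


if __name__ == "__main__":
    print("DescribeDisks --DiskIds", json.dumps(disk_ids(PV_JSON)))
    for finding in audit(SC_JSON, PV_JSON, DISKS_JSON):
        print("FINDING", finding)
```

A disk created from a StorageClass without `encrypted: "true"` cannot be converted in place (see Limits), so a finding for such a PV means the data has to be migrated to a new encrypted volume; a key mismatch usually means the StorageClass kmsKeyId was changed after the disk was provisioned, since a disk keeps the key it was created with.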