All Products
Search
Document Center

Elastic Compute Service:Security capabilities overview

Last Updated:Apr 27, 2026

ECS provides layered security protection, including hardware encryption, trusted computing, and confidential computing.

Overview

ECS provides default memory encryption, trusted computing (vTPM), and confidential computing (Confidential VMs and enclaves).

  • Default memory encryption: Protects in-memory data from physical attacks with no changes to your OS or applications. Supported by default on instance families such as g8i general-purpose, c8i compute-optimized, and r8i memory-optimized.

  • Trusted computing: Trusted instances use a vTPM as the root of trust to enable trusted boot and verify core components during startup, ensuring they have not been tampered with.

  • Confidential computing: Uses CPU hardware encryption and isolation to provide a trusted execution environment (TEE) that protects data from unauthorized modification. Features such as remote attestation verify the integrity of the cloud platform and your instances.

Alibaba Cloud deploys the Ali-PRoT (Platform Root-of-Trust) hardware security chip on ECS hosts. This chip secures underlying hardware and firmware without extra configuration. Core capabilities include:

  • Proactive firmware measurement: Before host startup, Ali-PRoT verifies firmware integrity (such as BIOS and BMC). Unlike traditional passive recording methods, Ali-PRoT proactively detects and blocks potential threats before the firmware executes. Only verified servers can start.

  • Runtime tamper-proofing: Ali-PRoT continuously monitors firmware reads and writes at runtime and blocks unauthorized access and modifications in real time.

  • Hardware identity authentication: Ali-PRoT authenticates physical servers through the chip's unique hardware identity and the cloud platform's security control system, preventing unauthorized devices from accessing the platform.

Security capabilities at a glance

Best practices