You can enable the Account-level Elastic Block Storage (EBS) Default Encryption feature on a per-region basis. If you create disks, copy snapshots, or copy images in a region for which the feature is enabled, the disks, snapshot copies, or image copies are forcibly encrypted without the need to specify encryption parameters for each operation. This simplifies parameter configuration and improves user experience. The feature is suitable for the accounts of enterprises and security operators: it ensures that all new disks created by O&M personnel and resource creation personnel comply with security standards, and it allows encrypted resources to be managed centrally.
Limits
Take note of the following limits on the Account-level EBS Default Encryption feature:
This feature is supported only for specific users. If you want to use this feature, submit a ticket.
Before you can enable this feature for a Resource Access Management (RAM) user, the Alibaba Cloud account owner must attach the AliyunECSFullAccess policy to the RAM user to grant them the required permissions. For more information, see Grant permissions to a RAM user.
Before you can enable this feature for a region, you must activate Key Management Service (KMS) in the region. For more information, see Purchase and enable a KMS instance.
After you enable this feature for a region, the following limits apply in the region:
This feature takes effect on disks that are created after the feature is enabled and does not take effect on existing disks.
You cannot create non-encrypted disks, snapshot copies, or image copies.
You cannot create encrypted standard SSDs, ultra disks, or basic disks from non-encrypted snapshots or images.
Configure the Account-level EBS Default Encryption feature
Enable the Account-level EBS Default Encryption feature
You must configure the Account-level EBS Default Encryption feature by region. If you create disks, copy snapshots, or copy images in a region for which the Account-level EBS Default Encryption feature is enabled, the disks, snapshot copies, or image copies are forcibly encrypted.
Use the ECS console
Log on to the Elastic Compute Service (ECS) console.
In the Common Features section of the Overview page, click Configure Encryption Settings.
Click Add Region. Select the regions for which you want to enable the Account-level EBS Default Encryption feature, specify a default encryption key for each region that you selected, and then click Confirm.
Note: When you specify a default encryption key, you can select the service key whose alias is alias/acs/ecs or a customer master key (CMK) that you created in KMS from the drop-down list. For information about encryption keys, see the Encryption keys section of the "Encrypt cloud disks" topic. The CMK that you select must meet the region and permission requirements. For more information, see the Limits section of the "Encrypt cloud disks" topic.

Create an encrypted disk. For more information, see Create an empty data disk.
Encryption is automatically selected and cannot be cleared. The default encryption key of the region in which you create the disk is automatically used to encrypt the disk. You can select another encryption key from the encryption key drop-down list.
Note: If you create disks from snapshots, you can create only Enterprise SSDs (ESSDs), ESSD Entry disks, or ESSD AutoPL disks.

Call an API operation
Call the EnableDiskEncryptionByDefault operation to enable the Account-level EBS Default Encryption feature for a region.
Disable the Account-level EBS Default Encryption feature
You can disable the Account-level EBS Default Encryption feature by region based on your business requirements. If you want to encrypt a disk in a region after you disable the Account-level EBS Default Encryption feature for the region, you can select Encryption when you create the disk. For more information, see the Encrypt a cloud disk section of the "Encrypt cloud disks" topic.
Use the ECS console
Log on to the ECS console.
In the Common Features section of the Overview page, click Configure Encryption Settings.
Click the icon that corresponds to the region for which you want to disable the Account-level EBS Default Encryption feature.
Call an API operation
Call the DisableDiskEncryptionByDefault operation to disable the Account-level EBS Default Encryption feature for a region.
Encryption results
You can use one of the following methods to encrypt disks, snapshots, and images:
Enable encryption and specify encryption keys when you create disks, snapshots, and images.
Enable the Account-level EBS Default Encryption feature. If you create disks, copy snapshots, or copy images in a region for which the feature is enabled, the disks, snapshot copies, or image copies are automatically encrypted by using the region-specific default encryption key. If you specify encryption keys for the disks, snapshot copies, or image copies, the specified encryption keys take precedence over the region-specific default encryption key.
Note: If multiple encryption keys are available for a disk, snapshot copy, or image copy, the encryption key that has the highest priority is used. A disk, snapshot copy, or image copy selects an encryption key from the available encryption keys in the following order: User-specified encryption key > Encryption key of the source snapshot or image > Default encryption key > Service key whose alias is alias/acs/ecs.
Disk encryption results
Whether disk encryption is enabled | Disk source | Default Encryption disabled, no encryption key specified | Default Encryption disabled, encryption key specified | Default Encryption enabled, no encryption key specified | Default Encryption enabled, encryption key specified
No (Encryption is cleared when you create the disk.) | New empty disk | Not encrypted | N/A | Encrypted by using the default encryption key | N/A
No | A non-encrypted snapshot or image | Not encrypted | N/A | Encrypted by using the default encryption key | N/A
No | An encrypted snapshot or image | Encrypted by using the encryption key of the snapshot or image | N/A | Encrypted by using the encryption key of the snapshot or image | N/A
No | A non-encrypted snapshot or image shared by another account | Not encrypted | N/A | Encrypted by using the default encryption key | N/A
No | An encrypted snapshot or image shared by another account (Only encrypted snapshots that use Bring Your Own Key (BYOK) keys support sharing, and you must change the keys when you share the snapshots.) | Encrypted by using the service key | N/A | Encrypted by using the default encryption key | N/A
Yes (Encryption is selected when you create the disk.) | New empty disk | Encrypted by using the service key | Encrypted by using the specified encryption key | Encrypted by using the default encryption key | Encrypted by using the specified encryption key
Yes | A non-encrypted snapshot or image | Encrypted by using the service key | Encrypted by using the specified encryption key | Encrypted by using the default encryption key | Encrypted by using the specified encryption key
Yes | An encrypted snapshot or image | Encrypted by using the encryption key of the snapshot or image | Encrypted by using the specified encryption key | Encrypted by using the encryption key of the snapshot or image | Encrypted by using the specified encryption key
Yes | A non-encrypted snapshot or image shared by another account | Encrypted by using the service key | Encrypted by using the specified encryption key | Encrypted by using the default encryption key | Encrypted by using the specified encryption key
Yes | An encrypted snapshot or image shared by another account (Only encrypted snapshots that use BYOK keys support sharing, and you must change the keys when you share the snapshots.) | Encrypted by using the service key | Encrypted by using the specified encryption key | Encrypted by using the default encryption key | Encrypted by using the specified encryption key
Snapshot encryption results
Whether snapshot encryption is enabled | Snapshot source | Default Encryption disabled, no encryption key specified | Default Encryption disabled, encryption key specified | Default Encryption enabled, no encryption key specified | Default Encryption enabled, encryption key specified
N/A (snapshot creation) | A non-encrypted disk | Not encrypted | N/A | Not encrypted | N/A
N/A (snapshot creation) | An encrypted disk | Encrypted by using the encryption key of the disk | N/A | Encrypted by using the encryption key of the disk | N/A
No (Copy is selected when you copy the snapshot.) | A non-encrypted snapshot copied across regions (The Copy feature copies snapshots only across regions.) | Not encrypted | N/A | Encrypted by using the default encryption key of the destination region | N/A
No | An encrypted snapshot copied across regions | N/A (You can copy encrypted snapshots only by using the Copy and Encrypt feature.) | N/A | N/A (You can copy encrypted snapshots only by using the Copy and Encrypt feature.) | N/A
No | A non-encrypted snapshot shared by another account and copied across regions | Not encrypted | N/A | Encrypted by using the default encryption key of the destination region | N/A
No | An encrypted snapshot shared by another account and copied across regions | N/A (You can copy encrypted snapshots only by using the Copy and Encrypt feature.) | N/A | N/A (You can copy encrypted snapshots only by using the Copy and Encrypt feature.) | N/A
Yes (Copy and Encrypt is selected when you copy the snapshot.) | A snapshot copied and encrypted within a region, regardless of whether the snapshot is encrypted or shared by another account | Encrypted by using the service key of the current region | Encrypted by using the specified encryption key | Encrypted by using the default encryption key | Encrypted by using the specified encryption key
Yes | A snapshot copied and encrypted across regions, regardless of whether the snapshot is encrypted or shared by another account | Encrypted by using the service key of the destination region | Encrypted by using the specified encryption key | Encrypted by using the default encryption key of the destination region | Encrypted by using the specified encryption key
Image encryption results
Whether image encryption is enabled | Image source | Default Encryption disabled, no encryption key specified | Default Encryption disabled, encryption key specified | Default Encryption enabled, no encryption key specified | Default Encryption enabled, encryption key specified
N/A (image creation) | An ECS instance that has non-encrypted disks | Not encrypted | N/A | Not encrypted | N/A
N/A (image creation) | An ECS instance that has encrypted disks | Encrypted by using the encryption keys of the encrypted disks | N/A | Encrypted by using the encryption keys of the encrypted disks | N/A
No (Copy is selected when you copy the image.) | A non-encrypted image copied across regions (The Copy feature copies images only across regions.) | Not encrypted | N/A | Encrypted by using the default encryption key of the destination region | N/A
No | An encrypted image copied across regions | N/A (You can copy encrypted images only by using the Copy and Encrypt feature.) | N/A | N/A (You can copy encrypted images only by using the Copy and Encrypt feature.) | N/A
No | A non-encrypted image shared by another account and copied across regions | Not encrypted | N/A | Encrypted by using the default encryption key of the destination region | N/A
No | An encrypted image shared by another account and copied across regions | N/A (You can copy encrypted images only by using the Copy and Encrypt feature.) | N/A | N/A (You can copy encrypted images only by using the Copy and Encrypt feature.) | N/A
Yes (Copy and Encrypt is selected when you copy the image.) | An image copied and encrypted within a region, regardless of whether the image is encrypted or shared by another account | Encrypted by using the service key of the current region | Encrypted by using the specified encryption key | Encrypted by using the default encryption key | Encrypted by using the specified encryption key
Yes | An image copied and encrypted across regions, regardless of whether the image is encrypted or shared by another account | Encrypted by using the service key of the destination region | Encrypted by using the specified encryption key | Encrypted by using the default encryption key of the destination region | Encrypted by using the specified encryption key
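The three results tables above and the key-priority note can be checked mechanically before a resource is created, which is useful when a security team wants a policy test to predict whether a disk or copy will end up encrypted and with which key. The following Python module is an added example written for this page; it is not code from Alibaba Cloud or the ECS console. It encodes the disk table (including the limit that non-ESSD categories cannot be created from a non-encrypted snapshot or image once the feature is enabled) and the snapshot and image copy rows, which are identical. The disk category strings are the ECS category values for standard SSD, ultra and basic disks; the key identifiers used in the usage section are constructed placeholders. Snapshot and image creation rows are not modelled because they simply inherit the source disk's state.

```python
"""Model of the 'Encryption results' tables (added example, not Alibaba Cloud code)."""
from dataclasses import dataclass
from typing import Optional

SERVICE_KEY = "alias/acs/ecs"  # alias of the ECS service key named on the page

# ECS category values for standard SSD, ultra disk and basic disk. In a region where
# the feature is enabled these cannot be created from a non-encrypted snapshot/image.
NON_ESSD_CATEGORIES = {"cloud_ssd", "cloud_efficiency", "cloud"}


@dataclass
class Region:
    default_encryption: bool           # Account-level EBS Default Encryption enabled?
    default_key: Optional[str] = None  # region default key (set when the feature is on)


@dataclass
class Source:
    key: Optional[str] = None  # encryption key of the source; None means not encrypted
    shared: bool = False       # True when the snapshot/image is shared by another account

    @property
    def encrypted(self) -> bool:
        return self.key is not None


def disk_encryption(region: Region, source: Optional[Source], encryption_selected: bool,
                    specified_key: Optional[str] = None,
                    category: str = "cloud_essd") -> Optional[str]:
    """Return the key a new disk is encrypted with, or None if it stays plaintext.
    `source` is None for a new empty disk. Follows the 'Disk encryption results' table."""
    if region.default_encryption:
        # Console behaviour: Encryption is selected and cannot be cleared.
        encryption_selected = True
        if source is not None and not source.encrypted and category in NON_ESSD_CATEGORIES:
            raise ValueError("only ESSD-family disks can be created from a non-encrypted "
                             "snapshot or image when default encryption is enabled")
    if not encryption_selected:
        # Encryption cleared: an encrypted, non-shared source keeps its own key; an
        # encrypted shared (BYOK) source falls back to the service key.
        if source is not None and source.encrypted:
            return SERVICE_KEY if source.shared else source.key
        return None
    if specified_key:
        return specified_key  # user-specified key has the highest priority
    if source is not None and source.encrypted and not source.shared:
        return source.key     # next: key of the source snapshot or image
    return region.default_key if region.default_encryption else SERVICE_KEY


def copy_encryption(dest_region: Region, source: Source, encrypt: bool,
                    specified_key: Optional[str] = None,
                    cross_region: bool = True) -> Optional[str]:
    """Snapshot and image copy rows. encrypt=False is the Copy feature, encrypt=True is
    Copy and Encrypt. Returns None when the copy stays plaintext; raises when the table
    marks the combination as N/A. `dest_region` is the current region for in-region copies."""
    if not encrypt:
        if source.encrypted:
            raise ValueError("encrypted snapshots and images can only be copied "
                             "with Copy and Encrypt")
        if not cross_region:
            raise ValueError("the Copy feature copies only across regions")
        return dest_region.default_key if dest_region.default_encryption else None
    if specified_key:
        return specified_key
    return dest_region.default_key if dest_region.default_encryption else SERVICE_KEY


if __name__ == "__main__":
    # Constructed key ids, not real KMS resources.
    enabled = Region(True, "key-region-default")
    print(disk_encryption(enabled, Source(key="key-snapshot", shared=True), False))
    print(copy_encryption(Region(False), Source(), encrypt=True))
```

Running the module prints `key-region-default` (the shared encrypted source is re-encrypted with the region default, not with the sharer's key) and `alias/acs/ecs` (Copy and Encrypt with no key in a region where the feature is disabled).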
References
You can call API operations to perform the following tasks:
Change or reset the default encryption key used by the Account-level EBS Default Encryption feature in a region. For more information, see ModifyDiskDefaultKMSKeyId or ResetDiskDefaultKMSKeyId.
Query the default encryption key used by the Account-level EBS Default Encryption feature in a region. For more information, see DescribeDiskDefaultKMSKeyId.
Query whether the Account-level EBS Default Encryption feature is enabled in a region. For more information, see DescribeDiskEncryptionByDefaultStatus.
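The enable step, the disable step and the operations listed above fit together as a small enforcement routine: query the region's status, enable the feature only where it is off, and pin the region default key to the CMK the security team controls. The following Python script is an added example written for this page, not Alibaba Cloud's own tooling. It drives the Alibaba Cloud CLI (`aliyun ecs <Operation> --Param value`) through `subprocess` with the operation names given on this page. Assumptions that must be checked against the API reference: the DescribeDiskEncryptionByDefaultStatus response carries a boolean `Enabled` field, the DescribeDiskDefaultKMSKeyId response carries `KMSKeyId`, and ModifyDiskDefaultKMSKeyId accepts a `KMSKeyId` parameter. The runner is injectable so the logic can be exercised offline with a fake CLI; the key ids in the policy are constructed placeholders.

```python
"""Enforce Account-level EBS Default Encryption across regions (added example)."""
import json
import subprocess
from typing import Callable, Dict, List, Optional

Runner = Callable[[str, Dict[str, str]], dict]


def run_aliyun(operation: str, params: Dict[str, str]) -> dict:
    """Invoke one ECS API operation through the Alibaba Cloud CLI and parse its JSON."""
    cmd = ["aliyun", "ecs", operation]
    for name, value in params.items():
        cmd += [f"--{name}", value]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def enforce_region(region_id: str, kms_key_id: Optional[str],
                   run: Runner = run_aliyun) -> List[str]:
    """Enable default encryption in one region if it is off and set the region default
    key to kms_key_id (None keeps whatever key is configured). Returns the write
    operations performed, so the caller can log what changed. Idempotent: a second run
    on a compliant region performs no writes."""
    actions: List[str] = []
    status = run("DescribeDiskEncryptionByDefaultStatus", {"RegionId": region_id})
    if not status.get("Enabled", False):            # assumed response field name
        run("EnableDiskEncryptionByDefault", {"RegionId": region_id})
        actions.append("EnableDiskEncryptionByDefault")
    if kms_key_id:
        current = run("DescribeDiskDefaultKMSKeyId", {"RegionId": region_id})
        if current.get("KMSKeyId") != kms_key_id:    # assumed response field name
            run("ModifyDiskDefaultKMSKeyId",
                {"RegionId": region_id, "KMSKeyId": kms_key_id})  # assumed parameter name
            actions.append("ModifyDiskDefaultKMSKeyId")
    return actions


def enforce(policy: Dict[str, Optional[str]], run: Runner = run_aliyun) -> Dict[str, List[str]]:
    """policy maps region id -> CMK id to pin (None: leave the region default key alone)."""
    return {region_id: enforce_region(region_id, key, run) for region_id, key in policy.items()}


if __name__ == "__main__":
    # Constructed policy; replace the placeholder with the CMK id created in KMS for
    # that region (the CMK must satisfy the region and permission requirements).
    POLICY = {"cn-hangzhou": "<cmk-id-for-cn-hangzhou>", "cn-shanghai": None}
    print(json.dumps(enforce(POLICY), indent=2))
```

Because the feature only affects resources created after it is enabled, the routine does nothing for existing disks; pair it with an inventory query if you also need to find pre-existing unencrypted volumes. KMS must already be activated in each region in the policy, as the Limits section requires.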