All Products
Search
Document Center

Elastic Compute Service:Enable account-level default encryption for EBS

Last Updated:May 15, 2026

Enable per-region EBS default encryption to auto-encrypt all new disks, copied snapshots, and images for unified security compliance.

Limitations

Account-level default encryption has the following limitations:

  • Available only to specific users. To request access, submit a ticket.

  • To configure account-level default encryption, grant the AliyunECSFullAccess permission to a RAM user. See Manage RAM user permissions.

  • KMS is activated. See Purchase and enable a KMS instance.

  • After account-level default encryption is enabled:

    • Applies only to new disks. Existing disks are not affected.

    • Unencrypted disks cannot be created, and standard copies of snapshots or images are not supported.

    • Encrypted standard SSDs, ultra disks, or basic disks cannot be created from unencrypted snapshots or images.

Set up account-level default encryption for EBS

Enable account-level default encryption for EBS

Configure account-level default encryption per region. Once enabled, all new disks, copied snapshots, and copied images in that region are encrypted by default.

Use the console

  1. Log on to the ECS console.

  2. On the Overview page, in the Common Features section on the right, click Configure Encryption Settings.

  3. Click Add Region, select the region and default encryption key, then click OK.

    Note

    Select a service key (alias/acs/ecs) or a custom master key created in KMS. For encryption key details, see Encrypt a disk. For region and permission limits on master keys, see Encrypt a disk.

    image

  4. Create an encrypted disk. See Create an empty data disk.

    Encrypt is selected by default and cannot be deselected. The disk is encrypted with the configured default key. To use a different key, select one from the drop-down list.

    Note

    If you create a disk from a snapshot, only ESSD, ESSD Entry, or ESSD AutoPL disks are supported.

    image

Use the API

Call EnableDiskEncryptionByDefault to enable account-level default encryption for EBS.

Disable account-level default encryption for EBS

Disable account-level default encryption for a region at any time. Individual disks can still be encrypted manually. See Create an encrypted disk.

Use the console

  1. Log on to the ECS console.

  2. On the Overview page, in the Common Features section on the right, click Configure Encryption Settings.

  3. In the row for the target region, click the image icon to disable default encryption.

    image

Use the API

Call DisableDiskEncryptionByDefault to disable default encryption for the target region.

Encryption results

Disks, snapshots, and images can be encrypted in two ways:

  • Specify an encryption key when creating a disk, snapshot, or image.

  • With account-level default encryption enabled, new disks and copied snapshots or images are encrypted with the configured default key. A specified key takes precedence over the default key.

    Note

    When multiple keys apply, the highest-priority key is used: Specified key > Snapshot key (for disks created from snapshots or for copied snapshots) > Configured default key > Service key (alias/acs/ecs).

Disk encryption results

Encryption specified

Disk source

Account-level default encryption disabled

Account-level default encryption enabled

Default (key not specified)

Custom (key specified)

Default (key not specified)

Custom (key specified)

No

(Did not select Encrypt when creating the disk)

New (empty) disk

Not encrypted

Not applicable

Encrypted with the configured default key

Not applicable

From an unencrypted snapshot/image

Not encrypted

Encrypted with the configured default key

From an encrypted snapshot/image

Encrypted with the snapshot/image key

Encrypted with the snapshot/image key

From a shared unencrypted snapshot/image

Not encrypted

Encrypted with the configured default key

From a shared encrypted snapshot/image

(Only snapshots encrypted with a Bring-Your-Own-Key (BYOK) key can be shared, and the key must be changed when sharing)

Encrypted with the service key

Encrypted with the configured default key

Yes

(Selected Encrypt when creating the disk)

New (empty) disk

Encrypted with the service key

Encrypted with the specified key

Encrypted with the configured default key

Encrypted with the specified key

From an unencrypted snapshot/image

Encrypted with the service key

Encrypted with the specified key

Encrypted with the configured default key

Encrypted with the specified key

From an encrypted snapshot/image

Encrypted with the snapshot's key

Encrypted with the specified key

Encrypted with the snapshot's key

Encrypted with the specified key

From a shared unencrypted snapshot/image

Encrypted with the service key

Encrypted with the specified key

Encrypted with the configured default key

Encrypted with the specified key

From a shared encrypted snapshot/image

(Only snapshots encrypted with a Bring-Your-Own-Key (BYOK) key can be shared, and the key must be changed when sharing)

Encrypted with the service key

Encrypted with the specified key

Encrypted with the configured default key

Encrypted with the specified key

Snapshot encryption results

Specify Encryption

Snapshot source

Account-level default encryption disabled

Account-level default encryption enabled

Default (key not specified)

Custom (key specified)

Default (key not specified)

Custom (key specified)

Not applicable

(When creating a snapshot)

Creating an Unencrypted Cloud Disk

Not encrypted

Not applicable

Not encrypted

Not applicable

Creating an Encrypted Cloud Disk

Encrypted with the disk's key

Encrypted with the disk's key

No

(Selected Copy when copying the snapshot)

Cross-region copy of an unencrypted snapshot

(Standard copy is only supported for cross-region copies)

Not encrypted

Encrypted with the default key configured in the destination region

Cross-region copy of an encrypted snapshot

(Standard copy is only supported for cross-region copies)

Not applicable

(Encrypted snapshots only support encrypted copy)

Not applicable

(Encrypted snapshots only support encrypted copy)

Cross-region copy of a shared unencrypted snapshot

Not encrypted

Encrypted with the default key configured in the destination region

Cross-region copy of a shared encrypted snapshot

Not applicable

(Encrypted snapshots only support encrypted copy)

Not applicable

(Encrypted snapshots only support encrypted copy)

Yes

(Selected Copy and Encrypt when copying the snapshot)

Encrypted copy of a snapshot (any type) in the same region

Encrypted with the service key of the current region

Encrypted with the specified key

Encrypted with the configured default key

Encrypted with the specified key

Encrypted copy of a snapshot (any type) to another region

Encrypted with the service key of the destination region

Encrypted with the default key configured in the destination region

Image encryption results

Encryption specified

Image Source

Account-level default encryption disabled

Account-level default encryption enabled

Default (key not specified)

Custom (key specified)

Default (key not specified)

Custom (key specified)

Not applicable

(When creating an image)

Created from an ECS instance with unencrypted disks

Not encrypted

Not applicable

Not encrypted

Not applicable

Creating an ECS instance with an encrypted cloud disk

Encrypted with the disk's key

Encrypted with the disk's key

No

(Selected Copy when copying the image)

Cross-region copy of an unencrypted image

(Standard copy is only supported for cross-region copies)

Not encrypted

Encrypted with the default key configured in the destination region

Cross-region copy of an encrypted image

(Standard copy is only supported for cross-region copies)

Not applicable

(Encrypted images only support encrypted copy)

Not applicable

(Encrypted images only support encrypted copy)

Cross-region copy of a shared unencrypted image

Not encrypted

Encrypted with the default key configured in the destination region

Cross-region copy of a shared encrypted image

Not applicable

(Encrypted images only support encrypted copy)

Not applicable

(Encrypted snapshots support only encrypted replication.)

Yes

(Selected Copy and Encrypt when copying the image)

Encrypted copy of an image (any type) in the same region

Encrypted with the service key of the current region

Encrypted with the specified key

Encrypted with the configured default key

Encrypted with the specified key

Encrypted copy of an image (any type) to another region

Encrypted with the service key of the destination region

Encrypted with the default key configured in the destination region

References

Use the API to manage default encryption: