Enable per-region EBS default encryption to auto-encrypt all new disks, copied snapshots, and images for unified security compliance.
Limitations
Account-level default encryption has the following limitations:
-
Available only to specific users. To request access, submit a ticket.
-
To configure account-level default encryption, grant the AliyunECSFullAccess permission to a RAM user. See Manage RAM user permissions.
-
KMS is activated. See Purchase and enable a KMS instance.
-
After account-level default encryption is enabled:
-
Applies only to new disks. Existing disks are not affected.
-
Unencrypted disks cannot be created, and standard copies of snapshots or images are not supported.
-
Encrypted standard SSDs, ultra disks, or basic disks cannot be created from unencrypted snapshots or images.
-
Set up account-level default encryption for EBS
Enable account-level default encryption for EBS
Configure account-level default encryption per region. Once enabled, all new disks, copied snapshots, and copied images in that region are encrypted by default.
Use the console
-
Log on to the ECS console.
-
On the Overview page, in the Common Features section on the right, click Configure Encryption Settings.
-
Click Add Region, select the region and default encryption key, then click OK.
NoteSelect a service key (alias/acs/ecs) or a custom master key created in KMS. For encryption key details, see Encrypt a disk. For region and permission limits on master keys, see Encrypt a disk.

-
Create an encrypted disk. See Create an empty data disk.
Encrypt is selected by default and cannot be deselected. The disk is encrypted with the configured default key. To use a different key, select one from the drop-down list.
NoteIf you create a disk from a snapshot, only ESSD, ESSD Entry, or ESSD AutoPL disks are supported.

Use the API
Call EnableDiskEncryptionByDefault to enable account-level default encryption for EBS.
Disable account-level default encryption for EBS
Disable account-level default encryption for a region at any time. Individual disks can still be encrypted manually. See Create an encrypted disk.
Use the console
-
Log on to the ECS console.
-
On the Overview page, in the Common Features section on the right, click Configure Encryption Settings.
-
In the row for the target region, click the
icon to disable default encryption.
Use the API
Call DisableDiskEncryptionByDefault to disable default encryption for the target region.
Encryption results
Disks, snapshots, and images can be encrypted in two ways:
-
Specify an encryption key when creating a disk, snapshot, or image.
-
With account-level default encryption enabled, new disks and copied snapshots or images are encrypted with the configured default key. A specified key takes precedence over the default key.
NoteWhen multiple keys apply, the highest-priority key is used: Specified key > Snapshot key (for disks created from snapshots or for copied snapshots) > Configured default key > Service key (alias/acs/ecs).
Disk encryption results
|
Encryption specified |
Disk source |
Account-level default encryption disabled |
Account-level default encryption enabled |
||
|
Default (key not specified) |
Custom (key specified) |
Default (key not specified) |
Custom (key specified) |
||
|
No (Did not select Encrypt when creating the disk) |
New (empty) disk |
Not encrypted |
Not applicable |
Encrypted with the configured default key |
Not applicable |
|
From an unencrypted snapshot/image |
Not encrypted |
Encrypted with the configured default key |
|||
|
From an encrypted snapshot/image |
Encrypted with the snapshot/image key |
Encrypted with the snapshot/image key |
|||
|
From a shared unencrypted snapshot/image |
Not encrypted |
Encrypted with the configured default key |
|||
|
From a shared encrypted snapshot/image (Only snapshots encrypted with a Bring-Your-Own-Key (BYOK) key can be shared, and the key must be changed when sharing) |
Encrypted with the service key |
Encrypted with the configured default key |
|||
|
Yes (Selected Encrypt when creating the disk) |
New (empty) disk |
Encrypted with the service key |
Encrypted with the specified key |
Encrypted with the configured default key |
Encrypted with the specified key |
|
From an unencrypted snapshot/image |
Encrypted with the service key |
Encrypted with the specified key |
Encrypted with the configured default key |
Encrypted with the specified key |
|
|
From an encrypted snapshot/image |
Encrypted with the snapshot's key |
Encrypted with the specified key |
Encrypted with the snapshot's key |
Encrypted with the specified key |
|
|
From a shared unencrypted snapshot/image |
Encrypted with the service key |
Encrypted with the specified key |
Encrypted with the configured default key |
Encrypted with the specified key |
|
|
From a shared encrypted snapshot/image (Only snapshots encrypted with a Bring-Your-Own-Key (BYOK) key can be shared, and the key must be changed when sharing) |
Encrypted with the service key |
Encrypted with the specified key |
Encrypted with the configured default key |
Encrypted with the specified key |
|
Snapshot encryption results
|
Specify Encryption |
Snapshot source |
Account-level default encryption disabled |
Account-level default encryption enabled |
||
|
Default (key not specified) |
Custom (key specified) |
Default (key not specified) |
Custom (key specified) |
||
|
Not applicable (When creating a snapshot) |
Creating an Unencrypted Cloud Disk |
Not encrypted |
Not applicable |
Not encrypted |
Not applicable |
|
Creating an Encrypted Cloud Disk |
Encrypted with the disk's key |
Encrypted with the disk's key |
|||
|
No (Selected Copy when copying the snapshot) |
Cross-region copy of an unencrypted snapshot (Standard copy is only supported for cross-region copies) |
Not encrypted |
Encrypted with the default key configured in the destination region |
||
|
Cross-region copy of an encrypted snapshot (Standard copy is only supported for cross-region copies) |
Not applicable (Encrypted snapshots only support encrypted copy) |
Not applicable (Encrypted snapshots only support encrypted copy) |
|||
|
Cross-region copy of a shared unencrypted snapshot |
Not encrypted |
Encrypted with the default key configured in the destination region |
|||
|
Cross-region copy of a shared encrypted snapshot |
Not applicable (Encrypted snapshots only support encrypted copy) |
Not applicable (Encrypted snapshots only support encrypted copy) |
|||
|
Yes (Selected Copy and Encrypt when copying the snapshot) |
Encrypted copy of a snapshot (any type) in the same region |
Encrypted with the service key of the current region |
Encrypted with the specified key |
Encrypted with the configured default key |
Encrypted with the specified key |
|
Encrypted copy of a snapshot (any type) to another region |
Encrypted with the service key of the destination region |
Encrypted with the default key configured in the destination region |
|||
Image encryption results
|
Encryption specified |
Image Source |
Account-level default encryption disabled |
Account-level default encryption enabled |
||
|
Default (key not specified) |
Custom (key specified) |
Default (key not specified) |
Custom (key specified) |
||
|
Not applicable (When creating an image) |
Created from an ECS instance with unencrypted disks |
Not encrypted |
Not applicable |
Not encrypted |
Not applicable |
|
Creating an ECS instance with an encrypted cloud disk |
Encrypted with the disk's key |
Encrypted with the disk's key |
|||
|
No (Selected Copy when copying the image) |
Cross-region copy of an unencrypted image (Standard copy is only supported for cross-region copies) |
Not encrypted |
Encrypted with the default key configured in the destination region |
||
|
Cross-region copy of an encrypted image (Standard copy is only supported for cross-region copies) |
Not applicable (Encrypted images only support encrypted copy) |
Not applicable (Encrypted images only support encrypted copy) |
|||
|
Cross-region copy of a shared unencrypted image |
Not encrypted |
Encrypted with the default key configured in the destination region |
|||
|
Cross-region copy of a shared encrypted image |
Not applicable (Encrypted images only support encrypted copy) |
Not applicable (Encrypted snapshots support only encrypted replication.) |
|||
|
Yes (Selected Copy and Encrypt when copying the image) |
Encrypted copy of an image (any type) in the same region |
Encrypted with the service key of the current region |
Encrypted with the specified key |
Encrypted with the configured default key |
Encrypted with the specified key |
|
Encrypted copy of an image (any type) to another region |
Encrypted with the service key of the destination region |
Encrypted with the default key configured in the destination region |
|||
References
Use the API to manage default encryption:
-
Modify the default encryption key: ModifyDiskDefaultKMSKeyId or ResetDiskDefaultKMSKeyId
-
Query the default encryption key: DescribeDiskDefaultKMSKeyId
-
Query default encryption status: DescribeDiskEncryptionByDefaultStatus