
Elastic Compute Service:Encrypt a system disk

Last Updated:Apr 17, 2024

You can encrypt the system disk when you create an Elastic Compute Service (ECS) instance or when you copy a custom image. All data written to an encrypted system disk is encrypted at rest, which improves data security.

Encryption methods

You can use one of the following methods to encrypt a system disk:

  • Method 1: Encrypt the system disk when you create an ECS instance

  • Method 2: Copy a custom image to create an encrypted system disk

    When you copy a custom image, you can select Copy and Encrypt to encrypt the image copy, and then use the encrypted image copy to create an ECS instance. The system disk and data disks of that instance are encrypted by default. The following figure shows how to create an encrypted system disk from an image copy that is encrypted during the copy process.

    Whether the system disk created this way is encrypted, and with which key, depends on two settings: whether you enabled encryption when you copied the custom image, and whether you encrypted the system disk when you created the ECS instance from that image. A key selected at instance creation takes precedence over the key used for the image copy. The following list covers each combination, where key A is the key selected at instance creation and key B is the key selected when the image is copied.

      • Image copy not encrypted; system disk not encrypted at instance creation: the system disk is unencrypted.

      • Image copy not encrypted; system disk encrypted with key A at instance creation: the system disk is encrypted with key A. For more information, see the Encrypt the system disk when you create an ECS instance section of this topic.

      • Image copy encrypted with key B; system disk not encrypted at instance creation: the system disk is encrypted with key B. For more information, see the Copy a custom image to create an encrypted system disk section of this topic.

      • Image copy encrypted with key B; system disk encrypted with key A at instance creation: the system disk is encrypted with key A, and key B is not used for it. For more information, see the Encrypt the system disk when you create an ECS instance and Copy a custom image to create an encrypted system disk sections of this topic.

Prerequisites

A Key Management Service (KMS) instance is created and enabled. For more information, see Purchase and enable a KMS instance.

Encrypt the system disk when you create an ECS instance

When you create an instance, you can select Encryption in the Storage section and choose a key to encrypt the system disk. This section describes only how to configure the disk encryption settings. For information about the other instance settings, see Create an instance on the Custom Launch tab.

Limitations

  • Instance family: The instance cannot belong to the ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, or ecs.ebmhfg5 instance family. For more information, see Overview of instance families.

  • Disk category: Only Enhanced SSDs (ESSDs), ESSD AutoPL disks, and ESSD Entry disks are supported.

Procedure

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the Instances page, click Create Instance.

  5. In the Storage section, encrypt the system disk.

    1. Select Enhanced SSD (ESSD) and specify a capacity for the system disk in the Storage section.

    2. Select Encryption and select a key from the drop-down list.


      You can select Default Service CMK or select a custom customer master key (CMK) that has been created in KMS.

      Note
      • In the drop-down list, you can click Go to Authorize and follow the on-screen instructions to attach the AliyunECSDiskEncryptDefaultRole role, which allows ECS to access your KMS resources on your behalf. For more information, see Use instance RAM roles to control access to resources.

      • Custom CMKs cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), or South Korea (Seoul) region. Only Default Service CMK is available there.

Copy a custom image to create an encrypted system disk

When you copy a custom image within a region or across regions, you can encrypt the image copy. When you later create an ECS instance from the encrypted custom image, the system disk and data disks of the instance are encrypted by default. You can encrypt the image copy in the ECS console or by calling the CopyImage operation.

Use the ECS console

This section describes how to copy an existing custom image and encrypt the image copy in the ECS console. Then, you can create an encrypted system disk from the encrypted image copy. If no custom images are available, create a custom image. For more information, see Create a custom image from a snapshot or Create a custom image from an instance.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Images.

  3. In the upper-left corner of the top navigation bar, select the region in which the custom image resides.

  4. On the Images page, click the Custom Images tab.

  5. Find the custom image that you want to copy and click Copy Image in the Actions column.

  6. In the Copy Image dialog box, set Copy Mode to Copy and Encrypt, select a destination region, and then select an encryption key.

    Note

    This step describes only how to configure the encryption settings when you copy a custom image. For information about other configurations, see Copy a custom image.


    You can select Default Service CMK or select a custom customer master key (CMK) that has been created in KMS.

    Note

    In the drop-down list, you can click Go to Authorize and follow the on-screen instructions to attach the AliyunECSDiskEncryptDefaultRole role, which allows ECS to access your KMS resources on your behalf. For more information, see Use instance RAM roles to control access to resources.

  7. Click Confirm.

Call an API operation

You can encrypt a custom image copy when you call the CopyImage operation.

In this example, Alibaba Cloud CLI is used to call the CopyImage operation with Encrypted set to true. The KMSKeyId parameter specifies the KMS key that encrypts the image copy; a system disk created from the copy is encrypted with this key unless you select a different key when you create the instance. Repeated parameters such as tags are indexed (Tag.1.Key, Tag.2.Key, and so on).

# Copy image m-bp155shrycg3s0****** from cn-hongkong to cn-shenzhen and encrypt the copy
# with the KMS key e522b26d-abf6-4e0d-b5da-04b7******3c (both IDs masked as in the original).
aliyun ecs CopyImage --RegionId cn-hongkong \
  --ImageId m-bp155shrycg3s0****** --DestinationRegionId cn-shenzhen \
  --Encrypted true --KMSKeyId e522b26d-abf6-4e0d-b5da-04b7******3c \
  --Tag.1.Key EcsDocumentation
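After the image copy is encrypted and an instance is created from it, the practical check is to confirm that every disk of the instance actually ended up encrypted with the key you intended, because the precedence rules above mean the instance-creation key silently overrides the image copy's key, and a disk attached later may not be encrypted at all. The following script is an added example, not Alibaba Cloud's own tooling. It assumes its input has the shape of a DescribeDisks response (for example the output of `aliyun ecs DescribeDisks --InstanceId <id>`), with Disks.Disk[] entries carrying DiskId, Type, Category, Encrypted and KMSKeyId; that an encrypted disk reporting no KMSKeyId was encrypted with the Default Service CMK; and that the category identifiers cloud_essd, cloud_auto and cloud_essd_entry denote ESSD, ESSD AutoPL and ESSD Entry disks. The sample response, the disk IDs and the key names key-a and key-b are constructed to mirror the precedence list in this topic.

```python
"""Check that an ECS instance's disks came out encrypted with the intended key.

Added example (not Alibaba Cloud code). Assumptions are listed in the lead-in:
DescribeDisks-shaped input, empty KMSKeyId on an encrypted disk means the
Default Service CMK, and the ESSD-family category identifiers below.
"""
import json
from typing import Dict, List, Optional

# Marker used when a disk is encrypted but reports no custom KMS key ID.
DEFAULT_SERVICE_CMK = "<Default Service CMK>"

# Disk categories this topic says support encryption (assumed identifiers).
ENCRYPTABLE_CATEGORIES = {"cloud_essd", "cloud_auto", "cloud_essd_entry"}


def expected_system_disk_key(image_copy_key: Optional[str],
                             instance_disk_key: Optional[str]) -> Optional[str]:
    """Key the system disk ends up with, following the precedence in this topic.

    image_copy_key: key chosen under Copy and Encrypt (None if the copy was not
    encrypted). instance_disk_key: key chosen in the Storage section at instance
    creation (None if Encryption was not selected). The instance-creation key
    wins; a None result means the system disk is unencrypted.
    """
    if instance_disk_key is not None:
        return instance_disk_key
    return image_copy_key


def audit_disks(describe_disks_response: str,
                expected_key: Optional[str]) -> Dict[str, object]:
    """Audit every disk in a DescribeDisks response.

    Flags disks that are not encrypted and, when expected_key is given, disks
    encrypted with a different key (for example the Default Service CMK instead
    of your custom CMK). Returns a summary dict with findings as plain strings.
    """
    disks = json.loads(describe_disks_response)["Disks"]["Disk"]
    findings: List[str] = []
    for d in disks:
        label = f"{d['DiskId']} ({d.get('Type', '?')} disk, {d.get('Category', '?')})"
        if not d.get("Encrypted", False):
            hint = ""
            if d.get("Category") not in ENCRYPTABLE_CATEGORIES:
                hint = "; category does not support encryption, move the data to an ESSD-family disk"
            findings.append(f"{label}: not encrypted{hint}")
            continue
        actual_key = d.get("KMSKeyId") or DEFAULT_SERVICE_CMK
        if expected_key is not None and actual_key != expected_key:
            findings.append(f"{label}: encrypted with {actual_key}, expected {expected_key}")
    return {"ok": not findings, "disk_count": len(disks), "findings": findings}


# Constructed sample in the shape of a DescribeDisks response. The instance was
# created from an image copy encrypted with key-b while key-a was selected for
# the system disk, so the system disk carries key-a and the image's data disk
# keeps key-b; a cloud_efficiency data disk was attached afterwards unencrypted.
SAMPLE_DESCRIBE_DISKS = json.dumps({
    "Disks": {"Disk": [
        {"DiskId": "d-sys0001", "Type": "system", "Category": "cloud_essd",
         "Encrypted": True, "KMSKeyId": "key-a"},
        {"DiskId": "d-data0001", "Type": "data", "Category": "cloud_essd",
         "Encrypted": True, "KMSKeyId": "key-b"},
        {"DiskId": "d-data0002", "Type": "data", "Category": "cloud_efficiency",
         "Encrypted": False, "KMSKeyId": ""},
    ]}
})


if __name__ == "__main__":
    print("system disk key:", expected_system_disk_key("key-b", "key-a"))
    result = audit_disks(SAMPLE_DESCRIBE_DISKS, expected_key="key-a")
    print("ok:", result["ok"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run the script against the real response by piping `aliyun ecs DescribeDisks --InstanceId <id>` into it and passing the key ID you selected; any finding means the disk does not match the encryption posture you intended, and an unencrypted disk outside the ESSD family cannot simply be encrypted in place.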

References

  • When you create an ECS instance from an encrypted custom image, the system disk and data disks of the instance are encrypted. For information about how to create an instance from a custom image, see Create an ECS instance by using a custom image.

  • You can also use an encrypted custom image to replace the system disk of an ECS instance. The new system disk is encrypted by default. For more information, see Replace the operating system of an instance.