You can encrypt the system disk when you create an Elastic Compute Service (ECS) instance or copy a custom image. All data on an encrypted system disk is encrypted, leading to higher data security.
Encryption methods
You can use one of the following methods to encrypt a system disk:
Method 1: Encrypt the system disk when you create an ECS instance
Method 2: Copy a custom image to create an encrypted system disk
When you copy a custom image, you can select Copy and Encrypt to encrypt the custom image, and then use the encrypted custom image to create an ECS instance. This way, the system disk and data disks are encrypted disks by default. The following figure shows how to create an encrypted system disk based on a copied custom image that is encrypted in the copy process.
The encryption status of the system disk created using this method is determined by whether encryption is enabled when you copy the custom image and whether the system disk is encrypted when you create the ECS instance using the custom image. The following table provides details.
| Enable encryption when you copy the custom image | Encrypt the system disk when you create an ECS instance using the custom image | Whether the system disk of the ECS instance is encrypted and which key is used for the encryption |
| --- | --- | --- |
| No | No | Unencrypted |
| No | Yes, and key A is used for the encryption. For more information, see the Encrypt the system disk when you create an ECS instance section of this topic. | Encrypted, and key A is used for the encryption. |
| Yes, and key B is used for the encryption. For more information, see the Copy a custom image to create an encrypted system disk section of this topic. | No | Encrypted, and key B is used for the encryption. |
| Yes, and key B is used for the encryption. For more information, see the Copy a custom image to create an encrypted system disk section of this topic. | Yes, and key A is used for the encryption. For more information, see the Encrypt the system disk when you create an ECS instance section of this topic. | Encrypted, and key A is used for the encryption. |
Prerequisites
A Key Management Service (KMS) instance is created and enabled. For more information, see Purchase and enable a KMS instance.
Encrypt the system disk of an instance when you create an instance
You can select Encryption and select a key in the Storage section to encrypt the system disk of an instance when you create the instance. This section describes only how to configure the disk encryption settings when you create an instance. For information about other configurations of the instance, see Create an instance on the Custom Launch tab.
Limitations
| Item | Description |
| --- | --- |
| Instance family | The instance family of the instance cannot be ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, or ecs.ebmhfg5. For more information, see Overview of instance families. |
| Disk category | Only Enhanced SSDs (ESSDs), ESSD AutoPL disks, and ESSD Entry disks are supported. |
Procedure
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Instances page, click Create Instance.
In the Storage section, encrypt the system disk.
Select Enhanced SSD (ESSD) and specify a capacity for the system disk in the Storage section.
Select Encryption and select a key from the drop-down list.
You can select Default Service CMK or select a custom customer master key (CMK) that has been created in KMS.
Note: In the drop-down list, you can click Go to Authorize and follow the on-screen instructions to attach the AliyunECSDiskEncryptDefaultRole role to allow ECS to access your KMS resources. For more information, see Use instance RAM roles to control access to resources.
Custom CMKs cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), or South Korea (Seoul) regions.
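The limitations above are easy to get wrong in automation, so here is an added pre-flight check (example code, not Alibaba Cloud's own) that rejects a deployment plan before any instance is created. The blocked instance families come from this topic; the API disk category strings (cloud_essd, cloud_auto, cloud_essd_entry) and the region IDs mapped to the four regions named in the note are assumptions to confirm against the current ECS API reference.

```python
"""Pre-flight check before encrypting a system disk at instance creation.

Added example; not Alibaba Cloud's own code. It encodes the limitations
listed for this method (blocked instance families, supported disk
categories, regions where only the default service CMK is allowed) so a
bad deployment plan is rejected before any API call is made.
"""

# Instance families listed on this page as unable to use an encrypted system disk.
BLOCKED_FAMILIES = {
    "ecs.ebmg5", "ecs.ebmgn5t", "ecs.ebmi3", "ecs.sccg5",
    "ecs.scch5", "ecs.ebmc4", "ecs.ebmhfg5",
}

# Disk categories that support encryption: ESSD, ESSD AutoPL, ESSD Entry.
# The API category strings are an assumption; confirm against the ECS API reference.
ENCRYPTABLE_CATEGORIES = {"cloud_essd", "cloud_auto", "cloud_essd_entry"}

# Regions where a custom CMK cannot be selected (page text); the region IDs
# mapped to those region names are an assumption.
DEFAULT_CMK_ONLY_REGIONS = {"cn-nanjing", "cn-fuzhou", "ap-southeast-7", "ap-northeast-2"}


def instance_family(instance_type: str) -> str:
    """Map an instance type such as 'ecs.ebmg5.24xlarge' to its family 'ecs.ebmg5'."""
    parts = instance_type.split(".")
    if len(parts) < 3 or parts[0] != "ecs":
        raise ValueError(f"unexpected instance type format: {instance_type!r}")
    return ".".join(parts[:2])


def check_plan(plan: dict) -> list:
    """Return the reasons this plan cannot produce an encrypted system disk.

    plan keys: region_id, instance_type, system_disk_category, encrypted (bool),
    kms_key_id (custom CMK ID, or None for the Default Service CMK).
    An empty list means the plan passes every check.
    """
    problems = []
    family = instance_family(plan["instance_type"])
    if family in BLOCKED_FAMILIES:
        problems.append(f"instance family {family} does not support system disk encryption")
    category = plan["system_disk_category"]
    if category not in ENCRYPTABLE_CATEGORIES:
        problems.append(f"disk category {category} cannot be encrypted; use an ESSD category")
    if not plan.get("encrypted", False):
        problems.append("Encryption is not selected for the system disk")
    if plan.get("kms_key_id") and plan["region_id"] in DEFAULT_CMK_ONLY_REGIONS:
        problems.append(f"custom CMK not allowed in {plan['region_id']}; use Default Service CMK")
    return problems


if __name__ == "__main__":
    # Constructed plans: one valid, one that breaks several rules at once.
    good = {"region_id": "cn-hangzhou", "instance_type": "ecs.g7.large",
            "system_disk_category": "cloud_essd", "encrypted": True, "kms_key_id": None}
    bad = {"region_id": "ap-northeast-2", "instance_type": "ecs.ebmg5.24xlarge",
           "system_disk_category": "cloud_efficiency", "encrypted": True,
           "kms_key_id": "key-example-custom"}
    print("good:", check_plan(good) or "passes")
    print("bad:", check_plan(bad))
```

Run the check as a gate in your provisioning pipeline: a non-empty result means the console or API call would either fail or silently produce an unencrypted system disk, which is the case worth catching before launch rather than in a later audit.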
Copy a custom image to create encrypted system disks
When you copy custom images within a region or across regions, you can encrypt the image copy. When you later create an ECS instance from the encrypted custom image, the system disk and data disks of the instance are encrypted disks. You can perform the encryption when you copy the image in the ECS console or by calling the CopyImage operation.
Use the ECS console
This section describes how to copy an existing custom image and encrypt the image copy in the ECS console. Then, you can create an encrypted system disk from the encrypted image copy. If no custom images are available, create a custom image. For more information, see Create a custom image from a snapshot or Create a custom image from an instance.
Log on to the ECS console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select the region in which the instance resides.
On the Images page, click the Custom Images tab.
Find the custom image that you want to copy and click Copy Image in the Actions column.
In the Copy Image dialog box, set Copy Mode to Copy and Encrypt, select a destination region, and then select an encryption key.
Note: This step describes only how to configure the encryption settings when you copy a custom image. For information about other configurations, see Copy a custom image.
You can select Default Service CMK or select a custom customer master key (CMK) that has been created in KMS.
Note: In the drop-down list, you can click Go to Authorize and follow the on-screen instructions to attach the AliyunECSDiskEncryptDefaultRole role to allow ECS to access your KMS resources. For more information, see Use instance RAM roles to control access to resources.
Click Confirm.
Call an API operation
You can encrypt a custom image when you call the CopyImage operation to copy it.
In this example, Alibaba Cloud CLI is used to call the CopyImage operation. The Encrypted parameter enables encryption of the image copy, and the KMSKeyId parameter specifies the key that is used for the copy and, later, for the system disks of instances created from it.
aliyun ecs CopyImage --RegionId cn-hongkong \
--ImageId m-bp155shrycg3s0****** --DestinationRegionId cn-shenzhen \
--Encrypted true --KMSKeyId e522b26d-abf6-4e0d-b5da-04b7******3c \
--Tag.1.Key EcsDocumentation
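Whichever path you take (Copy and Encrypt, or Encryption at instance creation), the key that ends up on the system disk follows the precedence table earlier in this topic. The following added example (not Alibaba Cloud's own code) models that rule and uses it to audit a DescribeDisks-style response, so you can confirm after the fact that every system disk is encrypted with the key you intended. The response is constructed, and the field names it relies on (Disks.Disk[].Type, InstanceId, Encrypted, KMSKeyId, DiskId) are an assumption to confirm against the current DescribeDisks API reference.

```python
"""Check that system disks were encrypted with the key the page's rules predict.

Added example; not Alibaba Cloud's own code. expected_system_disk_key()
models the precedence described in this topic: a key chosen under Storage >
Encryption at instance creation (key A) wins; otherwise the key chosen with
Copy and Encrypt when the image was copied (key B) applies; otherwise the
disk is unencrypted. audit_system_disks() compares that prediction with a
DescribeDisks-style response. The response below is constructed, and the
field names (Disks.Disk[].Type, InstanceId, Encrypted, KMSKeyId, DiskId) are
an assumption to confirm against the current DescribeDisks API reference.
"""
import json


def expected_system_disk_key(image_copy_key, instance_create_key):
    """Return the KMS key ID the system disk should be encrypted with, or None.

    image_copy_key:      key B used with Copy and Encrypt, or None if the image copy was not encrypted.
    instance_create_key: key A selected when creating the instance, or None if Encryption was not selected.
    """
    if instance_create_key:
        return instance_create_key
    return image_copy_key


def audit_system_disks(describe_disks_json, expectations):
    """Compare each instance's system disk with its expected encryption state.

    expectations maps instance ID -> (image_copy_key, instance_create_key).
    Returns a dict of instance ID -> 'ok' or a finding string.
    """
    # Instances that never show a system disk keep this default finding.
    results = {iid: "no system disk found in response" for iid in expectations}
    for disk in json.loads(describe_disks_json)["Disks"]["Disk"]:
        if disk["Type"] != "system" or disk["InstanceId"] not in expectations:
            continue  # data disks and unknown instances are out of scope here
        iid = disk["InstanceId"]
        expected = expected_system_disk_key(*expectations[iid])
        actual = disk["KMSKeyId"] if disk["Encrypted"] else None
        if expected is None and actual is None:
            results[iid] = "ok"
        elif expected is None:
            results[iid] = f"encrypted with {actual} although no encryption was configured"
        elif actual is None:
            results[iid] = f"not encrypted (expected key {expected}) on disk {disk['DiskId']}"
        elif actual != expected:
            results[iid] = f"wrong key {actual} (expected {expected}) on disk {disk['DiskId']}"
        else:
            results[iid] = "ok"
    return results


# Constructed DescribeDisks-style response; IDs and key IDs are placeholders.
SAMPLE_DESCRIBE_DISKS = json.dumps({"Disks": {"Disk": [
    {"DiskId": "d-example-1", "InstanceId": "i-example-1", "Type": "system",
     "Category": "cloud_essd", "Encrypted": True, "KMSKeyId": "key-A-example"},
    {"DiskId": "d-example-2", "InstanceId": "i-example-1", "Type": "data",
     "Category": "cloud_essd", "Encrypted": True, "KMSKeyId": "key-A-example"},
    {"DiskId": "d-example-3", "InstanceId": "i-example-2", "Type": "system",
     "Category": "cloud_essd", "Encrypted": False, "KMSKeyId": ""},
    {"DiskId": "d-example-4", "InstanceId": "i-example-3", "Type": "system",
     "Category": "cloud_essd", "Encrypted": True, "KMSKeyId": "key-B-example"},
]}})

# What each instance was supposed to get: (key B from the image copy, key A at creation).
EXPECTATIONS = {
    "i-example-1": (None, "key-A-example"),              # table row 2: key A
    "i-example-2": ("key-B-example", None),              # table row 3: key B expected, disk is plain
    "i-example-3": ("key-B-example", "key-A-example"),   # table row 4: key A must win over key B
    "i-example-4": (None, None),                         # absent from the response
}

if __name__ == "__main__":
    for iid, finding in audit_system_disks(SAMPLE_DESCRIBE_DISKS, EXPECTATIONS).items():
        print(iid, "->", finding)
```

Feed it the real output of `aliyun ecs DescribeDisks` for the instances you provisioned, and treat any "not encrypted" or "wrong key" finding as a deployment defect to fix before the instance is handed over. If you selected Default Service CMK rather than a custom CMK, record the key ID the service reports for that default key in your expectations, since the comparison is on key IDs, not on the console label.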
References
When you create an ECS instance using an encrypted custom image, the system disk and data disks of the instance will be encrypted disks. For information about how to create an instance from a custom image, see Create an ECS instance by using a custom image.
You can also use an encrypted custom image to change the system disk of your ECS instance. The new system disk is an encrypted disk by default. For more information, see Replace the operating system of an instance.