
Elastic Compute Service:Applications of ECS data encryption

Last Updated:Dec 01, 2025

Data encryption helps you meet data security and regulatory compliance requirements. You can encrypt system disks, data disks, and images to protect your data on ECS. You can then create ECS instances from these encrypted resources to ensure data privacy and security. This topic describes the conditions and procedures for encrypting disks, snapshots, and images.

Prerequisites

A Key Management Service (KMS) instance is created and enabled. For more information, see Purchase and enable a KMS instance.

Background information

By default, the ECS disk encryption feature uses a service key to encrypt user data. You can also use a customer master key (CMK) that you manage in KMS. Disk encryption uses envelope encryption: each disk has a data key (DK) that encrypts the disk contents, and the DK is itself encrypted by the disk's CMK, so the DK is only ever stored in wrapped form and the CMK never touches the disk data directly. If the CMK becomes unavailable, the DK cannot be unwrapped and the disk cannot be read. For more information, see Encrypted disks.

Notes

When you use keys for encryption, note the following:

Service key

The service key is unique for each user in each region. Deleting or disabling the service key is not supported, so disks encrypted with it cannot be locked out by a key operation.

Bring-Your-Own-Key (BYOK)

  • The first time you select a customer master key other than the service key to encrypt a disk in the ECS console, click Go To Authorize. Follow the instructions on the page to grant the AliyunECSDiskEncryptDefaultRole role to ECS. This allows ECS to access your KMS resources on your behalf.

  • When you create a key in the KMS console, select the Aliyun_AES_256 or Aliyun_SM4 key type. ECS does not support other key types for creating encrypted disks.

  • Before you delete or disable a BYOK key, confirm that every disk encrypted with it has been detached and replaced, or is no longer needed. Otherwise, instances that boot from such a system disk fail to start and the data on such disks is lost. To list the disks associated with a key, call the DescribeDisks API and filter by KMSKeyId.

    A BYOK key cannot be recovered after it is deleted, and the data keys wrapped with it, and therefore the contents of the associated disks, snapshots, and images, can no longer be decrypted. Before you delete a key, disable it first and check whether it is still associated with any cloud resources: disabling is reversible, deletion is not. This prevents data from becoming unrecoverable if the key is lost.

    Warning

    You can delete or disable a BYOK key that you created. If the key becomes invalid, data on the associated encrypted disks, encrypted images, and encrypted snapshots cannot be recovered.

    Disclaimer: You are responsible for any data loss that occurs if you make a key invalid and the data on associated cloud resources becomes unrecoverable.
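The check described above, as an added example that is not part of the ECS documentation: before a BYOK key is disabled or scheduled for deletion, list every disk whose data key is wrapped by it, together with its type and attach state, and refuse to proceed while any remain. The DescribeDisks response layout (Disks.Disk[], TotalCount) and the KMSKeyId and Encrypted request parameters are the public ones; the aliyun CLI invocation assumes the CLI is installed and configured for the region, and SAMPLE_PAGES is constructed data with made-up IDs so the script runs offline.

```python
"""Pre-flight check before disabling or deleting a BYOK key.

Added example, not code from the ECS documentation. describe_disks_via_cli
assumes the Alibaba Cloud CLI (`aliyun`) is installed and configured; the
sample pages below are constructed and the IDs are made up.
"""
import json
import subprocess
from typing import Callable, Iterable, Iterator


def describe_disks_via_cli(region_id: str, kms_key_id: str,
                           page_number: int, page_size: int = 100) -> dict:
    """One DescribeDisks call through the CLI, filtered server-side by KMSKeyId.
    Not invoked by the sample run below (needs credentials and network)."""
    out = subprocess.run(
        ["aliyun", "ecs", "DescribeDisks", "--RegionId", region_id,
         "--KMSKeyId", kms_key_id, "--PageNumber", str(page_number),
         "--PageSize", str(page_size)],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def iter_disks(call: Callable[[int], dict]) -> Iterator[dict]:
    """Walk every page of a paginated DescribeDisks result.
    `call(page_number)` returns one response page as a dict."""
    page, seen = 1, 0
    while True:
        resp = call(page)
        disks = resp.get("Disks", {}).get("Disk", [])
        yield from disks
        seen += len(disks)
        if not disks or seen >= int(resp.get("TotalCount", 0)):
            return
        page += 1


def disks_bound_to_key(disks: Iterable[dict], kms_key_id: str) -> list:
    """Strict client-side match: encrypted AND KMSKeyId equals the key under
    review. Disks under any other key (including the per-region service key)
    are untouched by this key's lifecycle, so they are excluded."""
    return [d for d in disks
            if d.get("Encrypted") is True and d.get("KMSKeyId") == kms_key_id]


def blockers(disks: Iterable[dict], kms_key_id: str) -> list:
    """What must be replaced, detached or deleted before the key is disabled.
    An In_use system disk is the worst case: its instance can no longer boot."""
    rows = []
    for d in disks_bound_to_key(disks, kms_key_id):
        rows.append({
            "DiskId": d["DiskId"],
            "Type": d.get("Type"),          # "system" or "data"
            "Status": d.get("Status"),      # e.g. "In_use", "Available"
            "InstanceId": d.get("InstanceId") or None,
            "BootImpact": d.get("Type") == "system" and d.get("Status") == "In_use",
        })
    return rows


def safe_to_disable(disks: Iterable[dict], kms_key_id: str) -> bool:
    """True only when no disk still depends on the key."""
    return not disks_bound_to_key(disks, kms_key_id)


# Constructed sample: two pages of a DescribeDisks response (made-up IDs).
SAMPLE_PAGES = [
    {"TotalCount": 3, "PageNumber": 1, "PageSize": 2, "Disks": {"Disk": [
        {"DiskId": "d-sample0001", "Type": "system", "Status": "In_use",
         "InstanceId": "i-sample0001", "Encrypted": True,
         "KMSKeyId": "key-sample-byok"},
        {"DiskId": "d-sample0002", "Type": "data", "Status": "Available",
         "InstanceId": "", "Encrypted": True, "KMSKeyId": "key-sample-byok"},
    ]}},
    {"TotalCount": 3, "PageNumber": 2, "PageSize": 2, "Disks": {"Disk": [
        {"DiskId": "d-sample0003", "Type": "data", "Status": "In_use",
         "InstanceId": "i-sample0002", "Encrypted": True,
         "KMSKeyId": "key-sample-other"},
    ]}},
]


def sample_call(page_number: int) -> dict:
    """Stand-in for describe_disks_via_cli that serves the constructed pages."""
    return SAMPLE_PAGES[page_number - 1]


if __name__ == "__main__":
    key = "key-sample-byok"
    found = list(iter_disks(sample_call))
    for row in blockers(found, key):
        print(row)
    print("safe to disable:", safe_to_disable(found, key))
```

Against real data, replace `sample_call` with `lambda n: describe_disks_via_cli("cn-hangzhou", key, n)`. The server-side KMSKeyId filter already narrows the result; the client-side equality check is kept so that a response that was fetched without the filter, or for the wrong key, can never be mistaken for "no blockers".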

Encrypt a system disk

A system disk contains an operating system and can be created only when you create an ECS instance. Its lifecycle is the same as the ECS instance to which it is attached. Encryption is chosen when the instance is created; an existing unencrypted system disk is not converted in place. To move an existing instance to an encrypted system disk, copy its custom image with encryption enabled (see Copy an encrypted image below) and create a new instance from the encrypted copy.

Conditions

Instance family: Excludes ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, and ecs.ebmhfg5. For more information, see Instance families.

Disk category: Only ESSD series disks can be encrypted (ESSD PL0/PL1/PL2/PL3, ESSD Entry, ESSD AutoPL, and ESSD with zone-redundant storage).

Procedure

For more information about how to encrypt a system disk, see Create an encrypted disk.

Encrypt a data disk

When you encrypt a data disk, the data at rest on the disk is encrypted. You can encrypt a data disk when you create an instance or when you create a standalone disk, including a standalone disk created from a snapshot.

Conditions

When you create a data disk by selecting Create from Snapshot, you must meet the following conditions to select the Encryption option.

Instance family: Excludes ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, and ecs.ebmhfg5. For more information, see Instance families.

Disk category: Only ESSD series disks can be encrypted (ESSD PL0/PL1/PL2/PL3, ESSD Entry, ESSD AutoPL, and ESSD with zone-redundant storage).

Procedure

For more information about how to encrypt a data disk, see Create an encrypted disk.
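The two procedures above (encrypt a system disk when creating an instance; encrypt a data disk either with the instance or as a standalone disk, optionally from a snapshot), as an added example that is not code from the ECS documentation. It builds the encryption-related parameters for RunInstances and CreateDisk and checks them against the conditions on this page before any call is made, so a request with a non-ESSD category or an excluded instance family fails locally instead of at the API. The parameter names (SystemDisk.Encrypted, SystemDisk.KMSKeyId, DataDisk.N.Encrypted, DataDisk.N.KMSKeyId, DiskCategory, SnapshotId, PerformanceLevel) are the public ECS API ones; ESSD_CATEGORIES maps the page's disk categories to the API identifiers assumed here (cloud_essd, cloud_essd_entry, cloud_auto) and may need extending for your region; all IDs in the usage are made up.

```python
"""Encryption parameters for RunInstances / CreateDisk with pre-flight checks.

Added example, not code from the ECS documentation. The category identifier
set is an assumption (see lead-in); everything else follows the public API.
"""
from typing import Dict, Iterable, Optional

# Instance families this page lists as unable to use encrypted disks.
EXCLUDED_FAMILIES = {"ecs.ebmg5", "ecs.ebmgn5t", "ecs.ebmi3", "ecs.sccg5",
                     "ecs.scch5", "ecs.ebmc4", "ecs.ebmhfg5"}
# Assumption: API identifiers for ESSD (PL0-PL3 via PerformanceLevel),
# ESSD Entry and ESSD AutoPL. Non-ESSD categories such as cloud_efficiency
# cannot be encrypted according to this page.
ESSD_CATEGORIES = {"cloud_essd", "cloud_essd_entry", "cloud_auto"}
PERFORMANCE_LEVELS = {"PL0", "PL1", "PL2", "PL3"}


def instance_family(instance_type: str) -> str:
    """'ecs.ebmg5.24xlarge' -> 'ecs.ebmg5' (the family is the first two labels)."""
    parts = instance_type.split(".")
    if len(parts) < 3 or parts[0] != "ecs":
        raise ValueError(f"unexpected instance type: {instance_type!r}")
    return ".".join(parts[:2])


def check_encryptable(category: str, instance_type: Optional[str] = None) -> None:
    """Fail locally when the page's conditions are not met, rather than getting
    an API error or, worse, an unencrypted disk that nobody notices."""
    if category not in ESSD_CATEGORIES:
        raise ValueError(f"{category}: only ESSD-series disks can be encrypted")
    if instance_type is not None and instance_family(instance_type) in EXCLUDED_FAMILIES:
        raise ValueError(f"{instance_type}: instance family does not support encrypted disks")


def disk_spec(category: str, size_gb: int, kms_key_id: Optional[str] = None,
              performance_level: Optional[str] = None,
              snapshot_id: Optional[str] = None) -> Dict[str, str]:
    """Encrypted-disk description shared by both APIs. Encrypted is always set;
    KMSKeyId is optional and selects a BYOK key instead of the service key."""
    if performance_level is not None and performance_level not in PERFORMANCE_LEVELS:
        raise ValueError(f"bad performance level {performance_level!r}")
    spec = {"Category": category, "Size": str(size_gb), "Encrypted": "true"}
    if kms_key_id:
        spec["KMSKeyId"] = kms_key_id
    if performance_level:
        spec["PerformanceLevel"] = performance_level
    if snapshot_id:
        spec["SnapshotId"] = snapshot_id
    return spec


def run_instances_params(region_id: str, image_id: str, instance_type: str,
                         system_disk: Dict[str, str],
                         data_disks: Iterable[Dict[str, str]] = ()) -> Dict[str, str]:
    """Flatten the specs into RunInstances' dotted parameter names. Network and
    security-group parameters (VSwitchId, SecurityGroupId, ...) are left to the
    caller. The system disk comes from the image, never from a snapshot."""
    data_disks = list(data_disks)
    if "SnapshotId" in system_disk:
        raise ValueError("the system disk is created from ImageId, not a snapshot")
    for spec in [system_disk, *data_disks]:
        check_encryptable(spec["Category"], instance_type)
    params = {"RegionId": region_id, "ImageId": image_id, "InstanceType": instance_type}
    for k, v in system_disk.items():
        params[f"SystemDisk.{k}"] = v
    for n, spec in enumerate(data_disks, start=1):   # DataDisk.N is 1-based
        for k, v in spec.items():
            params[f"DataDisk.{n}.{k}"] = v
    return params


def create_disk_params(region_id: str, zone_id: str, spec: Dict[str, str],
                       instance_type: Optional[str] = None) -> Dict[str, str]:
    """Standalone data disk via CreateDisk. Same spec, but CreateDisk names the
    category parameter DiskCategory. Pass the type of the instance the disk
    will later be attached to so the family exclusion is checked up front."""
    check_encryptable(spec["Category"], instance_type)
    params = {"RegionId": region_id, "ZoneId": zone_id}
    for k, v in spec.items():
        params["DiskCategory" if k == "Category" else k] = v
    return params


if __name__ == "__main__":
    key = "key-sample-byok"  # made-up BYOK key ID
    print(run_instances_params(
        "cn-hangzhou", "m-sample0001", "ecs.g7.large",
        disk_spec("cloud_essd", 40, key, "PL1"),
        [disk_spec("cloud_essd", 200, key, "PL1")]))
    print(create_disk_params(
        "cn-hangzhou", "cn-hangzhou-h",
        disk_spec("cloud_essd_entry", 20, snapshot_id="s-sample0001")))
```

The returned dicts are the `--Name value` pairs you would pass to `aliyun ecs RunInstances` or `aliyun ecs CreateDisk`, or the request fields of the SDK equivalents. Leaving KMSKeyId out of a spec means the disk is encrypted with the region's service key, which is the page's default; setting it selects the BYOK key, which requires the AliyunECSDiskEncryptDefaultRole authorization described in the Notes.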

Encrypt a snapshot

If a disk is encrypted, snapshots created from it are also encrypted.

Procedure

For more information about how to create a snapshot, see Create a snapshot.

Copy an encrypted image

You can copy an image to deploy ECS instances across regions. You can also copy an image to change its encryption status within the same region or across regions. After you copy and encrypt an image, you can use the encrypted copy to quickly create ECS instances that have the same environment.

Conditions

Region restrictions: If you use an Alibaba Cloud account, you can copy an image to multiple regions. You can select up to five destination regions.

Image type: Both encrypted and unencrypted images can be copied. The encryption status of the copy is chosen when you copy, so it does not have to match the source image.

Procedure

For more information about how to copy an encrypted image, see Copy a custom image.

Share an encrypted image

You can share an image to deploy ECS instances across different Alibaba Cloud accounts. If a custom image is created from an ECS instance that has an encrypted disk attached, the image is also encrypted. You can share this encrypted custom image with other Alibaba Cloud accounts. The recipients can then use your shared image to quickly create ECS instances that have the same environment.

Conditions

Sharing encrypted images is supported only in the following regions:

  • China (Beijing)

  • China (Shanghai)

  • China (Hong Kong)

  • Singapore

  • Philippines (Manila)

  • Indonesia (Jakarta)

For more information about the conditions for sharing images, see Applicable scope of sharing custom images.

Procedure

For more information about how to share an encrypted custom image, see Share a custom image.