Encrypt ECS disks with Key Management Service (KMS) to protect data at rest against threats such as physical theft and unauthorized access.
How it works
Encrypted disks use a two-tier key system:
Data key: Encrypts and decrypts data on a disk.
KMS key: Stored in KMS. Encrypts and decrypts the data key.
When you create an encrypted disk, ECS stores a KMS-encrypted data key with the disk. At instance startup, ECS requests KMS to decrypt the data key and loads the plaintext key into memory for data encryption and decryption.
Create an encrypted disk
Create an encrypted disk.
Important: Encryption is irreversible. An encrypted disk cannot be converted back to an unencrypted state.
Console
You can create an encrypted disk in the following scenarios:
Create a disk from an unshared encrypted snapshot: The disk uses the same key as the snapshot by default. You can select a different KMS key.
Create a disk from a shared encrypted snapshot: The disk uses a service key by default. You can select a different KMS key.
Create a disk in a region where account-level default encryption for Elastic Block Storage is enabled: The disk uses the specified account-level key by default. You can select a different KMS key.
Other scenarios: Select the Encryption checkbox and select a KMS key. A service key is used by default.
KMS provides two types of keys:
Service key: Automatically created and managed by the cloud service. The key alias is alias/acs/ecs. Service keys require no lifecycle management and meet basic encryption needs.
Customer master key (CMK): A key that you create in or import into KMS. CMKs give you full control over the key lifecycle, including rotation, disabling, and deletion.
When you use a CMK for encryption for the first time, follow the on-screen instructions to grant the AliyunECSDiskEncryptDefaultRole role to ECS so that it can access KMS resources.
API
Encrypt the system disk and data disks when creating an ECS instance: call the RunInstances operation and set the Encrypted and KMSKeyId parameters for each disk (SystemDisk.Encrypted and SystemDisk.KMSKeyId for the system disk, DataDisk.N.Encrypted and DataDisk.N.KMSKeyId for the Nth data disk).
Create a standalone encrypted data disk: call the CreateDisk operation and set the Encrypted and KMSKeyId parameters.
Perform post-creation steps.
System disk: Ready to use.
Data disk:
Created with an instance:
Windows: Ready to use.
Linux: Initialize the disk before use.
Created separately: Attach the disk to an ECS instance, then initialize the disk.
Convert an unencrypted disk to an encrypted disk
You cannot directly encrypt an existing unencrypted disk. Create an encrypted copy by using an encrypted custom image or snapshot, then replace the OS or attach the new disk.
System disk
Copy the custom image and select encryption to create an encrypted copy.
Create an encrypted system disk by using one of the following methods:
Replace the operating system of the original instance with the encrypted image.
Create a new instance from the encrypted image.
Data disk
Create a snapshot of the data disk.
Create a disk from the snapshot with encryption enabled and select a KMS key.
Attach the newly created encrypted disk to the original ECS instance.
Apply in production
Do not delete or disable keys unnecessarily.
Deleting or disabling a key renders all encrypted resources that use it — cloud disks, snapshots, and images — undecryptable, causing unrecoverable data loss. Before you proceed, check for resources associated with the key.
Important: You are responsible for any data loss caused by disabling or deleting a key.
Restrict RAM users to create only encrypted disks.
To prevent data breaches from unencrypted disks, configure a custom policy for Resource Access Management (RAM) users to restrict them to creating only encrypted disks.
Prevent RAM users from managing keys.
To prevent accidental key deletion or disabling, grant RAM users read-only KMS permissions by attaching the AliyunKMSReadOnlyAccess policy.
Encrypt existing system disks in bulk
Use the OOS public template ACS-ECS-BulkyEncryptSystemDisk to encrypt system disks of multiple ECS instances by replacing their operating systems.
Billing
Disk fees: Encrypted and unencrypted disks share the same billing rules. Encryption incurs no additional fees. See Block Storage billing.
Key fees: Key usage is free of charge.
Limitations
Instance types
Encrypted system disks and encrypted data disks created from snapshots cannot be attached to the following instance types: ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, and ecs.ebmhfg5.
Disk types
Only ESSD-series disks support encryption: enterprise SSDs (ESSDs), ESSD Entry disks, ESSD AutoPL disks, and regional ESSDs.
Regions
Regions where you cannot create encrypted disks: China (Nanjing - Local Region - Closing Down), South Korea (Seoul).
Regions where you cannot use CMKs: China (Fuzhou - Local Region - Closing Down), Thailand (Bangkok).
FAQ
How can I verify that data is encrypted at rest?
This method verifies encryption by disabling the key, which causes read/write errors on the system disk. Use a dedicated test instance and a dedicated test CMK, because every resource that uses the key becomes unreadable while it is disabled.
When you purchase a test instance, create a system disk that is encrypted with a CMK.
Disable the CMK.
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Customer Master Keys or Default Keys tab, find the target key and click Disable in the Actions column.
In the Disable Key dialog box, confirm the action and click Confirm.
ImportantBefore you disable a CMK, check for associated cloud resources to avoid service disruptions.
Verify the encryption.
Connect to the ECS instance and run sudo reboot. Because the KMS key is disabled, ECS cannot decrypt the data key at startup, the disk cannot be read, and I/O hangs. If you connect over VNC, a black screen confirms that data is encrypted at rest.
Enable the CMK and release the test instance.
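The two-tier key model described under "How it works", together with the disabled-key check in this FAQ and the warning under "Apply in production", as an added example in Go. This is not code from the page or from Alibaba Cloud: ToyKMS is a hypothetical in-memory stand-in for KMS, EncryptedDisk models what ECS persists with a disk, and the key ID cmk-example and every method name are assumptions. A data key is minted per disk and stored only in wrapped form (AES-256-GCM under the KMS key, with the key ID bound as associated data); booting asks the KMS to unwrap it, and once the KMS key is disabled the unwrap is refused, so the disk contents cannot be recovered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds AES-256-GCM; every key in this example is 32 bytes, so failure is a bug.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// aeadSeal encrypts data with a random nonce prepended; aeadOpen reverses it and
// fails authentication on a wrong key, wrong associated data or tampered ciphertext.
func aeadSeal(key, data, aad []byte) []byte {
	g := newGCM(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, data, aad)
}

func aeadOpen(key, ct, aad []byte) ([]byte, error) {
	g := newGCM(key)
	n := g.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:n], ct[n:], aad)
}

// ToyKMS is a hypothetical stand-in for KMS. KMS keys never leave it; callers only
// ever receive data keys, either in plaintext or wrapped under a KMS key.
type ToyKMS struct {
	keys     map[string][]byte
	disabled map[string]bool
}

func NewToyKMS() *ToyKMS               { return &ToyKMS{map[string][]byte{}, map[string]bool{}} }
func (k *ToyKMS) CreateKey(id string)  { k.keys[id] = randBytes(32) }
func (k *ToyKMS) DisableKey(id string) { k.disabled[id] = true }
func (k *ToyKMS) EnableKey(id string)  { k.disabled[id] = false }

func (k *ToyKMS) usable(id string) ([]byte, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("kms: key %s not found", id)
	}
	if k.disabled[id] {
		return nil, fmt.Errorf("kms: key %s is disabled", id)
	}
	return key, nil
}

// GenerateDataKey mints a 256-bit data key and returns it in plaintext and wrapped under
// the KMS key; the key ID is bound as AAD so the wrapped key only unwraps under that key.
func (k *ToyKMS) GenerateDataKey(id string) (plain, wrapped []byte, err error) {
	kmsKey, err := k.usable(id)
	if err != nil {
		return nil, nil, err
	}
	plain = randBytes(32)
	return plain, aeadSeal(kmsKey, plain, []byte(id)), nil
}

// Decrypt unwraps a data key; it is refused while the KMS key is disabled.
func (k *ToyKMS) Decrypt(id string, wrapped []byte) ([]byte, error) {
	kmsKey, err := k.usable(id)
	if err != nil {
		return nil, err
	}
	return aeadOpen(kmsKey, wrapped, []byte(id))
}

// EncryptedDisk is what persists at rest: ciphertext plus the KMS-wrapped data key.
// The plaintext data key exists only in instance memory after a successful boot.
type EncryptedDisk struct {
	KMSKeyID   string
	WrappedKey []byte
	Ciphertext []byte
}

// CreateEncryptedDisk models CreateDisk with Encrypted=true and a KMSKeyId.
func CreateEncryptedDisk(k *ToyKMS, kmsKeyID string, contents []byte) (*EncryptedDisk, error) {
	dataKey, wrapped, err := k.GenerateDataKey(kmsKeyID)
	if err != nil {
		return nil, err
	}
	return &EncryptedDisk{kmsKeyID, wrapped, aeadSeal(dataKey, contents, nil)}, nil
}

// BootInstance models instance startup: ECS asks KMS to unwrap the data key and reads the
// disk with it. With the KMS key disabled the unwrap is refused and the disk is unreadable,
// which is the I/O hang the FAQ treats as evidence of encryption at rest.
func BootInstance(k *ToyKMS, d *EncryptedDisk) ([]byte, error) {
	dataKey, err := k.Decrypt(d.KMSKeyID, d.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("boot: cannot decrypt data key: %w", err)
	}
	return aeadOpen(dataKey, d.Ciphertext, nil)
}

func main() {
	kms := NewToyKMS()
	kms.CreateKey("cmk-example") // hypothetical key ID
	disk, err := CreateEncryptedDisk(kms, "cmk-example", []byte("root filesystem bytes"))
	if err != nil {
		panic(err)
	}
	out, err := BootInstance(kms, disk)
	fmt.Printf("key enabled:  data=%q err=%v\n", out, err)
	kms.DisableKey("cmk-example")
	_, err = BootInstance(kms, disk)
	fmt.Printf("key disabled: err=%v\n", err)
}
```

Two details carry over to the real service: the wrapped key is useless without the KMS key that wrapped it, which is why deleting or disabling a CMK makes every disk, snapshot and image that uses it unrecoverable, and re-enabling the key restores access because nothing on the disk itself changed.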