If your company has classified protection compliance requirements, enable disk encryption when you create disks. To customize key encryption algorithms, key rotation policies, or to manage your own keys, use a customer master key (CMK) for encryption.
Security risks
Data stored on disks, such as trade secrets, personal information, or financial records, is stored as plaintext if it is not encrypted. In extreme cases, sensitive data can be directly exposed. This can happen if physical devices are stolen from a data center, an operations and maintenance (O&M) engineer makes a mistake or acts maliciously, or a hacker exploits a hypervisor vulnerability.
Disk encryption helps ensure data integrity by preventing data from being tampered with during storage. Even if a disk is attacked at the physical or hypervisor layer, the data remains unreadable. This protects user privacy.
Best practices
When you create an instance or a data disk, you can encrypt the disk using a service key or a customer master key (CMK):
Service key: Alibaba Cloud KMS provides a default key free of charge for server-side encryption of cloud products. You do not need to purchase a KMS instance. This key provides basic data encryption.
Customer master key: To control the key lifecycle, including generation, storage, rotation, and destruction, independently of the cloud service provider, you can purchase a KMS key instance. This lets you meet various business and security requirements. For more information, see Purchase and enable a KMS instance.
Console
When you create an instance, select the Encryption checkbox and choose a key from the drop-down list in the System Disk and Data Disk settings.
When you create a data disk, in the Data Disk section, select the Encryption checkbox and select a key from the drop-down list.
API
When you call the RunInstances or CreateInstance operation to create an instance, use the Encrypted parameter to specify whether to encrypt the disk and the KMSKeyId parameter to specify the encryption key.
When you call the CreateDisk operation to create a disk, use the Encrypted parameter to specify whether to encrypt the disk and the KMSKeyId parameter to specify the encryption key.
Compliance
Check: Find disks that are not encrypted
ECS Insight
Go to ECS Insight.
Select the Security tab. Click the Use of Disk Encryption item to view unencrypted disks.
Security Center
Go to the Security Center console.
In the navigation pane on the left, choose . Select the Cloud Service Configuration Risk tab. Find the checks named Ensure attached disks are encrypted and Unattached disks are encrypted. In the Actions column, click the Scan button.
If the status is Failed, there are unencrypted disks. Click Details to view them.
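The two console checks above (attached disks are encrypted, unattached disks are encrypted) can also be run as a script over the output of the DescribeDisks API. The following is an added example, not code from the Alibaba Cloud documentation: it parses a constructed response in the shape of DescribeDisks (disks nested under Disks.Disk, with the Encrypted, KMSKeyId and Status fields; those field names are assumed here), separates attached from unattached disks using the In_use and Available status values, and additionally flags disks that are encrypted but not with one of your own CMKs, which is the condition the "Block 2" policy later enforces. OWN_CMK_IDS is a placeholder set you would fill with the key IDs of your KMS instance.

```python
import json

# Constructed sample in the shape of an ECS DescribeDisks response.
# The nesting (Disks.Disk) and the field names are assumptions of this example.
SAMPLE_DESCRIBE_DISKS = json.dumps({
    "Disks": {"Disk": [
        # system disk, encrypted with a customer master key
        {"DiskId": "d-example-sys-01", "Status": "In_use", "Encrypted": True,
         "KMSKeyId": "11111111-2222-3333-4444-555555555555"},
        # data disk encrypted with a key that is not one of ours (e.g. the service key)
        {"DiskId": "d-example-data-02", "Status": "In_use", "Encrypted": True,
         "KMSKeyId": "99999999-8888-7777-6666-555555555555"},
        # unattached, unencrypted data disk
        {"DiskId": "d-example-data-03", "Status": "Available", "Encrypted": False,
         "KMSKeyId": ""},
        # attached, unencrypted data disk
        {"DiskId": "d-example-data-04", "Status": "In_use", "Encrypted": False,
         "KMSKeyId": ""},
    ]}
})

# Placeholder: key IDs of the CMKs your organisation manages in its KMS instance.
OWN_CMK_IDS = {"11111111-2222-3333-4444-555555555555"}


def audit_disks(describe_disks_json, own_cmk_ids):
    """Classify every disk in a DescribeDisks response by encryption state.

    Returns a dict with three lists of disk IDs:
      unencrypted_attached   - Encrypted is false and the disk is not Available
      unencrypted_unattached - Encrypted is false and Status is Available
      not_cmk                - encrypted, but KMSKeyId is not one of own_cmk_ids
    """
    disks = json.loads(describe_disks_json)["Disks"]["Disk"]
    report = {"unencrypted_attached": [], "unencrypted_unattached": [], "not_cmk": []}
    for disk in disks:
        if not disk.get("Encrypted", False):
            # "Available" is the status of a disk that is not attached to any instance.
            bucket = ("unencrypted_unattached" if disk.get("Status") == "Available"
                      else "unencrypted_attached")
            report[bucket].append(disk["DiskId"])
        elif disk.get("KMSKeyId", "") not in own_cmk_ids:
            report["not_cmk"].append(disk["DiskId"])
    return report


def is_compliant(report, require_cmk=False):
    """True when no disk is unencrypted; with require_cmk, CMK encryption is also required."""
    if report["unencrypted_attached"] or report["unencrypted_unattached"]:
        return False
    return not (require_cmk and report["not_cmk"])


if __name__ == "__main__":
    result = audit_disks(SAMPLE_DESCRIBE_DISKS, OWN_CMK_IDS)
    for check, disk_ids in result.items():
        print(f"{check}: {disk_ids or 'none'}")
    print("compliant (any key):", is_compliant(result))
    print("compliant (CMK only):", is_compliant(result, require_cmk=True))
```

In a real audit you would page through DescribeDisks for every region and pass each page's JSON to audit_disks; the report's unencrypted lists correspond to the two Security Center checks, and the not_cmk list tells you which disks the CMK-only policy would have refused to create.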
Block 1: Prohibit the creation of unencrypted disks
At the organization or account level, you can use a Resource Access Management (RAM) policy to block the creation of instances and disks if encryption is not enabled.
Alibaba Cloud lets you enable account-level default encryption for Elastic Block Storage by region. After you enable this feature, all new disks, copied snapshots, and copied images in the specified region are encrypted by default. You do not need to specify encryption parameters separately.
For enterprise users:
Log on to the Resource Directory console with your Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Then, create a custom policy and paste the following JSON content.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}
In Resource Directory, select an appropriate node and attach the policy. The policy will block the specified actions for all accounts in the directory.
For individual users:
Log on to the RAM console with your Alibaba Cloud account. In the navigation pane on the left, click Policies and create a custom policy that contains the content shown above.
Grant the policy to a RAM user, RAM user group, or RAM role. For more information, see Grant permissions using a policy.
Block 2: Prohibit the creation of disks that are not encrypted with a CMK
At the organization or account level, you can use a RAM policy to block the creation of instances and disks that are not encrypted with a CMK.
For enterprise users:
Log on to the Resource Directory console with your Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Then, create a custom policy and paste the following JSON content.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskByokEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskByokEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskByokEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}
In Resource Directory, select an appropriate node and attach the policy. The policy will block the specified actions for all accounts in the directory.
For individual users:
Use your Alibaba Cloud account to log on to the RAM console. In the navigation pane on the left, click Policies to create a custom policy that uses the content from the preceding example.
Grant the policy to a RAM user, RAM user group, or RAM role. For more information, see Grant permissions using a policy.
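Before attaching either of the two Deny policies above (Block 1 and Block 2), it helps to see exactly which requests they refuse. The following is an added example, not part of the Alibaba Cloud documentation and not RAM's own evaluation engine: a small evaluator that loads both policies verbatim and applies their StringEquals and StringLike conditions to constructed request contexts. It models only the Deny statements shown on this page (a real RAM decision also needs an explicit Allow), treats a missing condition key as a non-match, and, as an assumption of this example, represents a multi-valued key such as ecs:IsDiskEncrypted for several data disks as a comma-joined string, which is what makes the page's "*false*" wildcard match when any one data disk is unencrypted.

```python
import fnmatch
import json

# The two policies exactly as given on the page (Block 1 and Block 2).
BLOCK1_POLICY = json.loads("""
{ "Version": "1", "Statement": [
  { "Action": [ "ecs:RunInstances", "ecs:CreateInstance" ], "Resource": "*",
    "Condition": { "StringLike": { "ecs:IsDiskEncrypted": "*false*" } }, "Effect": "Deny" },
  { "Action": [ "ecs:RunInstances", "ecs:CreateInstance" ], "Resource": "*",
    "Condition": { "StringEquals": { "ecs:IsSystemDiskEncrypted": "false" } }, "Effect": "Deny" },
  { "Action": "ecs:CreateDisk", "Resource": "*",
    "Condition": { "StringLike": { "ecs:IsDiskEncrypted": "*false*" } }, "Effect": "Deny" } ] }
""")

BLOCK2_POLICY = json.loads("""
{ "Version": "1", "Statement": [
  { "Action": [ "ecs:RunInstances", "ecs:CreateInstance" ], "Resource": "*",
    "Condition": { "StringLike": { "ecs:IsDiskByokEncrypted": "*false*" } }, "Effect": "Deny" },
  { "Action": [ "ecs:RunInstances", "ecs:CreateInstance" ], "Resource": "*",
    "Condition": { "StringEquals": { "ecs:IsSystemDiskByokEncrypted": "false" } }, "Effect": "Deny" },
  { "Action": "ecs:CreateDisk", "Resource": "*",
    "Condition": { "StringLike": { "ecs:IsDiskByokEncrypted": "*false*" } }, "Effect": "Deny" } ] }
""")


def _action_matches(stmt_action, action):
    """Action may be a string or a list; patterns may contain wildcards."""
    patterns = stmt_action if isinstance(stmt_action, list) else [stmt_action]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_matches(condition, context):
    """All operator/key pairs must match; a key absent from the context never matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringLike":
                # Wildcard match; "*false*" matches "false" and also "true,false".
                if not fnmatch.fnmatchcase(actual, expected):
                    return False
            else:
                raise ValueError(f"operator not modelled by this example: {operator}")
    return True


def is_denied(policy, action, context):
    """True if any Deny statement in the policy matches the action and context."""
    return any(
        stmt.get("Effect") == "Deny"
        and _action_matches(stmt["Action"], action)
        and _condition_matches(stmt.get("Condition", {}), context)
        for stmt in policy["Statement"]
    )


# Constructed request contexts. Multi-valued keys are comma-joined (example assumption).
REQUESTS = {
    "run, all disks encrypted":        ("ecs:RunInstances",
        {"ecs:IsSystemDiskEncrypted": "true", "ecs:IsDiskEncrypted": "true,true",
         "ecs:IsSystemDiskByokEncrypted": "true", "ecs:IsDiskByokEncrypted": "true,true"}),
    "run, one data disk unencrypted":  ("ecs:RunInstances",
        {"ecs:IsSystemDiskEncrypted": "true", "ecs:IsDiskEncrypted": "true,false",
         "ecs:IsSystemDiskByokEncrypted": "true", "ecs:IsDiskByokEncrypted": "true,false"}),
    "disk, service-key encrypted":     ("ecs:CreateDisk",
        {"ecs:IsDiskEncrypted": "true", "ecs:IsDiskByokEncrypted": "false"}),
    "disk, unencrypted":               ("ecs:CreateDisk",
        {"ecs:IsDiskEncrypted": "false", "ecs:IsDiskByokEncrypted": "false"}),
}

if __name__ == "__main__":
    for label, (action, ctx) in REQUESTS.items():
        print(f"{label:32} Block1 denies={is_denied(BLOCK1_POLICY, action, ctx)!s:5} "
              f"Block2 denies={is_denied(BLOCK2_POLICY, action, ctx)}")
```

The "service-key encrypted" disk is the case that separates the two policies: Block 1 lets it through because the disk is encrypted, while Block 2 refuses it because the key is not a customer master key. Whichever policy you attach, confirm with the audit check above that it does not break workloads that still create service-key-encrypted disks.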
Remediate: Fix the risk of unencrypted existing disks
Before you use this template, check your disk type. This template supports the encryption of only ESSD series disks, such as ESSD PL0, PL1, PL2, and PL3, ESSD Entry, ESSD AutoPL, and ESSD zone-redundant storage. Subscription disks purchased at a discount cannot be encrypted using this template. Additional fees apply.
To perform bulk encryption on disks using CloudOps Orchestration Service (OOS), see ACS-ECS-BulkyEncryptDisks.