All Products
Search
Document Center

Elastic Compute Service:Use encrypted disks

Last Updated:Jun 24, 2026

Enable disk encryption for compliance, and use a customer master key (CMK) to control encryption algorithms, key rotation, and key lifecycle.

Security risks

Unencrypted disk data, such as trade secrets, personal information, or financial records, is stored as plaintext. In extreme cases, sensitive data can be directly exposed if physical devices are stolen, an O&M engineer makes a mistake or acts maliciously, or a hacker exploits a hypervisor vulnerability.

Disk encryption ensures data integrity by preventing tampering during storage. Even if a disk is attacked at the physical or hypervisor layer, the data remains unreadable.

Best practices

When you create an instance or a data disk, encrypt the disk with a service key or a customer master key (CMK):

  • Service key: Alibaba Cloud KMS provides a free default key for server-side encryption. No KMS instance purchase required. Provides basic data encryption.

  • Customer master key: To control the key lifecycle, including generation, storage, rotation, and destruction, independently of the cloud service provider, purchase a KMS instance.

Console

  • When you create an instance, select Encrypt and choose a key in the System Disk and Data Disk settings.

  • When you create a data disk, in the Disks section, select Encrypt and choose a key.

API

  • When you call RunInstances or CreateInstance, set Encrypted to enable disk encryption and KMSKeyId to specify the encryption key.

  • When you call CreateDisk, set Encrypted to enable disk encryption and KMSKeyId to specify the encryption key.

Compliance

Find unencrypted disks

ECS Insight

  1. Go to ECS Insight.

  2. On the Security tab, click Use Disk Encryption to Improve Data Security to view unencrypted disks.

Security Center

  1. Go to the Security Center console.

  2. In the left-side navigation pane, choose Risk Governance > CSPM, and then select the Cloud Service Configuration Risk tab. Find the checks named Ensure attached disks are encrypted and Unattached disks are encrypted, and in the Actions column, click Scan.

    If the status is Failed, unencrypted disks exist. Click Details to view them.

Policy 1: Block unencrypted disk creation

Use a RAM policy to deny creating instances and disks without encryption at the organization or account level.

You can enable account-level default encryption for Elastic Block Storage by region. After enabled, all new disks, copied snapshots, and copied images in the specified region are encrypted by default.
  • For enterprise users:

    1. Log on to the Resource Directory console. In the left navigation pane, click Control Policies. Create a custom policy with the following JSON content.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ecs:RunInstances",
              "ecs:CreateInstance"
            ],
            "Resource": "*",
            "Condition": {
              "StringLike": {
                "ecs:IsDiskEncrypted": "*false*"
              }
            },
            "Effect": "Deny"
          },
          {
            "Action": [
              "ecs:RunInstances",
              "ecs:CreateInstance"
            ],
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "ecs:IsSystemDiskEncrypted": "false"
              }
            },
            "Effect": "Deny"
          },
          {
            "Action": "ecs:CreateDisk",
            "Resource": "*",
            "Condition": {
              "StringLike": {
                "ecs:IsDiskEncrypted": "*false*"
              }
            },
            "Effect": "Deny"
          }
        ]
      }
    2. In Resource Directory, select an appropriate node and attach the policy. The policy blocks the specified actions for all accounts in the directory.

  • For individual users:

    1. Log on to the RAM console. In the left navigation pane, click Permission Policy and create a custom policy with the content shown above.

    2. Grant the policy to a RAM user, user group, or role. See Grant permissions using a policy.

Policy 2: Block disks without CMK encryption

Use a RAM policy to deny creating instances and disks without CMK encryption at the organization or account level.

  • For enterprise users:

    1. Log on to the Resource Directory console. In the left navigation pane, click Control Policies. Create a custom policy with the following JSON content.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ecs:RunInstances",
              "ecs:CreateInstance"
            ],
            "Resource": "*",
            "Condition": {
              "StringLike": {
                "ecs:IsDiskByokEncrypted": "*false*"
              }
            },
            "Effect": "Deny"
          },
          {
            "Action": [
              "ecs:RunInstances",
              "ecs:CreateInstance"
            ],
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "ecs:IsSystemDiskByokEncrypted": "false"
              }
            },
            "Effect": "Deny"
          },
          {
            "Action": "ecs:CreateDisk",
            "Resource": "*",
            "Condition": {
              "StringLike": {
                "ecs:IsDiskByokEncrypted": "*false*"
              }
            },
            "Effect": "Deny"
          }
        ]
      }
    2. In Resource Directory, select an appropriate node and attach the policy. The policy blocks the specified actions for all accounts in the directory.

  • For individual users:

    1. Log on to the RAM console. In the left navigation pane, click Permission Policy and create a custom policy with the content shown above.

    2. Grant the policy to a RAM user, user group, or role. See Grant permissions using a policy.

Encrypt existing disks

This template supports only ESSD series disks (ESSD PL0, PL1, PL2, PL3, ESSD Entry, ESSD AutoPL, and ESSD zone-redundant storage). Subscription disks purchased at a discount cannot be encrypted with this template. Additional fees apply.

To bulk-encrypt disks with CloudOps Orchestration Service (OOS), see ACS-ECS-BulkyEncryptDisks.