This topic describes how to encrypt a data disk. After a data disk is encrypted, both data in transit and data at rest on the disk are encrypted. You can follow the instructions described in this topic to encrypt data disks to meet security and compliance requirements.

Background information

You can use one of the following methods to encrypt data disks:

When you encrypt data disks, you must use keys in Key Management Service (KMS). For more information, see Encryption overview.

Requirements

If you select Create from Snapshot to create a data disk, you can select Disk Encryption to encrypt the disk only when all of the requirements in the following table are met.
Item | Requirement
Instance family | The instance family of the associated instance is not ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, or ecs.ebmhfg5. For more information, see Overview of instance families.
Image | The associated instance uses a public or custom image, not a shared image or an Alibaba Cloud Marketplace image.
Disk category | The disk is an enhanced SSD (ESSD).

Encrypt a data disk when you create an ECS instance

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, click Create Instance.
  5. In the Basic Configurations step, find the Storage section and perform the following steps:
    1. Click Add Disk.
    2. Specify the category and capacity of the disk.
      Note: This step describes only how to configure the disk encryption settings when you create an instance. For information about other configurations of the instance, see Create an instance by using the wizard.
    3. Select Disk Encryption and select a key from the drop-down list.
      By default, Alibaba Cloud uses the Default Service CMK as the encryption key when you select Disk Encryption for a disk. You can also specify a CMK that you created in KMS as the encryption key of the disk. We recommend that you use a custom CMK as the encryption key. For information about how to create a CMK, see Create a CMK.
      Note: Currently, custom CMKs cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), or South Korea (Seoul) region.
      After the disk is encrypted, a tag is automatically added to the KMS key that is used to encrypt the disk. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can log on to the KMS console and click the ID of the KMS key to view its tag.

Encrypt a data disk when you create the disk

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Storage & Snapshots > Disks.
  3. In the top navigation bar, select a region.
  4. On the Disks page, click Create Disk.
  5. In the Storage section, specify the category and capacity of the disk.
    Note: This step describes only how to configure the encryption settings when you create a disk. For information about other configurations of the disk, see Create a disk.
  6. Select Disk Encryption and select a key from the drop-down list.
    By default, Alibaba Cloud uses the Default Service CMK as the encryption key when you select Disk Encryption for a disk. You can also specify a CMK that you created in KMS as the encryption key of the disk. We recommend that you use a custom CMK as the encryption key. For information about how to create a CMK, see Create a CMK.
    Note: Currently, custom CMKs cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), or South Korea (Seoul) region.
    After the disk is encrypted, a tag is automatically added to the KMS key that is used to encrypt the disk. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can log on to the KMS console and click the ID of the KMS key to view its tag.
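After disks have been created by either procedure above, a practitioner usually wants to confirm that every disk is actually encrypted and uses an approved custom CMK rather than the Default Service CMK. The script below is an added example, not part of this topic or the ECS console: it audits the JSON returned by the ECS DescribeDisks API (for example as printed by `aliyun ecs DescribeDisks --RegionId <region>`); the response embedded here is constructed sample data, and the approved-key list stands in for an assumed organization policy.

```python
import json

# Constructed sample modelled on the shape of a DescribeDisks response.
# Disk IDs and key IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_DISKS = json.dumps({
    "Disks": {"Disk": [
        {"DiskId": "d-sample-0001", "Category": "cloud_essd", "Encrypted": True,
         "KMSKeyId": "0000aaaa-1111-2222-3333-444455556666"},   # approved custom CMK
        {"DiskId": "d-sample-0002", "Category": "cloud_essd", "Encrypted": False,
         "KMSKeyId": ""},                                        # Disk Encryption not selected
        {"DiskId": "d-sample-0003", "Category": "cloud_essd", "Encrypted": True,
         "KMSKeyId": ""},                                        # encrypted, but not with an approved CMK
    ]}
})

# Assumed policy: only these custom CMK IDs are approved for disk encryption.
APPROVED_CMK_IDS = {"0000aaaa-1111-2222-3333-444455556666"}


def audit_disks(describe_disks_json, approved_cmk_ids):
    """Return a list of (disk_id, finding) for every disk that fails the policy.

    A disk passes only if Encrypted is true and its KMSKeyId is in the approved set,
    so a disk protected by the Default Service CMK is reported as a finding.
    """
    findings = []
    for disk in json.loads(describe_disks_json)["Disks"]["Disk"]:
        disk_id = disk["DiskId"]
        key_id = disk.get("KMSKeyId", "")
        if not disk.get("Encrypted", False):
            findings.append((disk_id, "not encrypted"))
        elif key_id not in approved_cmk_ids:
            findings.append((disk_id, f"encrypted with non-approved key ID '{key_id}'"))
    return findings


if __name__ == "__main__":
    for disk_id, finding in audit_disks(SAMPLE_DESCRIBE_DISKS, APPROVED_CMK_IDS):
        print(f"{disk_id}: {finding}")
```

To run the check against a real region, replace SAMPLE_DESCRIBE_DISKS with the CLI output and APPROVED_CMK_IDS with the CMK IDs your organization created in KMS.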