This topic describes how to encrypt a data disk. After a data disk is encrypted, both the data in transit to and from the disk and the data at rest on the disk are encrypted. You can follow the instructions in this topic to encrypt data disks to meet security compliance requirements.

Background information

You can use one of the following methods to encrypt data disks:
  • Create an Elastic Compute Service (ECS) instance from an encrypted custom image that contains data disk data. The data disks of an instance created from such a custom image are encrypted. For more information, see Encrypt a system disk.
  • When you create an instance, click Add Disk to add data disks and select Disk Encryption and a key for each added data disk. For more information, see Encrypt a data disk when you create an ECS instance.
  • When you create an independent disk, select Disk Encryption and a key for each disk. For more information, see Encrypt a data disk when you create the disk.

When you encrypt data disks, you must use the keys in Key Management Service (KMS). For more information, see Encryption overview.

Encrypt a data disk when you create an ECS instance

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, click Create Instance.
  5. In the Basic Configurations step, find the Storage section and perform the following steps.
    Note This step describes only how to configure the encryption settings when you create an instance. For information about other configurations of the instance, see Create an instance by using the wizard.
    1. Click Add Disk.
    2. Specify the category and capacity of the data disk.
    3. Select Disk Encryption and select a key from the drop-down list.
      After the data disk is encrypted, a tag is automatically added to the specified KMS key used to encrypt the data disk. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can log on to the KMS console and click the key ID to view the tag of the key.

Encrypt a data disk when you create the disk

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Storage & Snapshots > Disks.
  3. In the top navigation bar, select a region.
  4. In the upper-right corner of the Disks page, click Create Disk.
  5. Specify the category and capacity of the data disk.
    Note This step describes only how to configure the encryption settings when you create a disk. For information about other configurations of the disk, see Create a disk.
  6. In the Storage section, select Disk Encryption and select a key from the drop-down list.
    After the data disk is encrypted, a tag is automatically added to the specified KMS key used to encrypt the data disk. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can log on to the KMS console and click the key ID to view the tag of the key.

Change the encryption state

After a data disk of an instance is created, you cannot change its encryption state. If you want to change the encryption state of its data, perform the procedures described in the following table.
State change: From unencrypted to encrypted
  Procedure:
    1. Log on to the operating system of the instance. For more information, see Connection methods.
    2. Manually copy data from the unencrypted disk to a new encrypted disk.
State change: From encrypted to unencrypted
  Procedure:
    1. Log on to the operating system of the instance. For more information, see Connection methods.
    2. Manually copy data from the encrypted disk to a new unencrypted disk.
Copy command (by operating system):
  Windows Server: In Command Prompt, run the robocopy command.
  Linux: Run the rsync shell command.
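Because the encryption state of a disk cannot be changed after creation, a compliance check starts by finding which existing data disks are unencrypted or use the wrong KMS key, so that their data can be migrated with the copy procedure above. The following is an added example, not code from the Alibaba Cloud documentation: it audits a DescribeDisks-style response (field names Disks.Disk[].DiskId, Type, Encrypted and KMSKeyId are assumed from the ECS API; the disk data and key tags are constructed samples, and EXPECTED_KEY_ID is a placeholder).

```python
"""Audit ECS data-disk encryption from a DescribeDisks-style response.

Added example, not part of the Alibaba Cloud documentation. The response
layout (Disks.Disk[].DiskId / Type / Encrypted / KMSKeyId) is assumed from
the ECS DescribeDisks API; all sample data below is constructed, and
EXPECTED_KEY_ID is a placeholder for the KMS key your policy requires.
"""
from typing import Dict, List

EXPECTED_KEY_ID = "<kms-key-id-placeholder>"

# Constructed sample: what a DescribeDisks call might return for one region.
SAMPLE_DESCRIBE_DISKS = {
    "Disks": {"Disk": [
        {"DiskId": "d-data-001", "Type": "data", "Encrypted": True,
         "KMSKeyId": EXPECTED_KEY_ID},
        {"DiskId": "d-data-002", "Type": "data", "Encrypted": False,
         "KMSKeyId": ""},
        {"DiskId": "d-data-003", "Type": "data", "Encrypted": True,
         "KMSKeyId": "<other-key-id-placeholder>"},
        {"DiskId": "d-sys-001", "Type": "system", "Encrypted": False,
         "KMSKeyId": ""},
    ]},
}

# Constructed sample: tags on the KMS key, as shown in the KMS console.
SAMPLE_KEY_TAGS = {EXPECTED_KEY_ID: {"acs:ecs:disk-encryption": "true"}}


def audit_data_disks(response: Dict, expected_key_id: str) -> Dict[str, List[str]]:
    """Classify data disks; "unencrypted" ones need the copy-to-new-disk procedure."""
    result: Dict[str, List[str]] = {"compliant": [], "unencrypted": [], "wrong_key": []}
    for disk in response.get("Disks", {}).get("Disk", []):
        if disk.get("Type") != "data":
            continue  # system disks are covered by "Encrypt a system disk"
        if not disk.get("Encrypted"):
            result["unencrypted"].append(disk["DiskId"])
        elif disk.get("KMSKeyId") != expected_key_id:
            result["wrong_key"].append(disk["DiskId"])
        else:
            result["compliant"].append(disk["DiskId"])
    return result


def key_is_marked_for_disk_encryption(key_tags: Dict[str, Dict[str, str]], key_id: str) -> bool:
    """True if the key carries the acs:ecs:disk-encryption=true tag that ECS adds."""
    return key_tags.get(key_id, {}).get("acs:ecs:disk-encryption") == "true"


if __name__ == "__main__":
    print(audit_data_disks(SAMPLE_DESCRIBE_DISKS, EXPECTED_KEY_ID))
    print(key_is_marked_for_disk_encryption(SAMPLE_KEY_TAGS, EXPECTED_KEY_ID))
```

Disks listed under "unencrypted" or "wrong_key" are the candidates for the robocopy or rsync migration described in the table; the tag check confirms that the expected key has actually been used for disk encryption.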