Elastic Compute Service:Encrypt a data disk

Last Updated: Apr 17, 2024

You can encrypt the data disks of Elastic Compute Service (ECS) instances to protect both the data at rest on the disk and the data in transit between the instance and the disk. Disk encryption helps you meet security and compliance requirements.

Prerequisites

A Key Management Service (KMS) instance is purchased and enabled. For more information, see Purchase and enable a KMS instance.

Procedure

You can enable encryption only at creation time, either when you create an ECS instance that has a data disk or when you create a standalone data disk. The encryption state of a disk is fixed at creation: an encrypted data disk cannot be converted to an unencrypted one, and an unencrypted data disk cannot be encrypted in place.

Encrypt a data disk when you create an ECS instance

This section describes only how to configure the disk encryption settings when you create an instance. For information about other configurations of the instance, see Create an instance on the Custom Launch tab.

  1. On the Instances page, click Create Instance.

  2. In the Storage section, configure the encrypted data disk.

    1. Click Add Data Disk to the right of Data Disk.

    2. Specify the category and capacity of the disk.

    3. Select Disk Encryption and select a key from the drop-down list.


      You can select Default Service CMK or a custom customer master key (CMK) that has been created in KMS. The default service CMK is created and managed by ECS in your KMS; a custom CMK is managed by you, so you control its lifecycle and who is allowed to use it.

      Note
      • In the drop-down list, you can click Go to Authorize and follow on-screen instructions to attach the AliyunECSDiskEncryptDefaultRole role to allow ECS to access your KMS resources. For more information, see Use instance RAM roles to control access to resources.

      • Custom CMKs cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou-Local Region), Thailand (Bangkok), or South Korea (Seoul) region.

      If you click Create from Snapshot to create the disk from a snapshot, encryption is subject to the following limitations:

      Instance family: the instance cannot belong to the ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, or ecs.ebmhfg5 family. For more information, see Overview of instance families.

      Disk category: only Enhanced SSDs (ESSDs), ESSD AutoPL disks, and ESSD Entry disks are supported.

Encrypt a data disk when you create the disk

This section describes only how to configure the disk encryption settings when you create a disk. For information about other configurations of the disk, see Create a disk.

  1. In the upper-left corner of the Disks page, click Create Disk.

  2. In the Storage section, specify the category and capacity of the disk.

  3. Select Disk Encryption and select a key from the drop-down list.


    You can select Default Service CMK or select a custom customer master key (CMK) that has been created in KMS.

    Note
    • In the drop-down list, you can click Go to Authorize and follow on-screen instructions to attach the AliyunECSDiskEncryptDefaultRole role to allow ECS to access your KMS resources. For more information, see Use instance RAM roles to control access to resources.

    • Custom CMKs cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou-Local Region), Thailand (Bangkok), or South Korea (Seoul) region.

    If you click Create from Snapshot to create the disk from a snapshot, encryption is subject to the following limitations:

    Instance family: the instance cannot belong to the ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, or ecs.ebmhfg5 family. For more information, see Overview of instance families.

    Disk category: only Enhanced SSDs (ESSDs), ESSD AutoPL disks, and ESSD Entry disks are supported.
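The two procedures above describe the console. The following is an added example (not code from this page or from Alibaba Cloud) that expresses the same "Disk Encryption" choice as ECS API parameters for both paths, the data disk of a RunInstances call and a standalone CreateDisk call, enforces the create-from-snapshot limits listed above, and audits a DescribeDisks response for data disks that are unencrypted or use a key outside an allowlist. Parameter and field names (DataDisk.N.Encrypted, DataDisk.N.KMSKeyId, DataDisk.N.Category, DataDisk.N.SnapshotId; CreateDisk Encrypted, KMSKeyId, DiskCategory, SnapshotId; DescribeDisks Disks.Disk[].Type, Encrypted, KMSKeyId) are taken from the public ECS API reference and are assumptions as far as this page is concerned; the category identifiers cloud_essd, cloud_auto and cloud_essd_entry, the treatment of an empty KMSKeyId as the Default Service CMK, and all identifiers in the sample response are likewise assumed or constructed. Nothing here calls the API.

```python
"""Added example, not code from the Alibaba Cloud page: express the console's
"Disk Encryption" setting as ECS API parameters, and audit a DescribeDisks
response for data disks that are unencrypted or use an unexpected key.

Assumptions: parameter and field names follow the public ECS API reference;
no API call is made and the DescribeDisks response below is constructed.
"""

# Disk categories the page permits when an encrypted disk is created from a
# snapshot (category identifiers assumed from the ECS API reference).
SNAPSHOT_ENCRYPTION_CATEGORIES = {"cloud_essd", "cloud_auto", "cloud_essd_entry"}

# Instance families the page excludes for the create-from-snapshot case.
SNAPSHOT_EXCLUDED_FAMILIES = {
    "ecs.ebmg5", "ecs.ebmgn5t", "ecs.ebmi3", "ecs.sccg5",
    "ecs.scch5", "ecs.ebmc4", "ecs.ebmhfg5",
}


def family_of(instance_type):
    """'ecs.ebmg5.24xlarge' -> 'ecs.ebmg5' (family is the first two dotted parts)."""
    return ".".join(instance_type.split(".")[:2])


def _check_snapshot_limits(category, instance_type):
    """Enforce the page's limits for encrypted disks created from a snapshot."""
    if category not in SNAPSHOT_ENCRYPTION_CATEGORIES:
        raise ValueError(f"category {category!r} cannot be encrypted from a snapshot")
    if instance_type is not None and family_of(instance_type) in SNAPSHOT_EXCLUDED_FAMILIES:
        raise ValueError(f"instance family {family_of(instance_type)} is not supported")


def run_instances_data_disk(n, category, size_gb, kms_key_id=None,
                            snapshot_id=None, instance_type=None):
    """DataDisk.N.* parameters for RunInstances with encryption enabled.

    kms_key_id=None means Default Service CMK: Encrypted is set and KMSKeyId
    is omitted, so ECS uses its service key (assumed API behaviour).
    """
    if snapshot_id is not None:
        _check_snapshot_limits(category, instance_type)
    params = {
        f"DataDisk.{n}.Category": category,
        f"DataDisk.{n}.Size": str(size_gb),
        f"DataDisk.{n}.Encrypted": "true",
    }
    if kms_key_id:
        params[f"DataDisk.{n}.KMSKeyId"] = kms_key_id
    if snapshot_id:
        params[f"DataDisk.{n}.SnapshotId"] = snapshot_id
    return params


def create_disk(category, size_gb, zone_id, kms_key_id=None, snapshot_id=None):
    """Parameters for CreateDisk with encryption enabled (standalone data disk)."""
    if snapshot_id is not None:
        _check_snapshot_limits(category, None)
    params = {"ZoneId": zone_id, "DiskCategory": category,
              "Size": str(size_gb), "Encrypted": "true"}
    if kms_key_id:
        params["KMSKeyId"] = kms_key_id
    if snapshot_id:
        params["SnapshotId"] = snapshot_id
    return params


def audit_data_disks(describe_disks_response, allowed_key_ids=None):
    """Return (DiskId, reason) for data disks that violate the policy.

    An encrypted disk with an empty KMSKeyId is treated as using the Default
    Service CMK (assumption about the DescribeDisks response); it is flagged
    only when an allowlist of keys is given and does not include it.
    """
    findings = []
    for disk in describe_disks_response["Disks"]["Disk"]:
        if disk.get("Type") != "data":
            continue  # system disks are out of scope for this page
        if not disk.get("Encrypted"):
            findings.append((disk["DiskId"], "unencrypted"))
        elif allowed_key_ids is not None:
            key = disk.get("KMSKeyId") or "<default service CMK>"
            if key not in allowed_key_ids:
                findings.append((disk["DiskId"], f"unexpected key {key}"))
    return findings


# Constructed DescribeDisks response; the identifiers are not real.
SAMPLE_RESPONSE = {"Disks": {"Disk": [
    {"DiskId": "d-sys0001", "Type": "system", "Category": "cloud_essd",
     "Encrypted": False, "KMSKeyId": ""},
    {"DiskId": "d-data0001", "Type": "data", "Category": "cloud_essd",
     "Encrypted": True, "KMSKeyId": "key-example-custom"},
    {"DiskId": "d-data0002", "Type": "data", "Category": "cloud_efficiency",
     "Encrypted": False, "KMSKeyId": ""},
    {"DiskId": "d-data0003", "Type": "data", "Category": "cloud_auto",
     "Encrypted": True, "KMSKeyId": ""},
]}}

if __name__ == "__main__":
    print(run_instances_data_disk(1, "cloud_essd", 100, kms_key_id="key-example-custom"))
    print(create_disk("cloud_auto", 200, "cn-hangzhou-h"))
    for disk_id, reason in audit_data_disks(SAMPLE_RESPONSE, {"key-example-custom"}):
        print(disk_id, reason)
```

Because encryption cannot be turned on after creation, the audit is the useful control: run it over the real DescribeDisks output for each region and treat any "unencrypted" finding as a disk that has to be recreated, and any "unexpected key" finding as a disk whose key is not under the governance you intended.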