This topic describes how to encrypt a data disk. After a data disk is encrypted, both data in transit and data at rest on the disk are encrypted. You can follow the instructions described in this topic to encrypt data disks to meet security compliance requirements.
Background information
You can use one of the following methods to encrypt data disks:
- Create an Elastic Compute Service (ECS) instance from an encrypted custom image that contains data of data disks. The data disks of the instance that were created from the custom image are encrypted. For more information, see Encrypt a system disk.
- When you create an instance, click Add Disk to add data disks and select Disk Encryption and a key for each added data disk. For more information, see Encrypt a data disk when you create an ECS instance.
- When you create an independent disk, select Disk Encryption and a key for each disk. For more information, see Encrypt a data disk when you create the disk.
When you encrypt data disks, you must use the keys in Key Management Service (KMS). For more information, see Encryption overview.
Encrypt a data disk when you create an ECS instance
Encrypt a data disk when you create the disk
Change the encryption state
After a data disk of an instance is created, you cannot change its encryption state. If you want to change the encryption state of its data, perform the procedures described in the following table.
State change | Procedure | Windows Server | Linux |
---|---|---|---|
From unencrypted to encrypted | | In Command Prompt, run the robocopy command. | Run the rsync shell command. |
From encrypted to unencrypted | | | |