When you create Elastic Compute Service (ECS) instances or copy custom images by using the ECS console or by calling API operations, you can encrypt the system disks. After the system disks are encrypted, data stored on the disks is also encrypted. Encryption keys can be customer master keys (CMKs) that are created by Key Management Service (KMS) or Bring Your Own Key (BYOK) keys (custom keys imported by using the BYOK feature).

Background information

Methods of encrypting system disks

You can use one of the following methods to encrypt a system disk:
  • When you create an ECS instance, select Disk Encryption and select a key in the Storage section to encrypt the system disk. For more information, see Encrypt the system disk of an instance when you create the instance.
    Note You cannot encrypt system disks when you create instances in Hong Kong Zone D or Singapore Zone A.
  • When you copy a custom image, select Encrypt and select a key to encrypt the custom image copy. If an ECS instance is created from the encrypted custom image copy, the system disk and data disks of the instance are automatically encrypted. For more information, see Create an encrypted system disk when you copy a custom image.
    The following figure shows how to create an encrypted system disk by using the Copy and Encrypt feature. The Copy and Encrypt feature allows you to encrypt the image copy when you copy a custom image. For more information, see Encryption overview.

Scenarios for encrypting a system disk

The following table describes the different scenarios for encrypting a system disk.
Encrypted custom image | System disk encrypted when the instance is created | System disk encrypted
No                     | No                                                 | No
No                     | Yes (Use Key A) [1]                                | Yes (Use Key A)
Yes (Use Key B) [2]    | No                                                 | Yes (Use Key B)
Yes (Use Key B) [2]    | Yes (Use Key A) [1]                                | Yes (Use Key A)

[1] For more information, see Encrypt the system disk of an instance when you create the instance.
[2] For more information, see Create an encrypted system disk when you copy a custom image.

Encrypt the system disk of an instance when you create the instance

You can select Disk Encryption and select a key to encrypt the system disk of an instance when you create the instance.

Requirements

If you want to encrypt the system disk of an instance when you create the instance, the instance must meet the following requirements:
  • The instance family of the instance cannot be ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, or ecs.ebmhfg5. For more information, see Instance family.
  • The instance must use a public image or a custom image. The instance cannot use an Alibaba Cloud Marketplace image or a shared image.
  • The instance must use enhanced SSDs (ESSDs).

Create an ECS instance

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, click Create Instance.
  5. In the Basic Configurations step, perform the following operations.
    Note This step describes how to configure the encryption settings of the system disk when you create an instance. For information about other instance configurations, see Create an instance by using the wizard.
    1. Select an appropriate region and zone in the Region section and select an instance type in the Instance Type section.
    2. Select Public Image or Custom Image in the Image section.
    3. Select Enhanced SSD (ESSD) and specify a capacity for the system disk in the Storage section.
    4. Select Disk Encryption and select a key from the drop-down list in the Storage section.

      By default, Alibaba Cloud uses the Default Service CMK managed service key when you select Disk Encryption for a system disk. You can also specify the BYOK key that you created in KMS as the encryption key of the system disk. We recommend that you use a BYOK key as the encryption key. For information about how to create a custom CMK, see Create a CMK.

      After the system disk is encrypted, a tag is automatically added to the KMS key used to encrypt the disk. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can log on to the KMS console and click the key ID to view the tag of the key.

Create an encrypted system disk when you copy a custom image

When you copy a custom image, you can select Encrypt to encrypt the custom image copy. This way, system and data disks created from the encrypted custom image copy are automatically encrypted.

Encrypt a custom image

You can encrypt a custom image by using the ECS console or by calling the CopyImage operation.

  • Encrypt a custom image when you copy an image in the ECS console

    This section describes how to copy an existing custom image and encrypt the image copy in the ECS console. Then, you can create an encrypted system disk from the encrypted image copy. If no custom images are available, create a custom image. For more information, see Create a custom image from a snapshot and Create a custom image from an instance.

    1. Log on to the ECS console.
    2. In the left-side navigation pane, choose Instances & Images > Images.
    3. In the upper-left corner of the top navigation bar, select a region.
    4. On the Images page, click the Custom Images tab.
    5. Find the custom image that you want to copy and click Copy Image in the Actions column.
      Note If the size of the custom image is larger than 500 GiB, follow on-screen tips to submit a ticket after you click Copy Image.
    6. In the Copy Image dialog box, select Encrypt and select a key from the drop-down list.

      By default, Alibaba Cloud uses the Default Service CMK managed service key when you select Encrypt for the image copy. You can also specify the BYOK key that you created in KMS as the encryption key of the image copy. We recommend that you use a BYOK key as the encryption key. For information about how to create a custom CMK, see Create a CMK.

      Note The first time that you select Encrypt, click Go to Authorize and follow on-screen tips to attach AliyunECSDiskEncryptDefaultRole to allow ECS to access your KMS resources. This step describes only how to configure the encryption settings when you copy a custom image. For more information about other configurations, see Copy a custom image.
    7. Click OK.

      You can create an encrypted system disk from the encrypted image copy. After the system disk is encrypted, a tag is automatically added to the KMS key used to encrypt the disk. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can log on to the KMS console and click the key ID to view the tag of the key.

  • Encrypt a custom image by calling the CopyImage operation
    In the following example, Alibaba Cloud CLI is used to call the CopyImage operation and specify KMSKeyId to copy a custom image and encrypt the image copy. You can create an encrypted system disk from the encrypted image copy.
    aliyun ecs CopyImage --RegionId cn-hongkong \
        --ImageId m-bp155shrycg3s0****** --DestinationRegionId cn-shenzhen \
        --Encrypted true --KMSKeyId e522b26d-abf6-4e0d-b5da-04b7******3c \
        --Tag.N.Key EcsDocumentation

Use an encrypted custom image to create an ECS instance

After a custom image is encrypted, the system and data disks of an instance that is created from the image are automatically encrypted. The system and data disks use the same encryption key as the custom image. For information about how to create an ECS instance, see Create an instance by using the wizard.

Encryption state change of a system disk

After you copy a custom image and encrypt the custom image copy, the encryption state of the system disks created from the image copy is determined by whether a new CMK is selected during the image copy process. The following section describes how a CMK affects the encryption state of a system disk.
  • If you do not select a CMK when you copy an unencrypted custom image, the system disks created from the image copy are unencrypted.
  • If you select a CMK when you copy an unencrypted custom image, the image copy is encrypted. To access instances created from the image copy, you must use this CMK.
  • If you do not select a CMK when you copy an encrypted image, the image copy is encrypted by using the same encryption key as the original image. To access instances created from the image copy, you must use the encryption key of the original image.
  • If you select a new CMK when you copy an encrypted image, the image copy is encrypted by using the new CMK. To access instances created from the image copy, you must use the new CMK.
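The following added example (not code from the Alibaba Cloud documentation or CLI) models the key-selection rules from the scenario table and from the four cases above, and then audits a DescribeDisks response to confirm that every disk of an instance is protected by the expected key. It assumes the response carries Disks.Disk[].Encrypted and KMSKeyId; the key IDs, disk IDs and the DEFAULT_SERVICE_CMK label are constructed placeholders.

```python
import json
from typing import List, Optional

# Placeholder for the Default Service CMK that ECS uses when Disk Encryption or
# Encrypt is selected without an explicit key (the real key ID is shown in KMS).
DEFAULT_SERVICE_CMK = "default-service-cmk-placeholder"


def chosen_key(encrypt_selected: bool, key: Optional[str]) -> Optional[str]:
    """Key implied by a console selection: none if encryption is not selected,
    the Default Service CMK if selected without a key, else the chosen key."""
    if not encrypt_selected:
        return None
    return key if key is not None else DEFAULT_SERVICE_CMK


def image_copy_key(source_image_key: Optional[str],
                   selected_cmk: Optional[str]) -> Optional[str]:
    """Key protecting an image copy: a CMK selected during the copy always wins;
    otherwise the copy keeps the source image's key (None = unencrypted)."""
    return selected_cmk if selected_cmk is not None else source_image_key


def system_disk_key(image_key: Optional[str],
                    create_time_key: Optional[str]) -> Optional[str]:
    """Key protecting the system disk of a new instance (scenario table): a key
    selected under Disk Encryption at creation (Key A) takes precedence over the
    key inherited from an encrypted custom image (Key B)."""
    return create_time_key if create_time_key is not None else image_key


def audit_disks(describe_disks_json: str, expected_key: str) -> List[str]:
    """IDs of disks that are unencrypted or encrypted with a key other than
    expected_key, read from a DescribeDisks response (assumed field names)."""
    disks = json.loads(describe_disks_json)["Disks"]["Disk"]
    return [d["DiskId"] for d in disks
            if not d.get("Encrypted") or d.get("KMSKeyId") != expected_key]


# Constructed DescribeDisks response for illustration; IDs are not real resources.
SAMPLE_RESPONSE = json.dumps({"Disks": {"Disk": [
    {"DiskId": "d-sys-example", "Type": "system", "Encrypted": True,
     "KMSKeyId": "key-a-example"},
    {"DiskId": "d-data-example", "Type": "data", "Encrypted": True,
     "KMSKeyId": "key-b-example"},
    {"DiskId": "d-plain-example", "Type": "data", "Encrypted": False},
]}})

if __name__ == "__main__":
    print(system_disk_key("key-b-example", "key-a-example"))  # key-a-example
    print(audit_disks(SAMPLE_RESPONSE, "key-a-example"))
```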

What to do next

You can use the encrypted image copy to create an instance or replace the system disk of an instance as described in the following topics: