When you create Elastic Compute Service (ECS) instances or copy custom images by using the ECS console or by calling API operations, you can encrypt system disks. When a system disk is encrypted, the data stored on the disk is encrypted at rest. You can use the managed service customer master key (CMK) or a custom CMK in Key Management Service (KMS) as the encryption key for a system disk. The managed service CMK is the Default Service CMK that the system creates for you. Custom CMKs are CMKs that you create and manage in KMS.
Background information
Methods for encrypting system disks
You can use one of the following methods to encrypt a system disk:

- Method 1: (Recommended) Encrypt the system disk of an instance when you create the instance

  When you create an ECS instance, select Disk Encryption and select a key in the Storage section to encrypt the system disk. The limits described in the following table apply when you encrypt the system disk of an instance during instance creation.

  | Item | Description |
  |---|---|
  | Instance family | The instance family of the instance cannot be ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, or ecs.ebmhfg5. For more information, see Overview of instance families. |
  | Image | The image of the instance must be a public image or a custom image. Shared images and Alibaba Cloud Marketplace images are not supported. |
  | Disk category | The system disk must be an enhanced SSD (ESSD). |
  | Custom CMK | Custom CMKs cannot be selected as encryption keys in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), or South Korea (Seoul) region. |

- Method 2: Create an encrypted system disk when you copy a custom image

  When you copy a custom image, select Copy and Encrypt and select a key to encrypt the custom image copy. When you create an instance from the encrypted custom image copy, the system disk and data disks of the instance are automatically encrypted. The following figure shows how to create an encrypted system disk by using the Copy and Encrypt feature, which encrypts the image copy at the time the custom image is copied.
Scenarios for encrypting a system disk
| System disk encrypted when the instance is created | Custom image encrypted | Resulting system disk |
|---|---|---|
| No | No | Not encrypted |
| Yes (Key A) | No | Encrypted with Key A |
| No | Yes (Key B) | Encrypted with Key B |
| Yes (Key A) | Yes (Key B) | Encrypted with Key A. The key that you select when you create the instance takes precedence over the key of the image. |

For the two methods, see the (Recommended) Encrypt the system disk of an instance when you create the instance section and the Create an encrypted system disk when you copy a custom image section of this topic.
(Recommended) Encrypt the system disk of an instance when you create the instance
You can select Disk Encryption and select a key to encrypt the system disk of an instance when you create the instance.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- On the Instances page, click Create Instance.
- In the Basic Configurations step, perform the following operations. Note This step describes how to configure the encryption settings of the system disk when you create an instance. For information about other instance configurations, see Create an instance by using the wizard.
Create an encrypted system disk when you copy a custom image
When you copy a custom image within the same region or across different regions, you can select Copy and Encrypt to encrypt the custom image copy. This way, system disks and data disks (if any) created from the encrypted custom image copy are automatically encrypted.
Encrypt a custom image
You can encrypt a custom image by using the ECS console or by calling the CopyImage operation.
- Encrypt a custom image when you copy an image in the ECS console
This section describes how to copy an existing custom image and encrypt the image copy in the ECS console. Then, you can create an encrypted system disk from the encrypted image copy. If no custom images are available, create a custom image. For more information, see Create a custom image from a snapshot and Create a custom image from an instance.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the left part of the top navigation bar, select a region.
- On the Images page, click the Custom Images tab.
- Find the custom image that you want to copy and click Copy Image in the Actions column.
- In the Copy Image dialog box, set Copy Mode to Copy and Encrypt, select a destination region, and then select an encryption key. By default, Alibaba Cloud uses the Default Service CMK as the encryption key when you select Copy and Encrypt. You can also specify a CMK that you created in KMS as the encryption key for the image copy. We recommend that you use a custom CMK as the encryption key, because you control its lifecycle, rotation, and access policy. For information about how to create a CMK, see Create a CMK.

  Note The first time that you select an encryption key, click Go to Authorize and follow the on-screen tips to attach the AliyunECSDiskEncryptDefaultRole role, which allows ECS to access your KMS resources. This step describes only how to configure the encryption settings when you copy a custom image. For information about other configurations, see Copy an image.
- Click OK.
- Encrypt a custom image by calling the CopyImage operation

  In the following example, Alibaba Cloud CLI is used to call the CopyImage operation with Encrypted set to true and KMSKeyId set to the CMK to use, to copy a custom image and encrypt the image copy. Then, you can create an encrypted system disk from the encrypted image copy. The CMK that you specify must be a key in the destination region, because the encrypted image copy is created there.

  ```bash
  # Copy the custom image from cn-hongkong to cn-shenzhen and encrypt the copy
  # with the specified custom CMK. The copy is tagged with the key EcsDocumentation.
  aliyun ecs CopyImage \
    --RegionId cn-hongkong \
    --ImageId m-bp155shrycg3s0****** \
    --DestinationRegionId cn-shenzhen \
    --Encrypted true \
    --KMSKeyId e522b26d-abf6-4e0d-b5da-04b7******3c \
    --Tag.1.Key EcsDocumentation
  ```
Use an encrypted custom image to create an ECS instance
If you use an encrypted custom image to create an instance, the system and data disks of the instance are automatically encrypted with the same encryption key as the custom image. If you also select Disk Encryption and a different key when you create the instance, the system disk uses the key that you select instead, as shown in the scenarios table in this topic. For information about how to create an ECS instance, see Create an instance by using the wizard.
Encryption state change of a system disk
- If you do not select a CMK when you copy an unencrypted custom image, the image copy and the system disks created from it remain unencrypted.
- If you select a CMK when you copy an unencrypted custom image, the image copy is encrypted by using that CMK. Instances created from the image copy depend on this CMK: it must remain enabled in KMS for the instances to decrypt their disks.
- If you do not select a CMK when you copy an encrypted image, the image copy is encrypted by using the same encryption key as the source image, and instances created from the image copy depend on that key.
- If you select a new CMK when you copy an encrypted image, the image copy is re-encrypted by using the new CMK, and instances created from the image copy depend on the new CMK rather than on the key of the source image.
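As an added example that is not part of this topic or of Alibaba Cloud's own tooling, the following Python code encodes the scenarios table and the encryption state change rules above as two small decision functions, and adds the check a practitioner wants after creating an instance from an encrypted image: an audit of a DescribeDisks response that flags any disk of the instance that is unencrypted or encrypted with a CMK other than the intended one (for example, the Default Service CMK when a custom CMK was required). The DescribeDisks response is constructed for the example; the field names Encrypted, KMSKeyId, Type and DiskId follow the DescribeDisks API, and all key, disk and instance IDs are placeholders.

```python
"""Added example, not Alibaba Cloud's own code: which CMK a system disk ends
up with, and an audit of DescribeDisks output for the resulting disks."""
import json

# Placeholder ID standing in for the managed Default Service CMK (assumption).
DEFAULT_SERVICE_CMK = "default-service-cmk"


def copied_image_key(source_image_key, selected_cmk):
    """CMK of a custom image copy, per the 'Encryption state change' rules.

    source_image_key: CMK of the image being copied, or None if it is unencrypted.
    selected_cmk:     CMK chosen via Copy and Encrypt / KMSKeyId, or None.
    Returns the CMK of the copy, or None if the copy stays unencrypted.
    """
    if selected_cmk is not None:
        return selected_cmk          # a selected CMK (re-)encrypts the copy with that key
    return source_image_key          # nothing selected: inherit the source key, if any


def system_disk_key(instance_creation_key, image_key):
    """CMK of the instance's system disk, per the scenarios table.

    instance_creation_key: key selected under Disk Encryption (Key A), or None.
    image_key:             key of the custom image (Key B), or None.
    The key selected at instance creation takes precedence over the image key.
    """
    if instance_creation_key is not None:
        return instance_creation_key
    return image_key


def audit_disks(describe_disks_json, expected_kms_key_id):
    """Flag disks in a DescribeDisks response not encrypted with the intended CMK.

    Returns a list of (DiskId, Type, problem) tuples; an empty list means every
    disk is encrypted with expected_kms_key_id.
    """
    findings = []
    for disk in json.loads(describe_disks_json)["Disks"]["Disk"]:
        if not disk.get("Encrypted", False):
            findings.append((disk["DiskId"], disk["Type"], "not encrypted"))
        elif disk.get("KMSKeyId") != expected_kms_key_id:
            findings.append((disk["DiskId"], disk["Type"],
                             "encrypted with unexpected key " + str(disk.get("KMSKeyId"))))
    return findings


# Constructed DescribeDisks response for one instance (not real API output):
# the system disk uses the intended custom CMK, one data disk fell back to the
# Default Service CMK, and one data disk is unencrypted.
SAMPLE_DESCRIBE_DISKS = json.dumps({
    "TotalCount": 3,
    "Disks": {"Disk": [
        {"DiskId": "d-sys0001", "InstanceId": "i-example", "Type": "system",
         "Category": "cloud_essd", "Encrypted": True, "KMSKeyId": "key-custom-A"},
        {"DiskId": "d-data0001", "InstanceId": "i-example", "Type": "data",
         "Category": "cloud_essd", "Encrypted": True, "KMSKeyId": DEFAULT_SERVICE_CMK},
        {"DiskId": "d-data0002", "InstanceId": "i-example", "Type": "data",
         "Category": "cloud_essd", "Encrypted": False, "KMSKeyId": ""},
    ]},
})


if __name__ == "__main__":
    # Last row of the scenarios table: Key A at creation, Key B on the image -> Key A.
    print("system disk key:", system_disk_key("key-A", copied_image_key(None, "key-B")))
    for finding in audit_disks(SAMPLE_DESCRIBE_DISKS, "key-custom-A"):
        print("FINDING:", finding)
```

In practice, feed audit_disks the JSON returned by `aliyun ecs DescribeDisks --RegionId <region> --InstanceId <id>` for each newly created instance; an empty result confirms that both the system disk and the data disks carry the CMK you intended, which the console does not surface in one place.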