When you create Elastic Compute Service (ECS) instances or copy custom images by using the ECS console or by calling API operations, you can encrypt the system disks. After the system disks are encrypted, data stored on the disks is also encrypted. Encryption keys can be customer master keys (CMKs) that are created by Key Management Service (KMS) or Bring Your Own Key (BYOK) keys (custom keys imported by using the BYOK feature).
Background information
Methods of encrypting system disks
You can use one of the following methods to encrypt a system disk:
- When you create an ECS instance, select Disk Encryption and select a key in the Storage section to encrypt the system disk. For more information, see Encrypt the system disk of an instance when you create the instance.
Note You cannot encrypt system disks when you create instances in Hong Kong Zone D or Singapore Zone A.
- When you copy a custom image, select Encrypt and select a key to encrypt the custom image copy. If an ECS instance is created from the encrypted custom image copy, the system disk and data disks of the instance are automatically encrypted. For more information, see Create an encrypted system disk when you copy a custom image.
The following figure shows how to create an encrypted system disk by using the Copy and Encrypt feature. The Copy and Encrypt feature allows you to encrypt the image copy when you copy a custom image. For more information, see Encryption overview.
Scenarios for encrypting a system disk
The following table describes the different scenarios for encrypting a system disk.
Encrypted custom image | System disk encrypted when the instance is created | System disk encrypted |
---|---|---|
No | No | No |
No | Yes (Use Key A). For more information, see Encrypt the system disk of an instance when you create the instance. | Yes (Use Key A) |
Yes (Use Key B). For more information, see Create an encrypted system disk when you copy a custom image. | No | Yes (Use Key B) |
Yes (Use Key B). For more information, see Create an encrypted system disk when you copy a custom image. | Yes (Use Key A). For more information, see Encrypt the system disk of an instance when you create the instance. | Yes (Use Key A) |
Encrypt the system disk of an instance when you create the instance
You can select Disk Encryption and select a key to encrypt the system disk of an instance when you create the instance.
Requirements
If you want to encrypt the system disk of an instance when you create the instance, the instance must meet the following requirements:
- The instance family of the instance cannot be one of the following: ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, or ecs.ebmhfg5. For more information, see Instance family.
- The instance uses only a public or custom image. The instance cannot use an Alibaba Cloud Marketplace image or a shared image.
- The instance uses only enhanced SSDs (ESSDs).
Create an ECS instance
Create an encrypted system disk when you copy a custom image
When you copy a custom image, you can select Encrypt to encrypt the custom image copy. This way, system and data disks created from the encrypted custom image copy are automatically encrypted.
Encrypt a custom image
You can encrypt a custom image by using the ECS console or by calling the CopyImage operation.
- Encrypt a custom image when you copy an image in the ECS console
This section describes how to copy an existing custom image and encrypt the image copy in the ECS console. Then, you can create an encrypted system disk from the encrypted image copy. If no custom images are available, create a custom image. For more information, see Create a custom image from a snapshot and Create a custom image from an instance.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the upper-left corner of the top navigation bar, select a region.
- On the Images page, click the Custom Images tab.
- Find the custom image that you want to copy and click Copy Image in the Actions column.
Note If the size of the custom image is larger than 500 GiB, follow on-screen tips to submit a ticket after you click Copy Image.
- In the Copy Image dialog box, select Encrypt and select a key from the drop-down list.
By default, Alibaba Cloud uses the managed service key (Default Service CMK) when you select Disk Encryption for a system disk. You can also specify a BYOK key that you created in KMS as the encryption key of the system disk. We recommend that you use a BYOK key as the encryption key. For information about how to create a custom CMK, see Create a CMK.
Note The first time that you select Encrypt, click Go to Authorize and follow on-screen tips to attach AliyunECSDiskEncryptDefaultRole to allow ECS to access your KMS resources. This step describes only how to configure the encryption settings when you copy a custom image. For more information about other configurations, see Copy a custom image.
- Click OK.
You can create an encrypted system disk from the encrypted image copy. After the system disk is encrypted, a tag is automatically added to the KMS key used to encrypt the disk. The key of the tag is acs:ecs:disk-encryption, and the value of the tag is true. You can log on to the KMS console and click the key ID to view the tag of the key.
- Encrypt a custom image by calling the CopyImage operation
In the following example, Alibaba Cloud CLI is used to call the CopyImage operation and specify KMSKeyId to copy a custom image and encrypt the image copy. You can create an encrypted system disk from the encrypted image copy.
aliyun ecs CopyImage --RegionId cn-hongkong \
  --ImageId m-bp155shrycg3s0****** --DestinationRegionId cn-shenzhen \
  --Encrypted true --KMSKeyId e522b26d-abf6-4e0d-b5da-04b7******3c \
  --Tag.1.Key EcsDocumentation
Use an encrypted custom image to create an ECS instance
After a custom image is encrypted, the system and data disks of an instance that is created from the image are automatically encrypted. The system and data disks use the same encryption key as the custom image. For information about how to create an ECS instance, see Create an instance by using the wizard.
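The scenario table above and this section state which key a disk ends up with: a key selected at instance creation (Key A) takes precedence, otherwise the disk inherits the key of the encrypted image (Key B), and with neither the disk is unencrypted. The following added example (not from the original page or from Alibaba Cloud) encodes that rule and runs an offline audit over a constructed, DescribeDisks-shaped JSON payload, flagging disks that are unencrypted or that carry a key other than the one their provisioning implies. The field names Disks.Disk[].Encrypted, KMSKeyId, Type and InstanceId, the disk and key IDs, and the provisioning records are all assumptions constructed for the example.

```python
import json
from typing import Dict, List, Optional

# Constructed sample shaped like a DescribeDisks response (assumption: field names
# Encrypted, KMSKeyId, Type, InstanceId; every ID here is a placeholder).
SAMPLE_DESCRIBE_DISKS = json.dumps({"Disks": {"Disk": [
    # Instance i-1: image encrypted with Key B, Key A selected at creation -> Key A wins.
    {"DiskId": "d-sys-1", "InstanceId": "i-1", "Type": "system",
     "Encrypted": True, "KMSKeyId": "key-A-EXAMPLE"},
    {"DiskId": "d-data-1", "InstanceId": "i-1", "Type": "data",
     "Encrypted": True, "KMSKeyId": "key-A-EXAMPLE"},
    # Instance i-2: encrypted image only -> disk inherits the image key (Key B).
    {"DiskId": "d-sys-2", "InstanceId": "i-2", "Type": "system",
     "Encrypted": True, "KMSKeyId": "key-B-EXAMPLE"},
    # Instance i-3: unencrypted image, no key selected -> unencrypted disk.
    {"DiskId": "d-sys-3", "InstanceId": "i-3", "Type": "system",
     "Encrypted": False, "KMSKeyId": ""},
    # Instance i-4: provisioned with Key A, but the disk reports a different key.
    {"DiskId": "d-sys-4", "InstanceId": "i-4", "Type": "system",
     "Encrypted": True, "KMSKeyId": "key-C-EXAMPLE"},
]}})

# Constructed provisioning records: which key (if any) was selected when the
# instance was created, and which key (if any) encrypted the source image.
PROVISIONING = {
    "i-1": {"create_time_key": "key-A-EXAMPLE", "image_key": "key-B-EXAMPLE"},
    "i-2": {"create_time_key": None, "image_key": "key-B-EXAMPLE"},
    "i-3": {"create_time_key": None, "image_key": None},
    "i-4": {"create_time_key": "key-A-EXAMPLE", "image_key": None},
}


def expected_key(create_time_key: Optional[str], image_key: Optional[str]) -> Optional[str]:
    """Apply the scenario table: a key chosen at creation wins over the image's
    key; otherwise the image key is inherited; None means unencrypted."""
    return create_time_key or image_key


def audit(describe_disks_json: str, provisioning: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Return a list of findings per DiskId; an empty list means the disk is
    encrypted with exactly the key its provisioning implies."""
    findings: Dict[str, List[str]] = {}
    for disk in json.loads(describe_disks_json)["Disks"]["Disk"]:
        record = provisioning.get(disk["InstanceId"], {})
        want = expected_key(record.get("create_time_key"), record.get("image_key"))
        # Assumption: an unencrypted disk reports Encrypted=false; treat it as "no key".
        have = disk.get("KMSKeyId") if disk.get("Encrypted") else None
        issues: List[str] = []
        if have is None:
            # Flagged even when provisioning predicted it: an unencrypted system
            # disk is always worth surfacing in an encryption audit.
            issues.append("disk is not encrypted")
        if have != want:
            issues.append(f"key mismatch: expected {want}, found {have}")
        findings[disk["DiskId"]] = issues
    return findings


if __name__ == "__main__":
    for disk_id, issues in audit(SAMPLE_DESCRIBE_DISKS, PROVISIONING).items():
        print(disk_id, "OK" if not issues else "; ".join(issues))
```

To run this against real data, replace SAMPLE_DESCRIBE_DISKS with the output of a DescribeDisks call and build PROVISIONING from your own deployment records; a disk reporting Encrypted=true with an empty KMSKeyId would indicate the managed service key rather than a BYOK key, which this audit reports as a mismatch whenever provisioning expected a named key.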
Encryption state change of a system disk
- If you do not select a CMK when you copy an unencrypted custom image, the system disks created from the image copy are unencrypted.
- If you select a CMK when you copy an unencrypted custom image, the image copy is encrypted. To access instances created from the image copy, you must use this CMK.
- If you do not select a CMK when you copy an encrypted image, the image copy is encrypted by using the same encryption key as the original image. To access instances created from the image copy, you must use the encryption key of the original image.
- If you select a new CMK when you copy an encrypted image, the image copy is encrypted by using the new CMK. To access instances created from the image copy, you must use the new CMK.