The disk encryption feature automatically encrypts operating system data that is stored on disks attached to Elastic Compute Service (ECS) instances. The encryption is implemented on the host that the ECS instances reside. You do not need to establish or maintain the key management infrastructure. To enable the disk encryption feature, you can select the Encryption option when you create separate data disks or when you add a system disk or data disks when you create an ECS instance. The disk encryption feature allows you to protect the privacy and autonomy of data and provides security boundaries for data.
Introduction
Disks are encrypted by using the industry-standard Advanced Encryption Standard-256 (AES-256) encryption algorithm and Key Management Service (KMS). After you enable the disk encryption feature, data is automatically encrypted when the data is transmitted from ECS instances to disks and is automatically decrypted when the data is read from disks. Disk encryption and decryption are performed on the hosts on which the ECS instances reside. Although encryption-incapable disks outperform encryption-capable disks, the disk encryption feature has minimal impacts on ECS instance performance. The disk performance degradation caused by the disk encryption feature varies based on the upper-layer application.
The following disks can be encrypted:
After you create ECS instances to which encrypted system disks are attached, data in the operating systems of the instances is automatically encrypted. The data is automatically decrypted when it is read.
The following types of data are automatically encrypted when you create an encrypted disk and attach the disk as a data disk to an ECS instance. The data is automatically decrypted when it is read.
Data at rest that is stored on the encrypted disk.
Data transmitted between the encrypted disk and the ECS instance, except data in the instance operating system.
Data transmitted from the ECS instance to a backend storage cluster.
All snapshots created from the encrypted disk. These snapshots have the same encryption key as the disk.
All disks created from encrypted snapshots.
Encryption keys
By default, the disk encryption feature uses service keys to encrypt data. You can also create a customer master key (CMK) to encrypt data. To encrypt data stored on each disk, you must use a CMK, a data key (DK), and the envelope encryption mechanism. In the envelope encryption mechanism, CMKs are placed under strong logical and physical security protection by the key management infrastructure provided by KMS. An Alibaba Cloud service must be authorized to use a CMK to generate a DK to encrypt business data or decrypt the ciphertext of the DK to decrypt business data. The plaintext of the DK is only used in the memory of the host where your ECS instance resides. The DK is not stored in plaintext in any persistent storage medium.
For more information, see Overview of Key Management.
The following table describes the types of keys that you can use to encrypt disks.
Type | Description | Sources | Scenario |
Default key, key ① shown in the following figure | The dedicated CMK that is created by KMS for ECS in a region when you activate KMS and use the disk encryption feature for the first time in the region. The alias of the CMK is acs/ecs. Default keys cannot be deleted or disabled. | The default key provided by KMS. A default key can be a service key or a CMK. A service key is created and managed by an Alibaba Cloud service. You can create and manage a default key of the CMK type. | You can use service keys to encrypt disks in a convenient and efficient manner. For more information, see Overview of Key Management. |
CMK, key ② shown in the following figure | An encryption key that you create. You have full permissions to create, rotate, and disable CMKs, and define access control over CMKs. |
| You can use CMKs to encrypt disks in a flexible manner and increase the number of keys. For more information, see Overview of Key Management. |
Billing
The disk encryption feature uses KMS for encryption. KMS provides free default keys that you can use without the need to purchase KMS instances. If you want to increase the number of CMKs, use Secrets Manager, or build an application-layer cryptographic solution for self-managed applications, you must purchase a KMS instance of the software key management type or the hardware key management type. For information about how to purchase a KMS instance, see Purchase and enable a KMS instance. For information about the billing of KMS, see Billing.
If you use an earlier version of KMS, you are charged for using KMS to encrypt disks, including the fees for managing keys and the fees for calling API operations. For more information, see Billing of KMS.
Limits
For information about the limits of the disk encryption feature on system disks and data disks, see Encrypt a system disk and Encrypt a data disk.
Local disks cannot be encrypted.