Encryption overview - Elastic Compute Service - Alibaba Cloud Documentation Center

This topic describes the basic concepts of encryption. In the scenarios that require data security and regulatory compliance, you can encrypt your data stored in Alibaba Cloud Elastic Compute Service (ECS). You can implement encryption to protect the privacy, autonomy, and security of data without the need to establish or maintain key management infrastructure. Both system disks and data disks can be encrypted.

Introduction

ECS uses the industry-standard AES-256 encryption algorithm and Key Management Service (KMS) to encrypt disks. Encryption and decryption have minimal impacts on ECS instance performance. The performance of disks for which encryption is disabled is higher than that of disks for which encryption is enabled. The amount that performance degrades varies based on the upper-layer applications on disks for which encryption is enabled.

Note Starting from March 31, 2022, KMS is upgraded to Dedicated KMS that provides tenant-specific storage and cryptographic key management service. For more information, see [Upgrade Announcement] KMS is upgraded to Dedicated KMS.

When you create an ECS instance by using an encrypted system disk or image, data in the operating system of the ECS instance is automatically encrypted. The data is automatically decrypted when it is read. For more information how to create an encrypted system disk, see Encrypt a system disk.
The following types of data are encrypted when you create an encrypted disk and attach it to an ECS instance. The data is decrypted when it is read. For more information how to encrypt a data disk, see Encrypt a data disk.
- Data at rest that is stored on the encrypted disk.
- Data transmitted between the encrypted disk and the ECS instance, excluding data in the operating system.
- Data transmitted from the ECS instance to a backend storage cluster.
- All snapshots created from the encrypted disk. These snapshots have the same encryption key as the disk.
- All disks created from the encrypted snapshots.

Encryption keys

By default, the disk encryption feature uses service keys to encrypt your data. You can also create custom keys to encrypt your data. To encrypt data stored on each disk, you must use a customer master key (CMK) and a data key (DK) and the envelope encryption mechanism. In the envelope encryption mechanism, CMKs are placed under strong logical and physical security protection by the key management infrastructure provided by KMS. An Alibaba Cloud service must be authorized to use a CMK to generate a DK to encrypt business data or decrypt the ciphertext of the DK to decrypt business data. The plaintext of the DK is only used in the memory of the host where your ECS instance resides. The DK is not stored in plaintext in persistent storage medium.

The following table describes the types of CMKs that you can use to encrypt disks.


Type	Description	Source	Scenario
Service key, key ① in the following figure	The dedicated CMK that is automatically created by KMS for ECS in a region when you activate KMS and use encryption for the first time within the region. The alias name of service keys is acs/ecs. Service keys cannot be deleted or disabled.	The default service CMK provided by KMS.	You can use service keys to encrypt disks in a more convenient and efficient manner. For more information, see Overview.
Customer-created key, key ② in the following figure	The encryption keys that you create. You have full permissions to create, rotate, and disable these keys, and define access control over them.	Source 1: Keys created in KMS. Source 2: Keys created in KMS from key materials imported by using the Bring Your Own Key (BYOK) feature (BYOK keys)	You can use customer-created keys to encrypt disks in a more flexible manner and increase the number of keys. For more information, see Overview.

Differences between a service key and a customer-created key

Billing

The following table describes the billing information of features and operations related to encryption. Make sure that your account balance is sufficient. Otherwise, operations that incur costs may fail.


Operation	Billable
Encrypt system disks and data disks.	No.
Use service keys that are provided by KMS.	No.
Create CMKs (including BYOK keys) in KMS.	Yes. For more information, see Billing.
Perform read and write operations on disks, such as mounting (mount) and unmounting (umount) partitions, creating partitions, and formatting file systems.	No.
Disk management operations include: Create an encrypted disk by calling the RunInstances, CreateInstance, or CreateDisk operation. Attach a disk to an instance by calling the AttachDisk operation. Create a snapshot for a disk by calling the CreateSnapshot operation. Detach a disk from an instance by calling the DetachDisk operation. Roll back a disk by calling the ResetDisk operation. Re-initialize a disk by calling the ReInitDisk operation. Note If you perform operations on a disk from the ECS console or by calling API operations in a region, the operations consume the KMS API quota within the region.	Yes. For more information, see Billing.
Use Dedicated KMS	Yes. For more information, see Billing of Dedicated KMS.

Limits


Limits	Description
Limits on category of disks that can be encrypted Note Local disks cannot be encrypted.	System disks: Disks that can be encrypted when the associated instances are created: enhanced SSDs (ESSDs). Disks that can be encrypted when the source custom images are copied:ESSDs, standard SSDs, ultra disks, and basic disks. For more information, see Encrypt a system disk.
	Data disks:Disks that can be encrypted: ESSDs, standard SSDs, and ultra disks. For more information, see Encrypt a data disk.
Limits on encrypted disks	Unencrypted disks cannot be directly converted to encrypted disks. Encrypted disks cannot be directly converted to unencrypted disks.
Limits on encrypted images	Encrypted images cannot be converted to unencrypted images. Encrypted images cannot be copied across regions. Encrypted images cannot be exported.