Elastic Desktop Service:Data Security

Last Updated: Jun 02, 2026

Elastic Desktop Service Enterprise protects your data through transfer encryption, display controls, peripheral restrictions, snapshot backups, disk encryption, and secure communication protocols.

Data protection

Transfer security

Cloud computer policies control file transfers between cloud computers and local devices to minimize security risks.

  • Default state: Off

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependent products: None

  • Limitations:

    • Clipboard control:

      • No prerequisites are required for transferring text and images.

      • File transfers require the Windows client V7.3 or later.

      • Fine-grained control requires cloud computer image version 2.4 or later. Otherwise, all copy operations are blocked.

    • Web client file transfer: Even if set to Allow Upload/Download, this policy does not take effect for Linux-based cloud computers that use the HDX protocol. To enable file transfers on such cloud computers, you must use the default system policy, which has all features enabled.

  • References: Data security

Configuration

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose O&M Management > Policy.

  3. On the Policy page, click Create Policy.

  4. On the Create Policy page, enter a Policy Name as prompted, configure the policy settings as needed, and then click OK.

Local disk mapping

Maps the disks of a local device to the cloud desktop. This lets you access data on the local disks from the cloud desktop. Options include the following:

  • Read-only: You can view and copy data from local disks, but you cannot write data to the disks.

  • Disabled: Prevents access to data on local disks from the cloud desktop.

  • Read/write: You can view, copy, and modify data on local disks from the cloud desktop.

Clipboard control

Management granularity: This parameter determines the scope of the clipboard permission settings. The options include:

  • Global: Applies a single clipboard permission to text, rich text/images, and files/folders.

  • Fine-grained: Sets separate clipboard permissions for text, rich text/images, and files/folders.

    Note

    This option is not supported on cloud computers with an image version earlier than 2.4. On these cloud computers, all copy operations are blocked.

Text copy permission, Rich text/image copy permission, and File/folder copy permission: Set clipboard permissions by data type. The options include:

  • Allow Two-way Copy: Allows cutting, copying, and pasting data between the cloud computer and the local device.

  • Deny Two-way Copy: Prohibits cutting, copying, and pasting data between the cloud computer and the local device.

  • Allow Copy from Local Device to Cloud Computer

  • Allow Copy from Cloud Computer to Local Device

Maximum text copy size: Sets the maximum size for copied text. Text that exceeds this limit is truncated.

Data security

Web client file transfer: Controls whether files can be transferred between a cloud computer and a local device by using the Web client.
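The clipboard permission logic described above, modelled as an added example (this is not code from the EDS documentation or product): it resolves the permission for a data type from the granularity and image version, applies the copy direction, gates file transfers on the Windows client V7.3 requirement, and truncates text over the size limit. The policy structure, function names and the unit of the size limit (characters) are assumptions.

```python
# Added example, not part of the EDS documentation: a model of how the
# clipboard control policy is evaluated. Policy structure, function names
# and the unit of the text size limit (characters) are assumptions.
from dataclasses import dataclass, field

TWO_WAY = "Allow Two-way Copy"
DENY = "Deny Two-way Copy"
LOCAL_TO_CLOUD = "Allow Copy from Local Device to Cloud Computer"
CLOUD_TO_LOCAL = "Allow Copy from Cloud Computer to Local Device"
DATA_TYPES = ("text", "rich_text_image", "file_folder")

# Directions each permission value allows (assumed mapping of the page's options).
_ALLOWED_DIRECTIONS = {
    TWO_WAY: {"local_to_cloud", "cloud_to_local"},
    DENY: set(),
    LOCAL_TO_CLOUD: {"local_to_cloud"},
    CLOUD_TO_LOCAL: {"cloud_to_local"},
}


@dataclass
class ClipboardPolicy:
    granularity: str = "Global"                   # "Global" or "Fine-grained"
    global_permission: str = DENY                 # used when granularity is Global
    per_type: dict = field(default_factory=dict)  # data type -> permission (Fine-grained)
    max_text_chars: int = 1024                    # "Maximum text copy size"


def _version(v: str) -> tuple:
    """'2.4.1' -> (2, 4, 1) so that versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def permission_for(policy: ClipboardPolicy, data_type: str, image_version: str) -> str:
    """Permission that applies to one data type on a cloud computer with this image version."""
    if data_type not in DATA_TYPES:
        raise ValueError(f"unknown clipboard data type: {data_type}")
    if policy.granularity == "Global":
        return policy.global_permission
    # Fine-grained control needs image 2.4 or later; on older images all copy is blocked.
    if _version(image_version) < (2, 4):
        return DENY
    return policy.per_type.get(data_type, DENY)


def evaluate_copy(policy, data_type, direction, image_version,
                  payload="", client="Windows", client_version="7.3.0"):
    """Decide one copy operation. direction is 'local_to_cloud' or 'cloud_to_local'.

    Returns (allowed, payload); text longer than the limit is truncated, not refused.
    """
    if direction not in ("local_to_cloud", "cloud_to_local"):
        raise ValueError(f"unknown direction: {direction}")
    # File transfers through the clipboard require the Windows client V7.3 or later.
    if data_type == "file_folder" and (client != "Windows" or _version(client_version) < (7, 3)):
        return False, ""
    permission = permission_for(policy, data_type, image_version)
    if direction not in _ALLOWED_DIRECTIONS[permission]:
        return False, ""
    if data_type == "text" and len(payload) > policy.max_text_chars:
        payload = payload[: policy.max_text_chars]
    return True, payload
```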

Display security

Configure anti-screen capture and watermark policies to protect cloud computer display security.

  • The Anti-screenshot feature helps prevent data leaks from screen captures or recordings.

    Example: An architectural design firm enables the anti-screenshot rule for its cloud computers to prevent unauthorized copying of design drawings. As a result, no one can use screen capture tools on their local devices to take screenshots or record the cloud computer screen.

  • The Watermark feature is used for data loss prevention, serving as both a deterrent and an audit tool.

    Example: An advertising company enables watermarks on its cloud computers. When an employee takes a screenshot of an internal document, the image is overlaid with an administrator-defined watermark. This effectively discourages internal file leaks and provides a crucial audit trail if a data breach occurs.

  • Default state: Off

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependent products: None

  • Limitations (minimum image version and client version by feature):

    • Anti-screenshot: Minimum image version: N/A. Client and minimum version: Windows client and macOS client V5.2.

    • Invisible watermark intensity: Minimum image version: 1.8.0. Client and minimum version: N/A.

    • Invisible watermark with anti-photography: Minimum image version: 1.8.0. Client and minimum version: any client V6.7.

  • References: Display security

Configuration

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose O&M Management > Policy.

  3. On the Policy page, click Create Policy.

  4. On the Create Policy page, enter a Policy Name as prompted, configure the policy settings as needed, and then click OK.

Anti-screenshot

This feature helps prevent data leaks. When enabled, end users cannot use screen capture tools on their local devices to take screenshots or record the cloud computer screen.

Note

  • The anti-screenshot feature is supported only on Windows client and macOS client versions 5.2.0 and later.

  • Support for the anti-screenshot feature varies among different types of Alibaba Cloud Workspace clients. If you enable this feature, we recommend that you configure the logon method control policy to allow connections from supported clients.

Watermark

This feature is used for data loss prevention, serving as a deterrent and an audit tool.

Visible watermark

A visible watermark is a discernible overlay on the screen. You can configure its content and display style.

  • Watermark content (Select up to 3)

    • Username: For example, testuser01.

    • Cloud Computer ID: For example, ecd-66twv7ri4nmgh****.

    • Cloud computer IP address: For example, 192.0.2.0.

    • Client IP address: For example, 192.0.2.254.

    • The current time on the cloud computer. For example, 20230101.

    • Custom text: The custom text that you enter, such as Internal Data.

      Note

      The custom content can be up to 20 characters long. Supported characters include uppercase and lowercase letters, numbers, Chinese characters, and the following special characters: ~!@#$%^&*()-_=+|{};:',<.?. Using line breaks or other special characters may cause the custom content to not take effect.

  • Display style

    • Font size: The value range is 10 to 20 px. The default value is 12 px.

    • Font color: The RGB color value. The default value is #FFFFFF (white).

    • Transparency: The value must be an integer from 10 to 100. A value of 0 means opaque and 100 means fully transparent. The default value is 25.

    • Tilt: The value can range from -30 to -10. The default value is -25.

    • Watermark density: The value range for both rows and columns is 3 to 10. The default value for both is 3.

During configuration, you can see a real-time preview of the visible watermark in the preview area below.

Invisible watermark

An invisible watermark is not discernible to the naked eye. The default algorithm provided by Elastic Desktop Service (EDS) encrypts watermark information based on different Alibaba Cloud account identities to prevent malicious tampering. The parameters for invisible watermarks include:

  • Security Priority: Because the invisible watermark feature depends on specific client and image versions, we recommend that you enable this option.

    • If enabled, an end user can connect to a cloud computer only if both the client and the image meet the version requirements.

    • If disabled, an end user can still connect even if the client or image does not meet the version requirements, but the invisible watermark will not be effective.

  • Invisible watermark intensity: A higher intensity increases the granularity of the cloud computer desktop display and improves the success rate of watermark parsing. Adjust the intensity based on your needs. This feature requires an image of version 1.8.0 or later.

  • Watermark content (Select up to 2):

    • Cloud Computer ID: For example, ecd-66twv7ri4nmgh****.

    • Cloud computer IP address: For example, 192.0.2.0.

    • Client IP address: For example, 192.0.2.254.

    • The current time of the cloud computer. For example: 20230101.

  • Anti-photography: This feature requires an image of version 1.8.0 or later and an Alibaba Cloud Workspace client of version 6.7.0 or later.

Peripheral security

Administrators can restrict device redirection to prevent client peripherals from accessing the cloud computer environment. The following peripherals can be controlled:

  • Printer: Disable printer redirection to prevent data leakage and block unauthenticated printers.

  • Webcam: Disable webcam redirection to prevent unauthorized image capture and privacy leaks.

  • USB device: Enable or disable all client USB devices, or control access at the device level by using Vendor IDs (VID) and Product IDs (PID).

  • Default state: Off

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependent products: None

  • Limitations: None

  • References: Peripheral-related policies

Configuration

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose O&M Management > Policy.

  3. On the Policy page, click Create Policy.

  4. On the Create Policy page, enter a Policy Name as prompted, configure the policy settings as needed, and then click OK.

Peripheral connection guide

Enabled by default. If disabled, the terminal no longer displays the connection guide pop-up for connected peripherals.

  Requirements or limits: Only Windows cloud desktops are supported.

Peripherals and printers

Peripherals and printers shortcut: By default, the shortcut for Peripherals and Printers is displayed on the cloud desktop. Configure it to be hidden to hide the shortcut. Options include the following:

  • Show shortcut

  • Hide shortcut

  Requirements or limits: Only Windows cloud desktops are supported.

Local disk redirection

Local disk mapping: Maps the disks of a local device to the cloud desktop. This lets you access data on the local disks from the cloud desktop. Options include the following:

  • Read-only: You can view and copy data from local disks, but you cannot write data to the disks.

  • Disabled: Prevents access to data on local disks from the cloud desktop.

  • Read/write: You can view, copy, and modify data on local disks from the cloud desktop.

  Requirements or limits: None.

Peripheral redirection

USB redirection switch: After you enable this switch, you can use USB devices connected to the local terminal from the cloud desktop. You can also control access based on blacklists and whitelists or device categories. If you disable this switch, peripherals that you configured for 'USB redirection' automatically switch to 'Disabled'.

  Requirements or limits: Web clients do not support USB devices. Therefore, USB redirection is not supported.

Camera, Scanner, ADB, Printer, and Serial port device: Select a redirect rule for each type of peripheral. Options include the following:

  • USB redirection: Redirects local USB peripherals to the cloud desktop. You must install the corresponding drivers on the cloud desktop to use the peripherals.

    Note

    You must enable the USB redirection switch to select the USB redirection method.

  • Device redirection: Redirects local USB peripherals to the cloud desktop. You do not need to install drivers on the cloud desktop, but you must install them on the local terminal.

  • Disabled: Does not redirect the peripheral. The peripheral cannot be used in the cloud desktop.

  Requirements or limits:

  • Camera: Only Windows cloud desktops that use the Adaptive Streaming Protocol (ASP) are supported. Only device redirection is supported.

  • Scanner: Only USB redirection is supported.

  • ADB: No limits.

  • Printer: For cloud desktops connected through a Windows client or macOS client, you can enable printer redirection to use printers connected to the local device.

  • Serial port device: Only Windows cloud desktops and Windows clients are supported.

Cloud Hub service: Disabled by default. After you enable this service, Cloud Hub provides a service for connecting peripherals to the cloud.

  Requirements or limits: Must be used with local management software.

Peripheral blacklists and whitelists

After you configure USB redirect rules by peripheral category, you can also use peripheral blacklist and whitelist rules to configure exceptions. The peripheral blacklist and whitelist have a higher priority than the USB redirect rules configured by peripheral category.

  • If you add a USB peripheral to the blacklist, it can be accessed even if USB redirection is disabled for its device category.

  • If you add a USB peripheral to the whitelist, it cannot be accessed even if USB redirection is enabled for its device category.

  • You can set up to 100 blacklist and whitelist rules. Rules with a higher position in the list have a higher priority. You can adjust the sort order.

  • The format for Vendor ID (VID) and Product ID (PID) is a 4-character hexadecimal string, such as a12c.

  • The settings take effect the next time you connect to the cloud desktop.

Peripheral management rules

Custom rules: You can create custom rules to manage redirect rules at the peripheral level, identified by Vendor ID (VID) and Product ID (PID).

  • You can set up to 100 custom rules.

  • The format for Vendor ID (VID) and Product ID (PID) is a 4-character hexadecimal string, such as a12c.

  • Only WUYING Terminal V6.4.0 and later are supported.

Recommended rules for best practices: Best practice rules recommended by WUYING Workspace.

  • Cannot be modified, but have a lower priority than your custom rules.

  • Only WUYING Terminal V6.4.0 and later are supported.
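The peripheral decision order described above (USB redirection switch, per-category redirect rules, device-level rules keyed on VID:PID with list position as priority, and recommended rules ranked below custom rules), as an added example that is not the product's own code. The rule classes, the "allow"/"deny" actions, and treating the device-level exceptions and custom rules as one ordered list are assumptions; the page does not state how the console combines them.

```python
# Added example, not part of the EDS documentation: a model of the peripheral
# redirection decision order. Rule classes, "allow"/"deny" actions and the
# combination of device-level exceptions with recommended rules are assumptions.
import re
from dataclasses import dataclass, field

MAX_RULES = 100                       # page: up to 100 device-level rules
_HEX4 = re.compile(r"^[0-9a-fA-F]{4}$")
CATEGORY_RULES = ("USB redirection", "Device redirection", "Disabled")


def valid_usb_id(value: str) -> bool:
    """VID and PID must be 4-character hexadecimal strings, for example 'a12c'."""
    return bool(_HEX4.match(value))


@dataclass
class DeviceRule:
    """A device-level rule keyed on VID:PID (assumed representation)."""
    vid: str
    pid: str
    action: str  # "allow" or "deny"

    def __post_init__(self):
        if not (valid_usb_id(self.vid) and valid_usb_id(self.pid)):
            raise ValueError(f"VID/PID must be 4 hex characters: {self.vid}:{self.pid}")
        if self.action not in ("allow", "deny"):
            raise ValueError(f"action must be allow or deny: {self.action}")
        self.vid, self.pid = self.vid.lower(), self.pid.lower()


@dataclass
class PeripheralPolicy:
    usb_redirection_switch: bool = False
    category_rules: dict = field(default_factory=dict)     # category -> one of CATEGORY_RULES
    device_rules: list = field(default_factory=list)       # ordered; earlier entries win
    recommended_rules: list = field(default_factory=list)  # lower priority than device_rules

    def __post_init__(self):
        if len(self.device_rules) > MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} device-level rules are allowed")
        for rule in self.category_rules.values():
            if rule not in CATEGORY_RULES:
                raise ValueError(f"unknown category rule: {rule}")


def effective_category_rule(policy: PeripheralPolicy, category: str) -> str:
    """Category rule after applying the USB redirection switch."""
    rule = policy.category_rules.get(category, "Disabled")
    # With the switch off, categories set to USB redirection fall back to Disabled.
    if rule == "USB redirection" and not policy.usb_redirection_switch:
        return "Disabled"
    return rule


def decide(policy: PeripheralPolicy, category: str, vid: str, pid: str):
    """Return (action, reason). Device-level rules override category rules, rules
    higher in a list override lower ones, and custom rules override recommended ones."""
    vid, pid = vid.lower(), pid.lower()
    for source, rules in (("custom", policy.device_rules), ("recommended", policy.recommended_rules)):
        for position, rule in enumerate(rules, start=1):
            if (rule.vid, rule.pid) == (vid, pid):
                return rule.action, f"{source} rule #{position}"
    rule = effective_category_rule(policy, category)
    return ("deny" if rule == "Disabled" else "allow"), f"category rule: {rule}"
```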

Data availability

Snapshot backup and restoration (administrators)

A snapshot is a point-in-time disk backup. Create a snapshot before high-risk operations such as modifying the registry or critical system files. If a failure occurs, restore the disk from the snapshot.

  • Manual creation: You can create a snapshot at any time based on your business needs and specify which disks to back up. If you grant local administrator permissions to end users, they can create, restore, and delete snapshots from the WUYING Terminal interface.

  • Automatic creation: By default, the system automatically creates a snapshot for the system disk and data disk of each cloud computer. This default snapshot is retained for only three days and is then automatically deleted. You can also configure an automatic snapshot policy to meet your requirements. The system automatically creates snapshots in the following scenarios:

    Important

    If you do not configure a custom snapshot policy and use only the default snapshot policy for Elastic Desktop Service Enterprise, the system-generated snapshots are deleted when the instance is released and cannot be recovered.

    • If a cloud computer is associated with an automatic snapshot policy, the system automatically creates snapshots at the times specified in the policy.

    • Before an administrator upgrades a cloud computer or a custom image, the system automatically creates a snapshot in case of an upgrade failure. If the upgrade fails, the system automatically rolls back the changes. If the upgrade succeeds, the system disk snapshot of the original cloud computer is deleted, but the data disk snapshot is retained.

    • When you change the image for a cloud computer that uses a custom image, if the custom image has been deleted, the system automatically creates a snapshot. After the image is successfully changed, the system automatically deletes this snapshot.

    • Before an end user upgrades a cloud computer from the client, the system automatically creates a snapshot in case of an upgrade failure. In this case, a maximum of three snapshots can be created for a cloud computer, and they are retained for only three days, after which they are automatically deleted.

    The schedule for automatic snapshot creation is as follows:

    • If no automatic snapshot policy is associated:

      • For cloud computers in all regions created at or after 12:00 (UTC+8) on August 19, 2024: daily between 22:00 and 06:00 the next day.

      • For cloud computers in the China (Hangzhou) region created between 17:42 (UTC+8) on June 7, 2024, and 12:00 (UTC+8) on August 19, 2024: daily at 02:00.

      • For all other cloud computers: daily at 01:00.

      • To stop automatic snapshot creation, go to the Snapshots page, click the Snapshot Management tab, and turn off the System Snapshot switch.

    • If an automatic snapshot policy is associated: Snapshots are created at the times specified in the policy.

  • Default state: system snapshots (enabled), custom snapshots (none).

  • Configuration responsibility: Customer

  • Feature cost: Free during public preview

  • Dependent products: None

  • Limitations: None

  • References: Use snapshots (Public Preview)

Configuration

Manually create a snapshot

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Resource Management > Cloud Computers.

  3. In the top navigation bar, select a region.

  4. On the Cloud Computers page, find the cloud computer for which you want to create a snapshot and choose one of the following methods:

    • In the Actions column, click More and select Create Snapshot.

    • Click the cloud computer ID to go to the details page, click the Snapshots tab, and then click Create Snapshot.

  5. In the Create Snapshot panel, configure the parameters and click Create Snapshot.

    • Disk scope: Select the disks to back up. Valid values: System Disk and Data Disk, Only System Disk, and Only Data Disk.

    • Restore point name: Enter a name for the restore point. The name must be 2 to 128 characters long and start with a letter or a Chinese character. It cannot start with http://, https://, or auto. It can contain digits, colons (:), underscores (_), periods (.), and hyphens (-).

    • System disk snapshot name: Enter a name for the system disk snapshot. The name must be 2 to 127 characters long and cannot start with auto.

    • System disk description: Enter a description for the system disk snapshot. The description can be up to 128 characters long.

    • Data disk snapshot name: Enter a name for the data disk snapshot. The name must be 2 to 127 characters long and cannot start with auto.

    • Data disk description: Enter a description for the data disk snapshot. The description can be up to 128 characters long.

    On the Snapshot List tab, you can monitor the creation progress. When the status changes from In Progress to Succeeded, the snapshot is created successfully.

Automatic snapshot policy

After creating an automatic snapshot policy, associate it with the desired cloud computers. The system will then automatically create snapshots according to your configured schedule.

  1. In the left-side navigation pane, choose O&M Management > Snapshots.

  2. In the top navigation bar, select a region.

  3. On the Snapshots page, click the Automatic Snapshot Policy tab and then click Create Policy.

  4. In the Create Policy panel, set the following parameters and click OK.

    • Automatic snapshot policy name: Enter a name for the policy.

    • Disk scope: Select one of the following:

      • System and Data Disks.

      • System Disk Only.

      • Data Disk Only.

    • Repeat date: Select the days of the week on which to execute the policy.

    • Snapshot creation time: Enter or select the time of day (UTC+8) to automatically create snapshots.

    • Retention period: Enter the retention period for automatic snapshots. The value can be from 1 to 180 days. When the number of automatic snapshots for a cloud computer reaches the quota of 30, the oldest snapshot is automatically deleted to make room for a new one.

  5. In the left-side navigation pane, choose Resource Management > Cloud Computers.

  6. In the top navigation bar, select a region.

  7. On the Cloud Computers page, find the cloud computer with which you want to associate the automatic snapshot policy. In the Actions column, click More and select Change Automatic Snapshot Policy.

  8. In the Change Automatic Snapshot Policy panel, turn on the Automatic Snapshot Policy switch, select the policy that you created, and click Change.

  9. In the confirmation dialog box, click OK.

    After you associate an automatic snapshot policy with a cloud computer, you can click the cloud computer ID and view the associated automatic snapshot policy on the Cloud Computer Details tab.

Restore data

If a system failure occurs or data is lost due to an operational error, you can use a snapshot to restore a disk to the state it was in when the snapshot was created.

Warning

Restoring a disk from a snapshot is an irreversible operation. After you restore a disk from a snapshot, the disk is rolled back to the state at the point in time when the snapshot was created. Data added after the snapshot was created will be permanently lost. Back up any important data before proceeding. You can create another snapshot as a backup or manually back up data to a different disk for later use.

  1. In the left-side navigation pane, choose Resource Management > Cloud Computers.

  2. In the top navigation bar, select a region.

  3. On the Cloud Computers page, find the cloud computer whose data you want to restore and click its ID.

  4. On the Snapshots tab, find the snapshot you want to use to restore data, and click Restore Cloud Computer in the corresponding Actions column.

    If the cloud computer is not stopped, you will be prompted to shut it down. Click Confirm and wait for the cloud computer to stop before you proceed.

  5. In the Restore Cloud Computer panel, confirm the snapshot information and then click Restore Cloud Computer.

    Important

    You can restore only one disk at a time. Do not perform other operations on the disk during the restoration process. A restore operation reverts the entire disk to its state at the point in time the snapshot was created, not a specific partition or directory.

    After the disk data is restored, you will receive a notification in the UI. You can then verify the data restoration.

Restore point backup and restoration (end users)

End users can create restore points to back up cloud computer data before high-risk operations such as modifying critical system files. If a failure or error occurs, users can restore the cloud computer from a restore point.

  • Default state: system restore points (enabled), custom restore points (none).

  • Configuration responsibility: Customer

  • Feature cost: Free

  • Dependent products: None

  • Limitations: None

  • References: Back up and restore cloud computer data

Configuration

Create custom restore point

  1. Log on to the Alibaba Cloud Workspace terminal.

  2. On the cloud computer card, click Manage and then select the Restore Points tab.

  3. Click the Custom Restore Points tab, and then click Create Restore Point.

  4. In the dialog box that appears, select the disks you want to back up, enter a name for the restore point, and click OK.

    You can view the creation progress and status of the restore point on the Custom Restore Points tab.

Restore data

  1. Log on to the Alibaba Cloud Workspace terminal.

  2. On the cloud computer card, click Manage and then select the Restore Points tab.

  3. On the System Restore Points or Custom Restore Points tab, find the target restore point and click Restore.

    Warning

    Restoring data is an irreversible operation. After you restore from a restore point, the disks revert to their state at the time the restore point was created. Any data added after the restore point was created is permanently lost. Before you proceed, back up all critical data.

  4. In the dialog box that appears, click Confirm Restore.

Data confidentiality

Communication security

Elastic Desktop Service Enterprise cloud computers use Alibaba Cloud's proprietary Adaptive Streaming Protocol (ASP) by default. ASP supports TLS encryption via Tongsuo, encrypting all data between cloud computers and client terminals, including image, audio, video streams, clipboard data, and input events. Tongsuo (formerly BabaSSL) is an open-source cryptographic library by Alibaba that provides modern algorithms and secure communication protocols, protecting data privacy, integrity, and authenticity during transmission, use, and storage. Tongsuo holds a commercial cryptographic product certification from the Commercial Cryptography Testing Center of the State Cryptography Administration of China, supporting compliance with commercial cryptographic requirements including state-secret transformation and classified protection assessments.

Tongsuo provides:

  • Technical compliance: Compliant with GM/T 0028 Level 1 Security for Software Cryptographic Modules.

  • Zero-Knowledge Proofs (ZKP): Bulletproofs

  • Cryptographic algorithms

    • Chinese commercial cryptographic algorithms: SM2, SM3, SM4, ZUC, and more.

    • Mainstream international algorithms: ECDSA, RSA, AES, SHA, and more.

    • Homomorphic encryption algorithms: EC-ElGamal, Paillier, and more.

  • Secure communication protocols

    • Supports GB/T 38636-2020 TLCP, the dual-certificate national cryptographic communication protocol.

    • Supports RFC 8998 (TLS 1.3 with a single national cryptographic certificate).

    • Supports the QUIC API.

    • Supports Delegated Credentials (draft-ietf-tls-subcerts-10).

    • Supports TLS certificate compression.

  • Default state: On (cannot be disabled)

  • Configuration responsibility: Alibaba Cloud

  • Feature cost: Free

  • Dependent products: None

  • Limitations: None

  • References: Adaptive Streaming Protocol (ASP)