Encrypt disk volumes

更新时间:
复制 MD 格式

Use disk encryption to automatically encrypt data written to disks and decrypt it on read. With KMS-managed keys, you can encrypt cluster disk volumes without building your own key management infrastructure. This topic explains how to configure a StorageClass with KMS to encrypt disk volumes at rest.

Covers workload data volume encryption via a StorageClass. Does not cover node root volume encryption.

How encryption works

Alibaba Cloud disks use AES-256 encryption managed by KMS. KMS implements a two-tier key hierarchy — customer master keys (CMKs) and data keys (DKs) — using envelope encryption:

  1. Encrypt a data key. KMS encrypts the DK with the CMK. The encrypted DK is stored alongside the encrypted data and cannot be decrypted without the CMK.

  2. Store and read encrypted data. When encrypted data is read, KMS decrypts the DK after verifying the request. The plaintext DK exists only in memory during disk I/O and is never written to storage.

The plaintext CMK never leaves the hardware security module managed by KMS. The plaintext DK exists only in hypervisor memory and is never stored on disk.

See Encryption process.

Data types that can be encrypted

The following data is encrypted when you create an encrypted disk and attach it to an Elastic Compute Service (ECS) instance, and decrypted on read.

  • Static data stored on the encrypted disk.

  • Data in transit between the disk and the ECS instance, excluding data in the instance operating system.

  • Data in transit from the ECS instance to backend storage.

  • All snapshots created from the encrypted disk, with the same encryption key.

  • All disks created from the encrypted snapshots.

Supported disk types

The following disk types support encryption:

Disk type Encryption supported
Enterprise SSDs (ESSDs) Yes
ESSD AutoPL disks Yes
ESSD Entry disks Yes
Standard SSDs Yes
Ultra disks Yes
Basic disks Yes
Local disks No

Limitations

  • Encryption can only be set during disk creation and cannot be changed afterward. Mounting and unmounting do not affect encryption.

  • Converting an unencrypted disk to encrypted, or an encrypted disk to unencrypted, is not supported.

Authorize ECS to access KMS

Grant Elastic Compute Service (ECS) access to KMS by setting up the AliyunECSDiskEncryptDefaultRole RAM role.

  1. Create the RAM role (see Create a RAM role for a trusted Alibaba Cloud service) with the following values:

    If the AliyunECSDiskEncryptDefaultRole role already exists, skip this step.
    Field Value
    Principal Type Cloud Service
    Principal Name Elastic Compute Service
    Role Name AliyunECSDiskEncryptDefaultRole
  2. Grant permissions to the AliyunECSDiskEncryptDefaultRole role (see Grant permissions to a RAM role) with the following values:

    Important

    AliyunKMSFullAccess grants full KMS permissions. For least-privilege access, use a custom policy with the following permissions:

    Field Value
    Resource Scope Account
    Policy AliyunKMSFullAccess (full KMS access) or AliyunECSDiskEncryptCustomizedPolicy (minimum required permissions)
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:DescribeKey",
                    "kms:GenerateDataKey",
                    "kms:Decrypt",
                    "kms:TagResource"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Click Grant permissions.

Procedure

Encryption is configured at the StorageClass level. Any persistent volume claim (PVC) that uses an encryption-enabled StorageClass is backed by an encrypted disk.

Prerequisites

Make sure that you have:

Step 1: Create an encrypted StorageClass

  1. Create a file named sc-kms.yaml with the following content, adjusting parameters as needed:

    Parameter Description
    encrypted Set to "true" to encrypt disks created by this StorageClass.
    kmsKeyId The KMS key for disk encryption. If unset, the default CMK applies. Ignored if encrypted is "false".
    type The disk type.
    fsType The file system type.
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: csi-disk-encrypted
    provisioner: diskplugin.csi.alibabacloud.com
    parameters:
        fsType: ext4
        type: cloud_essd
        encrypted: "true"
        kmsKeyId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    reclaimPolicy: Delete

    The table above describes the encryption-related parameters in the parameters section.

  2. Create the StorageClass:

    kubectl create -f sc-kms.yaml

Step 2: Create a PVC

  1. Create a file named sc-pvc.yaml with the following content:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: disk-pvc
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 20Gi
      storageClassName: csi-disk-encrypted
  2. Create the PVC:

    kubectl create -f sc-pvc.yaml
  3. Verify that the PVC is bound:

    kubectl get pvc

    The PVC status should be Bound. The VOLUME column shows the provisioned disk ID:

    NAME       STATUS    VOLUME                   CAPACITY   ACCESS MODES   STORAGECLASS         VOLUMEATTRIBUTESCLASS   AGE
    disk-pvc   Bound     d-2ze0nmbv2var0d9h****   20Gi       RWO            csi-disk-encrypted   <unset>                 6m20s

Step 3: Verify disk encryption

  1. Log on to the ECS console.

  2. Choose Storage & Snapshots > Block Storage.

  3. Log in to the ECS console.

  4. On the Cloud Disk tab, find the disk and click its ID.

  5. On the Basic Information tab, confirm that Encrypted appears in the Encrypted/Unencrypted field.

Next steps

See Encrypt cloud disks.