Use disk encryption to automatically encrypt data written to disks and decrypt it on read. With KMS-managed keys, you can encrypt cluster disk volumes without building your own key management infrastructure. This topic explains how to configure a StorageClass with KMS to encrypt disk volumes at rest.
Covers workload data volume encryption via a StorageClass. Does not cover node root volume encryption.
How encryption works
Alibaba Cloud disks use AES-256 encryption managed by KMS. KMS implements a two-tier key hierarchy — customer master keys (CMKs) and data keys (DKs) — using envelope encryption:
-
Encrypt a data key. KMS encrypts the DK with the CMK. The encrypted DK is stored alongside the encrypted data and cannot be decrypted without the CMK.
-
Store and read encrypted data. When encrypted data is read, KMS decrypts the DK after verifying the request. The plaintext DK exists only in memory during disk I/O and is never written to storage.
The plaintext CMK never leaves the hardware security module managed by KMS. The plaintext DK exists only in hypervisor memory and is never stored on disk.
See Encryption process.
Data types that can be encrypted
Supported disk types
The following disk types support encryption:
| Disk type | Encryption supported |
|---|---|
| Enterprise SSDs (ESSDs) | Yes |
| ESSD AutoPL disks | Yes |
| ESSD Entry disks | Yes |
| Standard SSDs | Yes |
| Ultra disks | Yes |
| Basic disks | Yes |
| Local disks | No |
Limitations
-
Encryption can only be set during disk creation and cannot be changed afterward. Mounting and unmounting do not affect encryption.
-
Converting an unencrypted disk to encrypted, or an encrypted disk to unencrypted, is not supported.
Authorize ECS to access KMS
Grant Elastic Compute Service (ECS) access to KMS by setting up the AliyunECSDiskEncryptDefaultRole RAM role.
-
Create the RAM role (see Create a RAM role for a trusted Alibaba Cloud service) with the following values:
If the
AliyunECSDiskEncryptDefaultRolerole already exists, skip this step.Field Value Principal Type Cloud Service Principal Name Elastic Compute Service Role Name AliyunECSDiskEncryptDefaultRole -
Grant permissions to the
AliyunECSDiskEncryptDefaultRolerole (see Grant permissions to a RAM role) with the following values:ImportantAliyunKMSFullAccessgrants full KMS permissions. For least-privilege access, use a custom policy with the following permissions:Field Value Resource Scope Account Policy AliyunKMSFullAccess(full KMS access) orAliyunECSDiskEncryptCustomizedPolicy(minimum required permissions){ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt", "kms:TagResource" ], "Resource": "*" } ] } -
Click Grant permissions.
Procedure
Encryption is configured at the StorageClass level. Any persistent volume claim (PVC) that uses an encryption-enabled StorageClass is backed by an encrypted disk.
Prerequisites
Make sure that you have:
-
The Container Storage Interface (CSI) add-on (csi-plugin and csi-provisioner) is installed. Verify under Operations > Add-ons > Storage. See Update csi-plugin and csi-provisioner.
If your cluster uses FlexVolume, migrate to CSI before proceeding. FlexVolume is no longer supported. See Upgrade from FlexVolume to CSI.
-
The
AliyunECSDiskEncryptDefaultRoleRAM role configured with KMS permissions (see Authorize ECS to access KMS)
Step 1: Create an encrypted StorageClass
-
Create a file named
sc-kms.yamlwith the following content, adjusting parameters as needed:Parameter Description encryptedSet to "true"to encrypt disks created by this StorageClass.kmsKeyIdThe KMS key for disk encryption. If unset, the default CMK applies. Ignored if encryptedis"false".typeThe disk type. fsTypeThe file system type. apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: csi-disk-encrypted provisioner: diskplugin.csi.alibabacloud.com parameters: fsType: ext4 type: cloud_essd encrypted: "true" kmsKeyId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx reclaimPolicy: DeleteThe table above describes the encryption-related parameters in the
parameterssection. -
Create the StorageClass:
kubectl create -f sc-kms.yaml
Step 2: Create a PVC
-
Create a file named
sc-pvc.yamlwith the following content:apiVersion: v1 kind: PersistentVolumeClaim metadata: name: disk-pvc spec: accessModes: - ReadWriteOnce resources: requests: storage: 20Gi storageClassName: csi-disk-encrypted -
Create the PVC:
kubectl create -f sc-pvc.yaml -
Verify that the PVC is bound:
kubectl get pvcThe PVC status should be
Bound. TheVOLUMEcolumn shows the provisioned disk ID:NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE disk-pvc Bound d-2ze0nmbv2var0d9h**** 20Gi RWO csi-disk-encrypted <unset> 6m20s
Step 3: Verify disk encryption
-
Log on to the ECS console.
-
Choose Storage & Snapshots > Block Storage.
Log in to the ECS console.
-
On the Cloud Disk tab, find the disk and click its ID.
-
On the Basic Information tab, confirm that Encrypted appears in the Encrypted/Unencrypted field.
Next steps
See Encrypt cloud disks.