Encrypt custom images

更新时间:
复制 MD 格式

Custom images are based on snapshots, allowing you to use their encryption features. This topic describes how to use custom image encryption to change the encryption status of disks and snapshots, or to rotate encryption keys.

You can encrypt custom images in two main scenarios:

  • Create an instance: When you create an ECS instance, you can use an encrypted image to create encrypted disks. You can also use an unencrypted image and enable encryption during instance creation.

  • Copy an image: When you copy an image, you can encrypt an unencrypted one or re-encrypt an existing one with a new key.

Note

An encrypted image is a custom image associated with one or more encrypted snapshots.

Encryption is an irreversible process. You can encrypt an unencrypted resource or re-encrypt an encrypted resource, but you cannot decrypt an encrypted resource. For more information about how encryption works and about encryption keys, see Encryption overview.

Create instances with encrypted disks

When you create an instance, you can use an encrypted image to create encrypted disks. You can also create encrypted disks by enabling encryption when you use an unencrypted image that contains snapshots for a system disk, data disks, or both.

image
  • Create encrypted disks from an unencrypted image (unencrypted to encrypted)

    When you create an ECS instance from an unencrypted image, you can create encrypted disks by enabling encryption for each disk. To do this, set the Encrypted parameter to true and specify an encryption key with the KMSKeyId parameter. If you enable encryption but do not specify an encryption key, the disk is encrypted with a service key.

  • Create encrypted disks from an encrypted image (encrypted to encrypted)

    When you create an ECS instance from an encrypted image, disks that correspond to encrypted snapshots in the image are encrypted by default. This setting cannot be disabled. In API calls, you must set the Encrypted parameter to true. You can also specify a different encryption key for these disks with the KMSKeyId parameter.

    • When you use an encrypted custom image, you can specify an encryption key for the disks that correspond to the encrypted snapshots with the KMSKeyId parameter. If you have enabled account-level default encryption for Elastic Block Storage and configured a default key, the default key takes precedence. If no default key is configured, a service key is used.

    • When you use a shared encrypted image, you (the recipient) can specify an encryption key for the disks that correspond to the encrypted snapshots with the KMSKeyId parameter. If you have enabled account-level default encryption for Elastic Block Storage and configured a default key, the default key takes precedence. If no default key is configured, a service key is used.

Console

On the instance buy page, enable encryption for the disk and select an encryption key.

For Encryption Key, select Default Service CMK.

API

Call the RunInstances or CreateInstance operation to create an instance with encrypted disks.

When you create an ECS instance from a shared encrypted image, you must set the Encrypted parameter to true. Otherwise, the API call fails.

Encrypt an image by copying

When you copy an image, you can choose to encrypt the copy. This lets you encrypt an unencrypted image or re-encrypt an existing encrypted image. The encryption applies to all snapshots associated with the image.

  • Copy an unencrypted image to an encrypted image (unencrypted to encrypted)

    image

    When you copy an unencrypted image, which is an image with no encrypted snapshots, you can choose to encrypt the copy by setting the Encrypted parameter to true. You can also specify an encryption key for all snapshots in the image with the KMSKeyId parameter. If you do not specify an encryption key, all associated snapshots are encrypted with a service key.

  • Copy an encrypted image to another encrypted image (encrypted to encrypted)

    image

    When you copy an encrypted image, which is an image that contains encrypted snapshots, the copy must also be encrypted by setting the Encrypted parameter to true. You can also specify a new encryption key for all snapshots in the image with the KMSKeyId parameter to re-encrypt them. If you do not specify an encryption key, any unencrypted snapshots are encrypted with a service key, and encrypted snapshots retain their original encryption keys.

Console

On the Images page in the ECS console, set the copy type to Encrypted Copy, and specify a Destination Region and an Encryption Key. For more information, see Copy and encrypt a custom image.

API

Call the CopyImage operation to copy and encrypt an image.

Related topics

  • You can share encrypted images with other Alibaba Cloud accounts. The recipient can use the shared image to create ECS instances in the same region. For more information, see Share a custom image.

  • A custom image created from an encrypted snapshot is encrypted by default and inherits the encryption key from the source snapshot. For more information, see Create a custom image from a snapshot.