Encrypt ECS data


Encrypt system disks, data disks, snapshots, and images to protect data at rest on ECS.

Prerequisites

A Key Management Service (KMS) instance is created and enabled. For more information, see Purchase and enable a KMS instance.

Background

ECS cloud disk encryption uses a service key by default, or a customer master key (CMK) you specify. It applies envelope encryption: a data key (DK) encrypts your data and a CMK encrypts the data key. See Encrypted disks.
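The envelope scheme above is what makes key disabling and deletion so consequential: the disk contents are sealed under a data key, and that data key exists on storage only in wrapped form under the CMK, so reading the disk always goes through a KMS unwrap first. The following Go program is an added illustration, not code from the page or from Alibaba Cloud; the in-process `KMS` type with `CreateKey`, `Disable`, `Enable` and `Delete` is an assumed toy stand-in for the real service (a real KMS never releases CMK material), and the disk contents are a constructed sample. It encrypts a "disk", then shows that a disabled CMK blocks decryption reversibly and a deleted CMK blocks it permanently.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedDisk is what actually sits on storage: the disk contents sealed
// under a per-disk data key (DK), plus that DK sealed under the CMK.
type EncryptedDisk struct {
	KeyID      string // ID of the CMK that wraps the DK
	WrappedDK  []byte // DK encrypted under the CMK
	Ciphertext []byte // disk data encrypted under the DK
}

// KMS is an assumed toy stand-in for the key service. A real KMS never hands
// out CMK material; it only wraps and unwraps data keys on request.
type KMS struct {
	material map[string][]byte
	enabled  map[string]bool
}

func NewKMS() *KMS {
	return &KMS{material: map[string][]byte{}, enabled: map[string]bool{}}
}

// CreateKey generates a 256-bit CMK (the AES-256 key type the page refers to).
func (k *KMS) CreateKey(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.material[id] = key
	k.enabled[id] = true
	return nil
}

func (k *KMS) Disable(id string) { k.enabled[id] = false }
func (k *KMS) Enable(id string)  { k.enabled[id] = true }

// Delete destroys the CMK; nothing wrapped under it can be unwrapped afterwards.
func (k *KMS) Delete(id string) { delete(k.material, id); delete(k.enabled, id) }

func (k *KMS) usable(id string) ([]byte, error) {
	cmk, ok := k.material[id]
	if !ok {
		return nil, errors.New("key " + id + " does not exist (deleted)")
	}
	if !k.enabled[id] {
		return nil, errors.New("key " + id + " is disabled")
	}
	return cmk, nil
}

func (k *KMS) WrapDataKey(id string, dk []byte) ([]byte, error) {
	cmk, err := k.usable(id)
	if err != nil {
		return nil, err
	}
	return seal(cmk, dk)
}

func (k *KMS) UnwrapDataKey(id string, wrapped []byte) ([]byte, error) {
	cmk, err := k.usable(id)
	if err != nil {
		return nil, err
	}
	return open(cmk, wrapped)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal/open are AES-256-GCM with a random nonce prepended to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptDisk generates a fresh DK, seals the data with it, and keeps the DK
// only in wrapped form; the plaintext DK is discarded when this returns.
func EncryptDisk(k *KMS, keyID string, data []byte) (*EncryptedDisk, error) {
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return nil, err
	}
	wrapped, err := k.WrapDataKey(keyID, dk)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dk, data)
	if err != nil {
		return nil, err
	}
	return &EncryptedDisk{KeyID: keyID, WrappedDK: wrapped, Ciphertext: ct}, nil
}

// DecryptDisk must unwrap the DK through KMS first; with the CMK disabled or
// deleted that step fails and the disk data cannot be read.
func DecryptDisk(k *KMS, d *EncryptedDisk) ([]byte, error) {
	dk, err := k.UnwrapDataKey(d.KeyID, d.WrappedDK)
	if err != nil {
		return nil, err
	}
	return open(dk, d.Ciphertext)
}

func main() {
	kms := NewKMS()
	_ = kms.CreateKey("byok-1")
	// Constructed sample disk contents.
	disk, _ := EncryptDisk(kms, "byok-1", []byte("constructed sample disk contents"))
	if pt, err := DecryptDisk(kms, disk); err == nil {
		fmt.Printf("readable: %s\n", pt)
	}
	kms.Disable("byok-1")
	if _, err := DecryptDisk(kms, disk); err != nil {
		fmt.Println("after Disable:", err)
	}
	kms.Delete("byok-1")
	if _, err := DecryptDisk(kms, disk); err != nil {
		fmt.Println("after Delete:", err)
	}
}
```

Note that the wrapped data key and the ciphertext are intact throughout; only the ability to unwrap the DK is lost, which is exactly why a deleted CMK cannot be compensated for by any copy of the disk, snapshot or image.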

Usage notes

Key usage considerations:

Service key: Unique per user per region. Cannot be deleted or disabled.

Bring Your Own Key (BYOK):

  • The first time you use a CMK to encrypt a cloud disk, click Go to Authorize and grant the AliyunECSDiskEncryptDefaultRole role to ECS so it can access your KMS resources.

  • When you create a key in KMS, select the Aliyun_AES_256 or Aliyun_SM4 key type. ECS does not support other key types for encrypted cloud disks.

  • Before you delete or disable a BYOK key, detach or replace all cloud disks that use it, so that instances do not lose data or fail to start. To find the disks associated with a key, call the DescribeDisks API operation and check which disks report that key.

    A deleted BYOK key cannot be recovered, and data keys encrypted with it cannot be decrypted. Disable a key and verify it is not associated with any cloud resources before you delete it.

    Warning

    If a key is disabled or deleted, data on the associated encrypted cloud disks, encrypted images, and encrypted snapshots cannot be recovered.

    Disclaimer: You are responsible for any data loss that results from disabling or deleting a key, which makes data on associated cloud resources unrecoverable.
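The pre-deletion check described in the BYOK notes, as an added Go example that is not code from the page or from Alibaba Cloud. It pages through a DescribeDisks-style inventory, collects every encrypted disk whose key ID matches the key you intend to retire, and prints the disks that must be detached or replaced first. The `Disk` and `Page` types are an assumed subset of the real response (the field names `DiskId`, `InstanceId`, `Status`, `Encrypted` and `KMSKeyId`, and paging via `NextToken`, are assumptions about the API), and `sampleDescribe` is a constructed two-page inventory so the program runs offline; in production you would replace it with a function that issues the real DescribeDisks call for your region.

```go
package main

import (
	"fmt"
	"sort"
)

// Disk holds the DescribeDisks response fields this check needs. Field names
// follow the API's JSON keys (assumption: KMSKeyId is reported per disk).
type Disk struct {
	DiskId     string
	InstanceId string // empty when the disk is not attached
	Status     string // e.g. "In_use" or "Available"
	Encrypted  bool
	KMSKeyId   string
}

// Page is one page of DescribeDisks output; an empty NextToken ends paging.
type Page struct {
	Disks     []Disk
	NextToken string
}

// DescribeDisks fetches one page. In production this wraps the SDK call (with
// RegionId and page size set); here it is injected so the check runs offline.
type DescribeDisks func(nextToken string) (Page, error)

// DisksUsingKey walks every page and returns the encrypted disks wrapped
// under keyID, sorted by disk ID for stable output.
func DisksUsingKey(describe DescribeDisks, keyID string) ([]Disk, error) {
	var found []Disk
	token := ""
	for {
		page, err := describe(token)
		if err != nil {
			return nil, err // never treat an API failure as "no disks"
		}
		for _, d := range page.Disks {
			if d.Encrypted && d.KMSKeyId == keyID {
				found = append(found, d)
			}
		}
		if page.NextToken == "" {
			break
		}
		token = page.NextToken
	}
	sort.Slice(found, func(i, j int) bool { return found[i].DiskId < found[j].DiskId })
	return found, nil
}

// Blockers describes each disk that must be detached or replaced before the
// key may be disabled or deleted; an empty result means the key is unused.
func Blockers(disks []Disk) []string {
	var out []string
	for _, d := range disks {
		msg := fmt.Sprintf("%s (status %s", d.DiskId, d.Status)
		if d.InstanceId != "" {
			msg += ", attached to " + d.InstanceId
		}
		out = append(out, msg+")")
	}
	return out
}

// sampleDescribe is a constructed two-page inventory standing in for the API.
func sampleDescribe(nextToken string) (Page, error) {
	pages := map[string]Page{
		"": {Disks: []Disk{
			{DiskId: "d-1", InstanceId: "i-1", Status: "In_use", Encrypted: true, KMSKeyId: "key-A"},
			{DiskId: "d-2", Status: "Available", Encrypted: false},
		}, NextToken: "p2"},
		"p2": {Disks: []Disk{
			{DiskId: "d-3", Status: "Available", Encrypted: true, KMSKeyId: "key-A"},
			{DiskId: "d-4", InstanceId: "i-2", Status: "In_use", Encrypted: true, KMSKeyId: "key-B"},
		}},
	}
	page, ok := pages[nextToken]
	if !ok {
		return Page{}, fmt.Errorf("unknown NextToken %q", nextToken)
	}
	return page, nil
}

func main() {
	for _, key := range []string{"key-A", "key-C"} {
		disks, err := DisksUsingKey(sampleDescribe, key)
		if err != nil {
			fmt.Println("inventory failed, do not proceed:", err)
			continue
		}
		if b := Blockers(disks); len(b) == 0 {
			fmt.Printf("%s: no associated disks, safe to disable\n", key)
		} else {
			fmt.Printf("%s: do NOT disable or delete; %d disk(s) still use it:\n", key, len(b))
			for _, line := range b {
				fmt.Println("   ", line)
			}
		}
	}
}
```

Run the check in every region where the key exists, since the inventory is per region, and treat an API error as a reason to stop rather than as an empty result. Disable the key first and wait for the disks to keep working before you schedule deletion; the disable step is reversible, deletion is not.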

Encrypt a system disk

A system disk holds the operating system and shares the lifecycle of its ECS instance. You can encrypt a system disk only when you create an instance.

Limitations

Instance family: The following instance families do not support encryption: ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, and ecs.ebmhfg5. See Instance families.

Cloud disk type: Only ESSD series cloud disks support encryption: ESSD PL0/PL1/PL2/PL3, ESSD Entry, ESSD AutoPL, and zone-redundant ESSD.

Procedure

See Create an encrypted cloud disk.

Encrypt a data disk

You can encrypt a data disk when you create an instance or a standalone cloud disk.

Limitations

These limitations apply when you select Create from Snapshot and enable the Encrypt option.

Instance family: The following instance families do not support encryption: ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, and ecs.ebmhfg5. See Instance families.

Cloud disk type: Only ESSD series cloud disks support encryption: ESSD PL0/PL1/PL2/PL3, ESSD Entry, ESSD AutoPL, and zone-redundant ESSD.

Procedure

See Create an encrypted cloud disk.

Encrypt a snapshot

Snapshots created from encrypted cloud disks are encrypted automatically, with the same key as the source disk; you do not choose encryption settings when you create the snapshot.

Procedure

See Create a snapshot.

Copy an encrypted image

Copy a custom image to another region, or copy it within a region to change its encryption status (for example, to produce an encrypted copy of an unencrypted image, or a copy encrypted with a different key). Use the encrypted copy to create ECS instances with the same environment.

Limitations

Region restriction: An Alibaba Cloud account can copy an image to up to five destination regions.

Image type: The source image can be encrypted or unencrypted.

Procedure

See Copy a custom image.

Share an encrypted image

Share encrypted custom images with other Alibaba Cloud accounts so they can create instances with the same environment.

Limitations

An image encrypted with the service key cannot be shared directly, because the service key is bound to your account and region. To share such an image, first copy it and encrypt the copy with a CMK, then share the copy.

See Share a custom image.