After you enable the disk encryption feature, the system automatically encrypts data transmitted to a disk and decrypts the data when it is read. Disk encryption is suitable for scenarios that require high security or have compliance requirements. You can protect the privacy and autonomy of your data without the need to create and maintain a key management infrastructure. This topic describes how to use the keys that are hosted in Key Management Service (KMS) to encrypt data stored in disk volumes.
Prerequisites
An ACK cluster is created. For more information, see Create an ACK managed cluster.
Key Management Service (KMS) is activated. For more information, see Purchase a dedicated KMS instance.
A kubectl client is connected to the ACK cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
If you want to use keys created by using the Bring Your Own Key (BYOK) feature, you must first authorize your ECS instance to access KMS. For more information, see (Optional) Step 1: Authorize your ECS instance to access KMS.
Overview
ECS uses the industry-standard AES-256 algorithm to encrypt disks with keys. Encryption keys can be the service keys provided by KMS or your own keys created by using the BYOK feature. Encryption and decryption have minimal impacts on ECS instance performance. The following types of data are encrypted when you create an encrypted disk and attach it to an ECS instance. The data is decrypted when it is read. For more information, see Encrypt a data disk.
Static data stored on the encrypted disk.
Data transmitted between the encrypted disk and the instance, excluding data in the operating system.
Data transmitted from the ECS instance to a backend storage cluster.
All snapshots created from the encrypted disk. These snapshots have the same encryption key as the disk.
All disks created from the encrypted snapshots.
Limits
You can encrypt the following categories of disks: enhanced SSDs, standard SSDs, ultra disks, and basic disks.
You cannot encrypt data in local disks.
You cannot directly convert unencrypted disks into encrypted disks.
You cannot directly convert encrypted disks into unencrypted disks.
(Optional) Step 1: Authorize your ECS instance to access KMS
If you want to use keys that are created by using the BYOK feature, you must first authorize your ECS instance to access KMS. To do this, create a Resource Access Management (RAM) role and grant the required permissions to the role. To grant the required permission to a RAM user, perform the following operations:
Create a RAM role for accessing KMS. If the
AliyunECSDiskEncryptDefaultRole
role already exists, authorize permissions to it.Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account or a RAM administrator account.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
On the Create Role page, select Alibaba Cloud Service in the Select Trusted Entity section and click Next.
Select Normal Service Role for the Role Type parameter.
Enter AliyunECSDiskEncryptDefaultRole in the RAM Role Name field and select Elastic Compute Service as the trusted service.
Click OK and then click Close.
Grant permissions to the RAM role created in the previous step.
In the left-side navigation pane, choose
. Then, click Grant Permission.In the Grant Permission panel, select Account as the Resource Scope. Enter AliyunECSDiskEncryptDefaultRole in the Principal field and select the role.
Select the system policy AliyunKMSFullAccess or create a custom policy named AliyunECSDiskEncryptCustomizedPolicy based on your business requirements.
ImportantThe
AliyunKMSFullAccess
policy grants full permissions. If you require finer-grained access control, perform the following steps to create a custom policy named AliyunECSDiskEncryptCustomizedPolicy.
In the Create Policy dialog, enter the policy name and click OK.
Step 2: Configure disk volume encryption
You can enable disk encryption only when you create a disk. When you mount or unmount a disk, no encryption-related operations are involved.
Create a StorageClass.
Create a file named sc-kms.yaml and copy the following code to the file:
apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: csi-disk-encrypted provisioner: diskplugin.csi.alibabacloud.com parameters: fsType: ext4 type: cloud_ssd encrypted: "true" kmsKeyId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx reclaimPolicy: Delete
Noteencrypted
: specifies whether to create an encrypted disk. A value oftrue
specifies that the StorageClass is used to create an encrypted disk.kmsKeyId
: specifies the KMS key that is used to encrypt the disk. If you do not set this parameter, the default customer master key (CMK) is used. If theencrypted
parameter is set tofalse
, this parameter does not take effect.
Run the following command to create a StorageClass:
kubectl create -f sc-kms.yaml
Run the following command to query the StorageClass:
kubectl get sc csi-disk-encrypted
Expected output:
NAME PROVISIONER AGE csi-disk-encrypted diskplugin.csi.alibabacloud.com 9m5s
Create a persistent volume claim (PVC).
Create a file named sc-pvc.yaml and add the following content to the file:
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: disk-pvc spec: accessModes: - ReadWriteOnce resources: requests: storage: 20Gi storageClassName: csi-disk-encrypted
Run the following command to create a PVC:
kubectl create -f sc-pvc.yaml
Run the following command to query the PVC:
kubectl get pvc
Expected output:
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE disk-pvc Bound d-wz92s6d95go6ki9x**** 25Gi RWO csi-disk-encrypted 10m
Run the following command to query the persistent volume (PV) that is bound to the PVC:
kubectl get pv
Expected output:
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE d-wz92s6d95go6ki9x**** 25Gi RWO Retain Bound default/disk-pvc csi-disk-encrypted 10m
The preceding output shows that a disk is created and the disk ID is d-wz92s6d95go6ki9x****.
Check whether the disk is encrypted.
Log on to the ECS console.
In the left-side navigation pane, choose .
On the Disks page, verify that the d-wz92s6d95go6ki9x**** disk is in the Encrypted state.