
Elastic Container Instance:Encrypt temporary storage space

Last Updated:Nov 13, 2023

Elastic Container Instance allows you to encrypt the temporary storage space of an elastic container instance to protect sensitive image or business data or to comply with regulations. This way, your data stays secure and intact against unauthorized access or leakage. This topic describes how to encrypt the temporary storage space of an elastic container instance.

Feature description

By default, each elastic container instance provides 30 GiB of temporary storage space to store container images that are used to launch instances and business data that is generated during instance running. You can increase the size of the storage space based on your business requirements. Elastic Container Instance allows you to encrypt the temporary storage space to protect sensitive image or business data or to comply with regulations. This way, your data stays secure and intact against unauthorized access or leakage.

If you enable the encryption feature when you create an elastic container instance, Elastic Container Instance automatically encrypts data in the temporary storage space and decrypts data when you read the data. The encryption feature uses the industry-standard AES-256 algorithm and the service keys (default keys) that are provided by Alibaba Cloud Key Management Service (KMS) to encrypt data.

Prerequisites

KMS is activated. For more information, see Purchase a dedicated KMS instance.

Note

After you activate KMS, the system automatically creates and manages service keys. You can use the service keys free of charge.

Usage notes

The encryption method that is described in this topic does not apply to elastic container instances that are created by using manually created image caches.

Configuration description

You can add the following annotation to the metadata of an elastic container instance to encrypt the temporary storage space.

Annotation: k8s.aliyun.com/eci-ephemeral-storage-options

Example: "{\"encrypted\":\"true\"}"

Description: Setting the annotation to "{\"encrypted\":\"true\"}" enables the encryption feature for the temporary storage space.

Important
  • Annotations must be added to the metadata in the configuration file of the pod. For example, when you create a Deployment, you must add annotations in the spec.template.metadata section.

  • Annotations that enable Elastic Container Instance features take effect only when they are added at the time the Elastic Container Instance-based pod is created. Annotations that you add or modify when you update a pod do not take effect.

Configuration example

The following sample code shows how to add the annotation to a Deployment so that the temporary storage space of the resulting elastic container instance is encrypted. In this example, data written to the temporary storage space is automatically encrypted and is decrypted when it is read.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kms-test
  labels:
    app: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      name: kms-test
      labels:
        app: test
        alibabacloud.com/eci: "true"
      annotations:
        k8s.aliyun.com/eci-ephemeral-storage-options: "{\"encrypted\":\"true\"}" # Encrypt the temporary storage space.
    spec:
      containers:
      - name: test
        image: registry-vpc.cn-beijing.aliyuncs.com/eci_open/nginx:1.4.2
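Because the annotation silently has no effect when it is placed on the workload's own metadata instead of spec.template.metadata, or when it is added after pod creation, it is worth checking manifests before they are applied. The following is an added example, not code from Alibaba Cloud or this topic: a small stdlib-only Python checker that takes a manifest as a Python dict (the shape kubectl get -o json returns), locates the metadata that actually becomes the pod's metadata, and verifies that the annotation carries the documented value. The sample manifests are constructed for the example, and the check is deliberately strict to the documented string form "true".

```python
import json

ANNOTATION = "k8s.aliyun.com/eci-ephemeral-storage-options"
# Workload kinds whose pods are stamped from spec.template; the annotation must sit there.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_metadata(manifest):
    """Return the metadata dict that becomes the pod's metadata for this kind."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata", {})
    if manifest.get("kind") in TEMPLATED_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("metadata", {})
    return {}


def check_ephemeral_encryption(manifest):
    """Return a list of findings; an empty list means encryption is correctly requested."""
    findings = []
    kind = manifest.get("kind", "<unknown>")
    # Mistake called out in the docs: annotation on Deployment.metadata instead of the pod template.
    if kind in TEMPLATED_KINDS and ANNOTATION in manifest.get("metadata", {}).get("annotations", {}):
        findings.append(f"{kind}: annotation is on metadata, not spec.template.metadata; it is ignored")
    raw = pod_metadata(manifest).get("annotations", {}).get(ANNOTATION)
    if raw is None:
        findings.append(f"{kind}: {ANNOTATION} missing; temporary storage will not be encrypted")
        return findings
    try:
        opts = json.loads(raw)  # the annotation value is a JSON document inside a string
    except (TypeError, ValueError):
        findings.append(f"{kind}: annotation value is not valid JSON: {raw!r}")
        return findings
    # Strict to the documented form: {"encrypted":"true"} with a string value (assumption).
    if not isinstance(opts, dict) or opts.get("encrypted") != "true":
        findings.append(f"{kind}: annotation present but encrypted is not \"true\": {raw!r}")
    return findings


# Constructed sample manifests for the example; not taken from the page.
GOOD = {"kind": "Deployment", "metadata": {"name": "kms-test"},
        "spec": {"template": {"metadata": {"annotations": {ANNOTATION: '{"encrypted":"true"}'}}}}}
WRONG_PLACE = {"kind": "Deployment",
               "metadata": {"name": "kms-test", "annotations": {ANNOTATION: '{"encrypted":"true"}'}},
               "spec": {"template": {"metadata": {}}}}
BAD_VALUE = {"kind": "Pod", "metadata": {"annotations": {ANNOTATION: '{"encrypted":"false"}'}}}

if __name__ == "__main__":
    for name, m in [("good", GOOD), ("wrong_place", WRONG_PLACE), ("bad_value", BAD_VALUE)]:
        print(name, check_ephemeral_encryption(m) or "OK")
```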