Elastic Compute Service: Encrypt cloud disks

Last Updated: Aug 14, 2024

Cloud disk encryption uses encryption algorithms to protect data stored on cloud disks from unauthorized access and data leaks. The cloud disk encryption feature encrypts data that is written to a cloud disk and decrypts data that is read by authorized users. Even if the stored data is leaked, unauthorized users cannot access the cloud disk or decrypt the data, which preserves the confidentiality and integrity of disk data. This topic describes how disk encryption works, the limits of disk encryption, and how to implement disk encryption.

Encryption

How encryption works

In Elastic Compute Service (ECS), Key Management Service (KMS) is used to encrypt cloud disks, images, and snapshots based on the Advanced Encryption Standard 256 (AES-256). KMS uses a double-key design together with the envelope encryption mechanism. The double-key design uses customer master keys (CMKs) and data keys (DKs) generated from the CMKs: the CMKs encrypt and decrypt the DKs, and the DKs encrypt and decrypt business data. KMS performs the following steps to implement envelope encryption:

  1. Encrypt a DK.

    A CMK is used to encrypt the DK before the DK can be used. The encrypted (ciphertext) DK can then be stored securely together with the encrypted business data. Even if unauthorized users gain access to the storage medium, they cannot decrypt the DK, because they do not have the CMK.

  2. Store and read encrypted data.

    When encrypted data is read, a KMS request is sent to decrypt the DK. After KMS verifies the request, KMS returns a plaintext DK. The process is executed in memory, and the DK is not stored on a storage medium. The plaintext DK in the hypervisor memory is used to decrypt the data during disk I/O operations.

Note

During the envelope encryption process, the plaintext CMK is not stored or used outside the hardware security module managed by KMS. The plaintext DK is used only in the memory of the host on which a service instance resides, but is never stored on a storage medium.

For more information, see the Encryption process section of the "Overview of integration with KMS" topic.
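The two envelope-encryption steps above, as an added Go example that is not Alibaba Cloud's or KMS's code: AES-256-GCM stands in for both the CMK and DK operations, and the "KMS request" of step 2 is simply unwrapping the DK with the CMK held in memory. A wrong or disabled CMK fails that unwrap, which is exactly why a disk whose CMK has been disabled becomes unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Key [32]byte // 256-bit AES key; the same type serves as the CMK and as each DK

// EncryptedBlock is what reaches the storage medium: the business data sealed
// under a DK, plus that DK sealed under the CMK. The plaintext DK is never stored.
type EncryptedBlock struct{ WrappedDK, Data []byte }

// gcm builds AES-256-GCM; neither constructor can fail for a [32]byte key.
func gcm(key Key) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts plaintext under key and prefixes the random nonce to the output.
func seal(key Key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // never returns an error in Go 1.24+
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; an authentication error means the wrong key or tampering.
func open(key Key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if ns := g.NonceSize(); len(sealed) >= ns {
		return g.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// EncryptBlock is step 1: generate a DK, wrap it under the CMK, encrypt data under the DK.
func EncryptBlock(cmk Key, data []byte) EncryptedBlock {
	var dk Key
	rand.Read(dk[:])
	return EncryptedBlock{WrappedDK: seal(cmk, dk[:]), Data: seal(dk, data)}
}

// DecryptBlock is step 2: unwrap the DK with the CMK (the KMS request), then decrypt in
// memory. A disabled or missing CMK fails the first call, so the disk becomes unreadable.
func DecryptBlock(cmk Key, b EncryptedBlock) ([]byte, error) {
	raw, err := open(cmk, b.WrappedDK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DK (CMK missing or disabled?): %w", err)
	}
	return open(Key(raw), b.Data) // raw is exactly 32 bytes once authenticated
}
```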

Encryption keys

The default keys of KMS include service keys and CMKs. By default, ECS uses a service key to encrypt user data. You can also create a custom CMK in KMS to encrypt user data. For information about keys, see Overview of key management.

  • Service keys

    The first time you encrypt a cloud disk in a region, the system automatically creates a Default Service CMK whose alias is alias/acs/ecs for ECS in KMS. The service key of each user in each region is unique. Service keys provide basic data protection, but you cannot manage their lifecycle, which can be a problem in scenarios with high security requirements.

  • CMKs

    You can create or upload CMKs to KMS, manage the lifecycle of the CMKs, and use the CMKs to provide more security capabilities. You can disable or enable CMKs or import your CMKs in the KMS console to enhance key lifecycle management and manage the encryption and decryption of ECS data. CMKs support key rotation. This enhances the security of key usage and improves the security of business data. For information about how to disable CMKs and how to delete CMKs on schedule, see the "Disable a key" and "Schedule deletion of a key" sections of the Manage a key topic.

    Important

    Asymmetric keys are not supported when you use a CMK to encrypt a cloud disk during disk creation or when you copy an encrypted snapshot or an encrypted image. For more information, see Key types and specifications.

Check whether data stored on a cloud disk is encrypted

From inside the instance, you cannot directly observe whether disk encryption is in effect on a cloud disk. To verify that data is encrypted when it is stored on the cloud disk, perform the following steps:

  1. Select a CMK when you create an encrypted cloud disk. For more information, see the Encrypt a cloud disk section of this topic.

  2. Disable CMKs. For more information, see the Disable a key section of the "Manage a key" topic.

  3. Run the reboot command to restart the ECS instance to which the disk is attached.

After the preceding steps are performed, the CMK associated with the encrypted cloud disk becomes invalid. In this case, one of the following issues may occur: the ECS instance cannot be restarted, an I/O hang occurs on the system disk, or the cloud disk cannot be read or written. This indicates that the user data stored on the cloud disk is encrypted.

Billing

KMS provides free default keys that include service keys and CMKs. You can use the default keys without the need to purchase a KMS instance. If you want to increase the number of CMKs, use Secrets Manager, or build an application-layer cryptographic solution for self-managed applications, purchase a KMS instance of the software or hardware key management type. For information about the billing of KMS, see Billing.

Limits

The following limits apply, grouped by category:

Instance type

  • The following instance families cannot be used to encrypt system disks or to enable encryption when you create a cloud disk from a snapshot: ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, and ecs.ebmhfg5. For more information, see Overview of instance families.

  • No limits are imposed on the creation of empty data disks.

Disk category

  • Local disks cannot be encrypted.

  • The following categories of system disks can be encrypted: Enterprise SSD (ESSD), ESSD Entry disk, and ESSD AutoPL disk.

  • Data disks:

    • No limits are imposed on the creation of empty data disks.

    • You can configure encryption when you create one of the following categories of cloud disks from snapshots: ESSD, ESSD Entry disk, and ESSD AutoPL disk.

CMK

  • You cannot select CMKs in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), and South Korea (Seoul) regions.

  • The first time you select a CMK from the key drop-down list, click request required permissions to attach the AliyunECSDiskEncryptDefaultRole role to ECS and grant ECS access to KMS resources. For more information, see the Encryption permission for ECS resources section of the "Grant access to KMS keys through RAM roles" topic.

Permission policy

For enterprises that have high security compliance requirements, all Resource Access Management (RAM) users under the enterprise's Alibaba Cloud account may be required to encrypt data to ensure data confidentiality. ECS allows you to configure custom permission policies that allow RAM users to create only encrypted cloud disks. For more information, see the Custom policy that grants a RAM user the permissions to create only encrypted disks section of the "Custom policies for ECS" topic.

Considerations

  • The encryption operation is irreversible. After an encrypted cloud disk is created, the cloud disk cannot be converted into a non-encrypted disk.

  • If you delete or disable a key, the key becomes invalid, and the data of encrypted cloud disks, encrypted images, and encrypted snapshots may no longer be recoverable. Before you delete or disable a key, we recommend that you use the Disable Key feature to check whether the key is used for server-side encryption in Alibaba Cloud services. You can also use the Check feature for the same purpose. This prevents data from becoming unrecoverable because a key is missing.

    Warning

    Take note that if keys become invalid due to the operations that you perform, you are responsible for the risk that data stored on the associated cloud disks may not be restored.

Encrypt a cloud disk

Encrypt a cloud disk when you create an ECS instance or a cloud disk

Use the ECS console

  • Encrypt a cloud disk when you create an ECS instance

    The following steps describe only how to encrypt the system disk or a data disk when you create an ECS instance. For information about other configurations, see Create an instance on the Custom Launch tab.

    1. In the Storage section, select a disk category and specify the disk size.

    2. Select Encryption and then select an encryption key from the drop-down list.

  • Encrypt a cloud disk when you create the cloud disk

    The following steps describe only how to configure the disk encryption settings when you create a cloud disk. For information about other configurations of the cloud disk, see Create a disk.

    1. In the Storage section, select a disk category and specify the disk size.

    2. Select Disk Encryption and then select an encryption key from the drop-down list.

Note

  • When you select an encryption key in the ECS console, you can select Default Service CMK or a CMK that is created in KMS from the drop-down list. For information about encryption keys, see the Encryption keys section of this topic. Before you select a CMK, take note that the CMK must meet the region and permission requirements. For more information, see the Limits section of this topic.

  • If you select Create from Snapshot, take note that the instance family and disk category must meet the requirements before you can select Disk Encryption. For more information, see the Limits section of this topic.

Call API operations

  • Encrypt a cloud disk when you create an ECS instance

    When you call the RunInstances operation to create an ECS instance, you can specify the Encrypted and KMSKeyId values for the SystemDisk or DataDisk parameter to encrypt the system disk or data disk.

  • Encrypt a cloud disk when you create the cloud disk

    When you call the CreateDisk operation to create a data disk, you can specify the Encrypted and KMSKeyId values to encrypt the data disk.
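An added Go example (not Alibaba Cloud SDK code) that turns the Limits section into a pre-flight check and builds the Encrypted/KMSKeyId query parameters for CreateDisk and for the SystemDisk/DataDisk parameters of RunInstances. The category values cloud_essd, cloud_essd_entry and cloud_auto, and the local prefix for local disks, are this example's assumed mapping of the category names used on this page.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Instance families that cannot encrypt a system disk or a disk created from a
// snapshot (the Limits section); empty data disks are not affected.
var unsupportedFamilies = []string{"ecs.ebmg5", "ecs.ebmgn5t", "ecs.ebmi3",
	"ecs.sccg5", "ecs.scch5", "ecs.ebmc4", "ecs.ebmhfg5"}
// Assumed API names for ESSD, ESSD Entry and ESSD AutoPL, the categories the page
// allows for encrypted system disks and for encryption when creating from a snapshot.
var encryptableCategories = []string{"cloud_essd", "cloud_essd_entry", "cloud_auto"}

// Family strips the size suffix from an instance type: "ecs.ebmg5.24xlarge" -> "ecs.ebmg5".
func Family(instanceType string) string {
	if i := strings.LastIndex(instanceType, "."); i > 0 {
		return instanceType[:i]
	}
	return instanceType
}
// CheckEncryptable applies the Limits section before a request is sent; instanceType
// may be empty for a disk that is not created together with an instance.
func CheckEncryptable(instanceType, category string, systemDisk, fromSnapshot bool) error {
	if strings.HasPrefix(category, "local") { // local disk categories (assumed naming)
		return fmt.Errorf("local disks cannot be encrypted")
	}
	if !systemDisk && !fromSnapshot {
		return nil // empty data disk: no limits
	}
	if f := Family(instanceType); slices.Contains(unsupportedFamilies, f) {
		return fmt.Errorf("instance family %s cannot encrypt this disk", f)
	}
	if !slices.Contains(encryptableCategories, category) {
		return fmt.Errorf("disk category %s cannot be encrypted here", category)
	}
	return nil
}

// EncryptionParams returns the Encrypted/KMSKeyId pair for one disk: prefix is "" for
// CreateDisk, "SystemDisk." or "DataDisk.N." for RunInstances. An empty kmsKeyID omits
// KMSKeyId, so ECS falls back to its service key (alias/acs/ecs).
func EncryptionParams(prefix, kmsKeyID string) map[string]string {
	p := map[string]string{prefix + "Encrypted": "true"}
	if kmsKeyID != "" {
		p[prefix+"KMSKeyId"] = kmsKeyID
	}
	return p
}
```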

Convert existing non-encrypted cloud disks to encrypted cloud disks

To encrypt existing system disks or data disks, you can use one of the following methods:

Use the ECS console

  • Encrypt a system disk

    1. Create an image for an ECS instance. For more information, see Create a custom image from an instance.

    2. Copy the image as an encrypted image. For more information, see Copy a custom image.

    3. Encrypt the system disk based on the encrypted image.

      • If you use the encrypted image to replace the system disk of the source ECS instance, the system disk of the source ECS instance is automatically encrypted. For more information, see Replace the operating system of an instance.

      • If you use the encrypted image to create an ECS instance, the system disk and data disks (if any) of the new ECS instance are automatically encrypted. For more information, see Create an instance by using a custom image.

  • Encrypt a data disk

    1. Create a snapshot for a data disk. For more information, see Create a snapshot for a disk.

    2. Copy the snapshot as an encrypted snapshot. For more information, see Copy a snapshot.

    3. Create a cloud disk from the encrypted snapshot. Data on the new cloud disk is automatically encrypted. For more information, see Create a disk from a snapshot.

    4. Attach the created encrypted cloud disk to the source ECS instance. For more information, see Attach a data disk.

Use OOS

You can use a public template named ACS-ECS-BulkyEncryptSystemDisk provided by CloudOps Orchestration Service (OOS) to encrypt the system disks of multiple ECS instances at a time. For more information, see Encrypt system disks of multiple ECS instances at a time.

Note

CloudOps Orchestration Service (OOS) is a comprehensive and automated O&M service provided by Alibaba Cloud free of charge to help you manage and execute O&M tasks in the cloud. OOS also serves as a standardization platform for O&M tasks and allows you to perform operations as code. For more information, see What is OOS? For information about OOS public templates, see Public Templates.