
Elastic Compute Service:Encrypt cloud disks

Last Updated:Dec 09, 2024

Cloud disk encryption uses encryption algorithms to protect data stored on cloud disks from unauthorized access and data leaks. The cloud disk encryption feature encrypts data that is written to a cloud disk and decrypts data that is read by authorized users. Even if the disk data is leaked, unauthorized users cannot decrypt it, which preserves the confidentiality and integrity of disk data. This topic describes how disk encryption works, the limits of disk encryption, and how to implement disk encryption.

Encryption

How encryption works

In Elastic Compute Service (ECS), Key Management Service (KMS) is used to encrypt cloud disks, images, and snapshots based on the Advanced Encryption Standard 256 (AES-256). KMS uses the double-key design and the envelope encryption mechanism to encrypt data. The double-key design uses customer master keys (CMKs) and data keys (DKs) generated by the CMKs for encryption and decryption: a CMK encrypts and decrypts DKs, and a DK encrypts and decrypts business data. KMS performs the following steps to use the envelope encryption mechanism to implement encryption:

  1. Encrypt a DK.

    A CMK is used to encrypt the DK before the DK can be used. The encrypted DK (ciphertext) can be securely stored together with the encrypted business data. Even if unauthorized users gain access to the storage medium, they cannot decrypt the DK because they do not have the CMK.

  2. Store and read encrypted data.

    When encrypted data is read, a KMS request is sent to decrypt the DK. After KMS verifies the request, KMS returns a plaintext DK. The process is executed in memory, and the DK is not stored on a storage medium. The plaintext DK in the hypervisor memory is used to decrypt the data during disk I/O operations.

Note

During the envelope encryption process, the plaintext CMK is not stored or used outside the hardware security module managed by KMS. The plaintext DK is used only in the memory of the host on which a service instance resides and is never stored on a storage medium.

For more information, see the Encryption process section of the "Overview of integration with KMS" topic.

Encryption keys

  • Key types

    KMS provides multiple types of keys for Alibaba Cloud services, such as default keys and software-protected keys. A default key can be a service key or a CMK. If you want to encrypt specific resources on an ECS instance, you can use a service key or use a CMK that you create or manage. For more information about key types, see Overview of key management.

    • Service keys

      The first time you encrypt a cloud disk in a region, the system automatically creates a service key in KMS for ECS in the region. The service key of each user is unique in each region and is created and managed by an Alibaba Cloud service. Service keys provide basic data protection capabilities. However, in scenarios that have high security requirements, service keys offer limited key management. For example, you cannot manage the lifecycle of service keys.

      ECS uses the following aliases for service keys:

      • China (Hohhot), China (Ulanqab), China (Heyuan), and China (Chengdu) regions: alias/acs/ecs.

      • Other regions: Default Service CMK.

    • CMKs

      You can create or upload CMKs to KMS, manage the lifecycle of the CMKs, and use the CMKs to provide more security capabilities. You can disable or enable CMKs or import keys as CMKs in the KMS console to enhance key lifecycle management and manage the encryption and decryption of ECS data. For information about how to create and disable CMKs, see Manage a key.

  • Key specifications

    KMS supports common symmetric and asymmetric keys to ensure the security of encrypted data. When you use a CMK to encrypt a cloud disk during disk creation or when you copy an encrypted snapshot or an encrypted image, you can use only a symmetric key. For more information, see Key types and specifications.

  • Key rotation

    • In the best practices for ECS encryption, we recommend that you do not extensively reuse encryption keys. We recommend that you use the key rotation feature of KMS to enhance the security of key usage.

    • The key rotation feature takes effect only on new resources that require encryption, such as disks, snapshots, and images. The new resources are encrypted by using new key materials. The key rotation feature does not affect existing encrypted resources.

    • Only symmetric keys whose key materials are generated by KMS support rotation. Keys that use your own key materials do not support rotation.

    For more information, see Configure key rotation.

Check whether data stored on a cloud disk is encrypted

You cannot directly observe whether the disk encryption mechanism is active on your cloud disk. To verify that data is encrypted when it is stored on the cloud disk, perform the following steps:

  1. Select a CMK when you create an encrypted cloud disk. For more information, see the Encrypt a cloud disk section of this topic.

  2. Disable CMKs. For more information, see the Disable a key section of the "Manage a key" topic.

  3. Run the reboot command to restart the ECS instance to which the disk is attached.

After the preceding steps are performed, the CMK associated with the encrypted cloud disk becomes invalid. In this case, one of the following issues may occur: the ECS instance cannot be restarted, an I/O hang occurs on the system disk, or the cloud disk cannot be read or written. This indicates that the user data stored on the cloud disk is encrypted.
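The envelope flow from the How encryption works section and the disabled-key check above, modeled as an added Python example that is not Alibaba Cloud or KMS code: KmsStub stands in for the KMS-managed HSM, and an HMAC-SHA256 counter-mode keystream stands in for AES-256 so that the key hierarchy runs with the standard library only. Disabling the CMK makes the wrapped DK undecryptable, so disk reads fail, which is the behavior the check above relies on.

```python
import hashlib
import hmac
import secrets
# Added model of the envelope flow, not Alibaba Cloud code: the CMK exists only inside
# KmsStub (the KMS HSM stand-in); HMAC-SHA256 counter mode stands in for AES-256 (assumed).
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct  # nonce|tag|ct

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(key, nonce, ct)

class KmsStub:
    def __init__(self):
        self._cmks = {}  # key id -> {"material", "enabled"}; material is never returned
    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(8)
        self._cmks[key_id] = {"material": secrets.token_bytes(32), "enabled": True}
        return key_id
    def disable_key(self, key_id: str) -> None:
        self._cmks[key_id]["enabled"] = False
    def _material(self, key_id: str) -> bytes:
        cmk = self._cmks[key_id]
        if not cmk["enabled"]:
            raise PermissionError(f"{key_id} is disabled")
        return cmk["material"]
    def generate_data_key(self, key_id: str):  # step 1: plaintext DK plus CMK-wrapped DK
        dk = secrets.token_bytes(32)
        return dk, seal(self._material(key_id), dk)
    def decrypt_data_key(self, key_id: str, wrapped_dk: bytes) -> bytes:
        return unseal(self._material(key_id), wrapped_dk)

def disk_write(kms: KmsStub, key_id: str, data: bytes) -> dict:
    dk, wrapped_dk = kms.generate_data_key(key_id)
    return {"key_id": key_id, "wrapped_dk": wrapped_dk, "data": seal(dk, data)}  # stored together

def disk_read(kms: KmsStub, disk: dict) -> bytes:
    dk = kms.decrypt_data_key(disk["key_id"], disk["wrapped_dk"])  # plaintext DK only in memory
    return unseal(dk, disk["data"])
```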

Billing

KMS provides free default keys that include service keys and CMKs. You can use the default keys without the need to purchase a KMS instance. If you want to increase the number of CMKs, use Secrets Manager, or build an application-layer cryptographic solution for self-managed applications, you must purchase a KMS instance of the software or hardware key management type. For information about the billing of KMS, see Billing.

Limits

Disk encryption is subject to the following limits:

Instance type

  • You cannot encrypt system disks or configure encryption when you create data disks from snapshots for instances of the following instance families: ecs.ebmg5, ecs.ebmgn5t, ecs.ebmi3, ecs.sccg5, ecs.scch5, ecs.ebmc4, and ecs.ebmhfg5. For more information, see Overview of instance families.

  • No limits are imposed on the creation of empty data disks.

Disk category

  • Local disks cannot be encrypted.

  • Elastic ephemeral disks cannot be encrypted.

  • Cloud disks:

    • If you encrypt system disks or configure encryption when you create data disks from snapshots, the system or data disks must be Enterprise SSD (ESSD) series disks. ESSD-series disks include PL0, PL1, PL2, and PL3 ESSDs, ESSD Entry disks, ESSD AutoPL disks, and Regional ESSDs.

    • No limits are imposed on the creation of empty data disks.

CMK

  • You cannot select CMKs in the China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), and South Korea (Seoul) regions.

  • The first time you select a CMK from the key drop-down list, click request required permissions to attach the AliyunECSDiskEncryptDefaultRole role to ECS and allow ECS to access KMS resources. For more information, see the Encryption permission for ECS resources section of the "Grant access to KMS keys through RAM roles" topic.

Permission policy

Enterprises that have high security compliance requirements may require all Resource Access Management (RAM) users who belong to their Alibaba Cloud accounts to encrypt data to ensure data confidentiality. ECS allows you to configure custom policies that allow RAM users to create only encrypted cloud disks. For more information, see the Custom policy that grants a RAM user the permissions to create only encrypted disks section of the "Custom policies for ECS" topic.

Considerations

  • The encryption operation is irreversible. After an encrypted cloud disk is created, the cloud disk cannot be converted into a non-encrypted disk.

  • If you delete or disable a key, the key becomes invalid, and the data of encrypted cloud disks, encrypted images, and encrypted snapshots may no longer be recoverable. Before you delete or disable a key, we recommend that you use the Disable Key feature or the Check feature to check whether the key is used for server-side encryption in Alibaba Cloud services. This prevents data from becoming unrecoverable because the key is missing.

    Warning

    Take note that if keys become invalid due to the operations that you perform, you are responsible for the risk that data stored on the associated cloud disks may not be restored.

Encrypt a cloud disk

Encrypt a cloud disk when you create an ECS instance or a cloud disk

Use the ECS console

  • Encrypt a cloud disk when you create an ECS instance

    The following steps describe only how to encrypt the system disk or a data disk when you create an ECS instance. For information about other configurations, see Create an instance on the Custom Launch tab.

    1. In the Storage section, select a disk category and specify the disk size for each disk, including the system disk and data disks (if any).

    2. Select Encryption and then select an encryption key from the drop-down list.

  • Encrypt a cloud disk when you create the cloud disk

    The following steps describe only how to configure the disk encryption settings when you create a cloud disk. For information about other configurations of the cloud disk, see Create an empty data disk.

    1. In the Cloud Disk section, select a disk category and specify the disk size.

    2. Select Disk Encryption and then select an encryption key from the drop-down list.

Note

  • When you select an encryption key, you can select the region-specific service key or a CMK that is created in KMS from the drop-down list. For information about encryption keys, see the Encryption keys section of this topic. Before you select a CMK, take note that the CMK must meet the region and permission requirements. For more information, see the Limits section of this topic.

  • If you select Create from Snapshot, take note that the instance family and disk category must meet the requirements before you can select Encryption. For more information, see the Limits section of this topic.

Call API operations

  • Encrypt a cloud disk when you create an ECS instance

    When you call the RunInstances operation to create an ECS instance, you can specify the Encrypted and KMSKeyId values for the SystemDisk or DataDisk parameter to encrypt the system disk or data disk.

  • Encrypt a cloud disk when you create the cloud disk

    When you call the CreateDisk operation to create a data disk, you can specify the Encrypted and KMSKeyId values to encrypt the data disk.
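An added pre-flight helper, not Alibaba Cloud SDK code, that builds the Encrypted and KMSKeyId parameters for RunInstances and CreateDisk and rejects requests that would violate the Limits section before any call is sent. The ESSD category codes and the region IDs it uses are assumed mappings of the names in this topic, the assumption that an omitted KMSKeyId selects the region's service key is labelled in the code, and all other identifiers are constructed sample values.

```python
# Added pre-flight helper, not Alibaba Cloud SDK code: assembles the encryption parameters
# that RunInstances and CreateDisk accept and rejects requests that violate the topic's limits.
NO_ENCRYPT_FROM_IMAGE_OR_SNAPSHOT = {  # instance families from the Limits section
    "ecs.ebmg5", "ecs.ebmgn5t", "ecs.ebmi3", "ecs.sccg5", "ecs.scch5", "ecs.ebmc4", "ecs.ebmhfg5",
}
# Assumed category codes for ESSD, ESSD Entry, ESSD AutoPL and Regional ESSD.
ESSD_CATEGORIES = {"cloud_essd", "cloud_essd_entry", "cloud_auto", "cloud_regional_disk_auto"}
# Assumed region IDs for the regions where a CMK cannot be selected.
NO_CMK_REGIONS = {"cn-nanjing", "cn-fuzhou", "ap-southeast-7", "ap-northeast-2"}

def _check_image_or_snapshot_source(kind: str, family: str, category: str) -> None:
    # These limits apply to system disks and to data disks created from snapshots only.
    if family in NO_ENCRYPT_FROM_IMAGE_OR_SNAPSHOT:
        raise ValueError(f"{kind}: encryption is not supported on instance family {family}")
    if category not in ESSD_CATEGORIES:
        raise ValueError(f"{kind}: an encrypted {kind} must be ESSD-series, got {category}")

def _check_cmk_region(region_id: str, kms_key_id) -> None:
    if kms_key_id and region_id in NO_CMK_REGIONS:
        raise ValueError(f"a CMK cannot be selected in region {region_id}")

def run_instances_params(region_id, instance_type, image_id, system_disk_category,
                         kms_key_id=None, data_disks=()) -> dict:
    family = ".".join(instance_type.split(".")[:2])  # ecs.ebmg5.24xlarge -> ecs.ebmg5
    _check_image_or_snapshot_source("system disk", family, system_disk_category)
    _check_cmk_region(region_id, kms_key_id)
    params = {"Action": "RunInstances", "RegionId": region_id, "InstanceType": instance_type,
              "ImageId": image_id, "SystemDisk.Category": system_disk_category,
              "SystemDisk.Encrypted": "true"}
    if kms_key_id:  # assumption: an omitted KMSKeyId selects the region's service key
        params["SystemDisk.KMSKeyId"] = kms_key_id
    for n, disk in enumerate(data_disks, start=1):
        if disk.get("SnapshotId"):  # empty data disks have no family or category limit
            _check_image_or_snapshot_source("data disk", family, disk["Category"])
            params[f"DataDisk.{n}.SnapshotId"] = disk["SnapshotId"]
        params[f"DataDisk.{n}.Category"] = disk["Category"]
        params[f"DataDisk.{n}.Size"] = str(disk["Size"])
        params[f"DataDisk.{n}.Encrypted"] = "true"
        if kms_key_id:
            params[f"DataDisk.{n}.KMSKeyId"] = kms_key_id
    return params

def create_disk_params(region_id, zone_id, category, size_gib, kms_key_id=None, snapshot_id=None) -> dict:
    _check_cmk_region(region_id, kms_key_id)
    if snapshot_id and category not in ESSD_CATEGORIES:
        raise ValueError("an encrypted data disk created from a snapshot must be ESSD-series")
    params = {"Action": "CreateDisk", "RegionId": region_id, "ZoneId": zone_id,
              "DiskCategory": category, "Size": str(size_gib), "Encrypted": "true"}
    params.update({k: v for k, v in {"SnapshotId": snapshot_id, "KMSKeyId": kms_key_id}.items() if v})
    return params
```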

Convert existing non-encrypted cloud disks to encrypted cloud disks

To encrypt existing system disks or data disks, you can use one of the following methods:

Use the ECS console

  • Encrypt a system disk

    1. Create an image for an ECS instance. For more information, see Create a custom image from an instance.

    2. Copy the image as an encrypted image. For more information, see Copy a custom image.

    3. Encrypt the system disk based on the encrypted image.

      • If you use the encrypted image to replace the system disk of the source ECS instance, the system disk of the source ECS instance is automatically encrypted. For more information, see Replace the operating system of an instance.

      • If you use the encrypted image to create an ECS instance, the system disk and data disks (if any) of the new ECS instance are automatically encrypted. For more information, see Create an instance by using a custom image.

  • Encrypt a data disk

    1. Create a snapshot for a data disk. For more information, see Create a snapshot.

    2. Copy the snapshot as an encrypted snapshot. For more information, see Copy a snapshot.

    3. Create a cloud disk from the encrypted snapshot. Data on the new cloud disk is automatically encrypted. For more information, see Create a disk from a snapshot.

    4. Attach the created encrypted cloud disk to the source ECS instance. For more information, see Attach a data disk.

Use OOS

You can use a public template named ACS-ECS-BulkyEncryptSystemDisk provided by CloudOps Orchestration Service (OOS) to encrypt the system disks of multiple ECS instances at a time. For more information, see Encrypt system disks of multiple ECS instances at a time.

Note

CloudOps Orchestration Service (OOS) is a comprehensive and automated O&M service provided by Alibaba Cloud free of charge to help you manage and execute O&M tasks in the cloud. OOS also serves as a standardization platform for O&M tasks and allows you to perform operations as code. For more information, see What is OOS? For information about OOS public templates, see Public Templates.