Cloud Server ECS ＞ Block Storage ＞ Encrypted Cloud Disk ＞ Overview of Encryption

Encryption overview

Updated: 2020-10-23 09:50:32

Edit my collection

Contents of this page

• Features
• Key
• Billing
• Use restrictions

Data encryption is suitable for scenarios such as data security or regulatory compliance, and helps you encrypt and protect data stored on Alibaba Cloud ECS. Without the need to build and maintain your own key management infrastructure, you can protect the privacy and autonomy of your data and provide a secure boundary for business data. The encrypted cloud disk can be a system disk and a data disk.

Features

ECS encryption adopts the industry standard AES-256 encryption algorithm, and uses a key to encrypt cloud disks. The key can be a service key and a common key (BYOK). In the process of encryption and decryption, the performance of the instance hardly decays.

• After creating an ECS instance using an encrypted system disk (or image), the data in the operating system of the ECS instance will be automatically encrypted and automatically decrypted when the data is read. For specific steps, see Encrypting the System Disk .
• After creating an encrypted data disk and mounting it to an ECS instance, the following data will be automatically encrypted and automatically decrypted when the data is read. For specific steps, see Encrypted Data Disk .
  • Encrypt the static data in the cloud disk.
  • Encrypt the data transferred between the cloud disk and the instance (not including the data in the operating system).
  • The encrypted cloud disk transfers the data from the instance to the back-end storage cluster.
  • All snapshots created from encrypted cloud disks, and the encryption key of the snapshot remains the same as the encryption key of the cloud disk.
  • All cloud disks created from encrypted snapshots.

Key

The ECS cloud disk encryption function uses the service key to encrypt user data by default, and it also supports the use of user-selected keys to encrypt user data. In the cloud disk encryption mechanism, each cloud disk has a corresponding user master key (CMK) and data key (DK), and the user data is encrypted through the envelope encryption mechanism. In the envelope encryption mechanism, the CMK is protected by the key management infrastructure provided by the Key Management Service (KMS), and implements strong physical and logical security protection. Cloud products must be authorized by the appropriate user before they can use the corresponding CMK to generate DK for the encryption of business data. Only through user authorization can the corresponding CMK be used to decrypt the ciphertext of the DK for business data. Decrypted. The plaintext of DK will only be used in the memory of the host where the ECS instance you use is located, and will not be stored in plaintext on permanent media.

When encrypting a cloud disk, the CMK you can choose includes the following types.

Types of	Description	source	Applicable scene
Service key, the following picture①	After KMS is activated, when you use the encryption function for the first time in a region, KMS automatically creates a CMK for ECS in the region, the key alias is acs/ecs, and the service key does not support deletion and disabling operations.	The default key provided by KMS (Default Service CMK)	Convenient and fast. For more details, please refer to What is Key Management Service
Ordinary key, the following figure②	Encryption keys created by you yourself, you have full management authority for this type of key, including the ability to create, rotate and disable keys, define access control, etc.	Source 1: The key you created in KMS Source 2: You created the key in KMS and imported the key material yourself (BYOK)	Improve operational flexibility and increase the number of keys

Billing

The cost information involved in the encrypted function or operation is shown in the table below. Items involving billing require you to ensure that the payment method has sufficient balance, otherwise the operation will fail.

Function or operation	Whether billing
Encrypt system disk and data disk	no
Use the service key provided by KMS	no
CMK created by you on KMS (including BYOK)	Yes
Read and write operations on cloud disks, including mounting partitions (mount), unmounting partitions (umount), creating partitions, formatting file systems, etc.	no
Management operations for cloud disks include the following types. Create encrypted cloud disk ( RunInstances , CreateInstance or CreateDisk ) Attach a cloud disk ( AttachDisk ) Create a snapshot ( CreateSnapshot ) Uninstall cloud disk ( DetachDisk ) Roll back cloud disk ( ResetDisk ) Reinitialize the cloud disk ( ReInitDisk ) Note that  whether it is through the ECS management console or through the API, management operations will be recorded in the form of API to the number of KMS service API calls you have made in the region.	For details, see the billing instructions in the "Key Management Service Document" .

Use restrictions

• Data disks that support encryption include ESSD cloud disks, SSD cloud disks, high-efficiency cloud disks and ordinary cloud disks.
• System disks that support encryption include ESSD cloud disks, SSD cloud disks, and high-efficiency cloud disks.
• Does not support encrypted local disks.
• When encrypting a system disk, it can only be encrypted when copying a custom image. After encryption, the following operations are not supported:
  • Convert an encrypted image to a non-encrypted image.
  • Copy encrypted images across regions.
  • Shared encrypted image.
  • Export the encrypted image.
• Non-encrypted cloud disks cannot be directly converted into encrypted cloud disks.
• Encrypted cloud disks cannot be directly converted to non-encrypted cloud disks.