Help Center/ Cloud Container Engine/ User Guide/ Storage/ EVS/ Encrypting EVS Disks

Updated on 2025-09-15 GMT+08:00

View PDF

Encrypting EVS Disks

Encrypting cloud disks ensures data privacy and control, making it ideal for scenarios that demand high security or compliance standards. This section describes how to use the keys managed by Data Encryption Workshop (DEW) to encrypt EVS disks.

Prerequisites

You have created a cluster and installed the CCE Container Storage (Everest) add-on in the cluster.
An available key has been created in DEW. For details, see Creating a Key.
To create a cluster using commands, ensure kubectl is used. For details, see Accessing a Cluster Using kubectl.

Automatically Creating an Encrypted EVS Volume

CCE allows you to dynamically create encrypted EVS volumes using the console or kubectl to protect data privacy and autonomy.

Log in to the CCE console and click the cluster name to access the cluster console.
Dynamically create a PVC and PV.
1. Choose Storage in the navigation pane and click the PVCs tab. Click Create PVC in the upper right corner. In the dialog box displayed, configure PVC parameters.
2. Select EVS for the StorageClass, enable encryption, and choose a key. Configure other parameters based on service requirements. For details, see Using an EVS Disk Through a Dynamic PV.
  Figure 1 Encrypted storage volume
3. Click Create.
Go to the PVCs tab and check whether the PVC of the encrypted EVS disk is created and whether the disk is encrypted.

Figure 2 Encrypted PVC
The method of using an encrypted PVC is the same as that of using a regular PVC.

Use kubectl to access the cluster.

Create the pvc-evs-auto.yaml file. For details, see Using kubectl.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-evs-auto
  namespace: default
  annotations:
    everest.io/disk-volume-type: SAS    # EVS disk type
    everest.io/crypt-key-id: 37f202db-a970-4ac1-a506-e5c4f2d7ce69   # Encryption key ID, which can be obtained from DEW
  labels:
    failure-domain.beta.kubernetes.io/region: <your_region>   # Region of the node where the application is to be deployed
    failure-domain.beta.kubernetes.io/zone: <your_zone>       # AZ of the node where the application is to be deployed
spec:
  accessModes:
  - ReadWriteOnce               # The value must be ReadWriteOnce for EVS disks.
  resources:
    requests:
      storage: 10Gi             # EVS disk capacity, ranging from 1 to 32768
  storageClassName: csi-disk    # The StorageClass is EVS.

**Table 1** Encryption parameters
Parameter	Example Value	Description
everest.io/crypt-key-id	37f202db-a970-4ac1-a506-e5c4f2d7ce69	ID of an encryption key, which can be obtained from DEW.

Run the following command to create a PVC:
```
kubectl apply -f pvc-evs-auto.yaml
```
Go to the PVCs tab and check whether the PVC of the encrypted EVS disk is created and whether the disk is encrypted.