Disk Encryption
What Is Disk Encryption?
If your services require the data stored on disks to be encrypted, EVS provides an encryption function. You can encrypt new disks. Keys used by encrypted disks are provided by the Key Management Service (KMS) of Data Encryption Workshop (DEW), which is secure and convenient, so you do not need to establish and maintain your own key management infrastructure.
Keys Used for Disk Encryption
- Default Key: A key that is automatically created by EVS through KMS and named evs/default.
It cannot be disabled and does not support scheduled deletion.
- Custom keys: Keys created by users. You can use existing keys or create new ones to encrypt disks. For details, see the Data Encryption Workshop User Guide.
| Custom Key Status | Impact | How to Restore |
|---|---|---|
| Disabled | | Enable the custom key. For details, see Enabling One or More Custom Keys. |
| Scheduled deletion | | Cancel the scheduled deletion for the custom key. For details, see Canceling the Scheduled Deletion of One or More Custom Keys. |
| Deleted | | Data on the disks can never be restored. |
You will be billed for the custom keys you use. If pay-per-use keys are used, ensure that you have sufficient account balance. If yearly/monthly keys are used, renew your order in time. Otherwise, your services may be interrupted and data may never be restored because the encrypted disks become inaccessible.
Relationships Between Encrypted Disks and Backups
The encryption function can be used to encrypt system disks, data disks, and backups. The details are as follows:
- System disk encryption relies on images. For details, see the Image Management Service User Guide.
- The encryption attribute of an existing disk cannot be changed. You can create new disks and determine whether to encrypt the disks or not.
- When a disk is created from a backup, the encryption attribute of the new disk will be consistent with that of the backup's source disk.
Before you use the encryption function, EVS must be granted permission to access DEW. If you have the right to grant permissions, grant KMS access rights to EVS directly. If you do not, contact a user with security administrator rights to add the security administrator rights for you, and then grant KMS access rights to EVS. For details, see Who Can Use the Encryption Feature?
For how to create encrypted disks, see Create a Disk.
Who Can Use the Encryption Function?
- The security administrator (having Security Administrator permissions) can grant the KMS access rights to EVS for using the encryption function.
- When a user who does not have the Security Administrator permissions needs to use the encryption function, the condition varies depending on whether the user is the first one ever in the current region to use this function.
  - If the user is the first one ever in the current region to use this function, the user must contact a user having the Security Administrator permissions to grant the KMS access rights to EVS. Then, the user can use encryption.
  - If the user is not the first one ever in the current region to use this function, the user can use encryption directly.
From the perspective of a tenant, as long as the KMS access rights have been granted to EVS in a region, all the users in the same region can directly use the encryption function.