Help Center> Data Encryption Workshop> Best Practices> Key Management> Using KMS to Encrypt and Decrypt Data for Cloud Services> Encrypting Data in EVS
Updated on 2022-03-18 GMT+08:00
View PDF

Encrypting Data in EVS

Overview

In case your services require encryption for the data stored on disks in Elastic Volume Service (EVS), EVS provides you with the encryption function. You can encrypt newly created EVS disks. Keys used by encrypted EVS disks are provided by KMS of DEW, secure and convenient. Therefore, you do not need to establish and maintain the key management infrastructure.

Disk encryption is used for data disks only. System disk encryption relies on the image. For details, see Encrypting Data in IMS.

Who Can Use the Disk Encryption Function?

  • Security administrators (users having Security Administrator rights) can grant the KMS access rights to EVS for using disk encryption.
  • When a common user who does not have the Security Administrator rights needs to use the disk encryption feature, the condition varies depending on whether the user is the first one ever in the current region or project to use this feature.
    • If the user is the first, the user must contact a user having the Security Administrator rights to grant the KMS access rights to EVS. Then, the user can use the disk encryption feature.
    • If the user is not the first, the user can use the disk encryption function directly.

From the perspective of a tenant, as long as the KMS access rights have been granted to EVS in a region, all users in the same region can directly use the disk encryption feature.

If there are multiple projects in the current region, the KMS access rights need to be granted to each project in this region.

Keys Used for EVS Disk Encryption

The keys provided by KMS for disk encryption include a Default Master Key and Customer Master Keys (CMKs).

  • Default Master Key: A key that is automatically created by EVS through KMS and named evs/default.

    The Default Master Key cannot be disabled and does not support scheduled deletion.

  • CMKs: Keys created by users. You can use existing CMKs or create one. For details, see Creating a CMK.
If disks are encrypted using a CMK, which is then disabled or scheduled for deletion, the disks can no longer be read from or written to, and data on these disks may never be restored. See Table 1 for more information.
Table 1 Impact on encrypted disks after a CMK becomes unavailable

CMK Status

Impact on Encrypted Disks

Restoration Method

Disabled
  • If an encrypted disk is then attached to an ECS, the disk can still be used, but normal read/write operations are not guaranteed permanently.
  • If an encrypted disk is then detached, re-attaching the disk will fail.

Enable the CMK. For details, see Enabling One or More CMKs.

Pending deletion

Cancel the scheduled deletion for the CMK. For details, see Canceling the Scheduled Deletion of One or More CMKs.

Deleted

Data on the disks can never be restored.

You will be charged for the CMKs you use. If basic keys are used, ensure that your account balance is sufficient. If professional keys are used, renew your order timely. Otherwise, your services may be interrupted and your data may never be restored as the encrypted disks become unreadable and unwritable.

Using KMS to Encrypt a Disk (on the Console)

  1. On the EVS management console, click Buy Disk.
  2. Select the Encryption check box.

    1. Click More. The Encryption check box is displayed.
      Figure 1 More
    2. Create an agency.

      Select Encrypt. If EVS is not authorized to access KMS, the Create Agency dialog box is displayed. In this case, click Yes to authorize it. After the authorization, EVS can obtain KMS keys to encrypt and decrypt disks.

      Before you use the disk encryption function, KMS access rights need to be granted to EVS. If you have the right for granting, grant the KMS access rights to EVS directly. If you do not have the right, contact a user with the Security Administrator rights to grant the KMS access rights to EVS, then repeat the preceding operations.

    3. Set encryption parameters.
      Select Encrypt. If the authorization succeeded, the Encrypt Setting dialog box is displayed.
      Figure 2 Encryption settings

      Select either of the following types of keys from the KMS Key Name drop-down list:

      • Default Master Key. After the KMS access rights have been granted to EVS, the system automatically creates a Default Master Key named evs/default.
      • An existing or new CMK. For details about how to create one, see Creating a CMK.

  3. Configure other parameters for the disk. For details about the parameters, see Purchase an EVS Disk.

Using KMS to Encrypt a Disk (Through an API)

You can call the required API of EVS to purchase an encrypted EVS disk. For details, see Elastic Volume Service API Reference.