Updated on 2025-04-02 GMT+08:00

Encrypting Data in IMS

When you create private images in Image Management Service (IMS), you can use KMS encryption to store data securely.

Scenario

An IMS image is a template used to create servers or disks. Image types include public images, private images, shared images, and KooGallery images. When you create a private image in IMS, you can use KMS encryption to ensure data security.

You can create an encrypted image in either of the following ways:

  • Using an external image file (Method 1)
  • Using an encrypted ECS (Method 2)

This section describes how to use default KMS keys to encrypt IMS image files.

Solution Architecture

Figure 1 describes how to use KMS to encrypt an IMS image file.

Figure 1 Encrypting IMS

Resource and Cost Planning

Table 1 Resources and costs

| Resource | Description | Monthly Fee |
|---|---|---|
| OBS buckets | Billing mode: Yearly/Monthly; Resource package type: Standard storage (multi-AZ); Specifications: 100 GB; Quantity: 1 | For details about billing rules, see Billing Items. |
| IMS | Image type: System disk image; Billing mode: Free | Free. For details about billing rules, see Billing. |
| KMS | Billing mode: Pay-per-use; Key type: Default key. In this case, ims/default is used. | For details about billing rules, see Billing Items. |

Restrictions

  • An encrypted image cannot be shared with other users.
  • An encrypted image cannot be published in the Marketplace.
  • The key used for encrypting an image cannot be changed.
  • If the key used for encrypting an image is disabled or deleted, the image is unavailable.
  • The system disk of an ECS created using an encrypted image is also encrypted, and its key is the same as the image key.
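Because the key cannot be changed and a disabled or deleted key makes the image unavailable, it helps to check what depends on a key before touching it. The following is an added example, not code from the original page or from Huawei Cloud; the inventory is constructed, and its record layout, field names, and state strings are assumptions rather than IMS or KMS API output.

```python
# Constructed sample inventory; field names are hypothetical, not IMS/KMS API output.
KEYS = {
    "key-default": {"alias": "ims/default", "state": "enabled"},
    "key-a": {"alias": "team-a", "state": "disabled"},
}
IMAGES = [
    {"id": "img-1", "name": "win2019-gold", "key_id": "key-default"},
    {"id": "img-2", "name": "legacy-app", "key_id": "key-a"},
    {"id": "img-3", "name": "plain-base", "key_id": None},     # unencrypted image
    {"id": "img-4", "name": "orphan", "key_id": "key-gone"},   # key no longer exists
]
SERVERS = [
    {"id": "ecs-1", "image_id": "img-1"},
    {"id": "ecs-2", "image_id": "img-2"},
    {"id": "ecs-3", "image_id": "img-3"},
]


def unavailable_images(images, keys):
    """Return (image_id, key_id, state) for encrypted images whose key is
    disabled or missing from the key inventory (treated as deleted)."""
    out = []
    for img in images:
        kid = img["key_id"]
        if kid is None:  # unencrypted images do not depend on any key
            continue
        state = keys.get(kid, {}).get("state", "deleted")
        if state != "enabled":
            out.append((img["id"], kid, state))
    return out


def blast_radius(key_id, images, servers):
    """Images encrypted with key_id, plus ECSs created from those images,
    whose system disks use the same key as the image."""
    imgs = [i["id"] for i in images if i["key_id"] == key_id]
    ecs = [s["id"] for s in servers if s["image_id"] in imgs]
    return {"images": imgs, "servers": ecs}


if __name__ == "__main__":
    for image_id, key_id, state in unavailable_images(IMAGES, KEYS):
        print(f"{image_id}: key {key_id} is {state}, image unavailable")
    print("Depends on key-default:", blast_radius("key-default", IMAGES, SERVERS))
```

Run `blast_radius` for a key before disabling or deleting it, and `unavailable_images` afterwards to confirm nothing unexpected lost access.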

Method 1: Creating an Encrypted Image Using an External Image File

  1. Prepare an external image file.

  2. Upload the external image file to the OBS bucket. For details, see Creating a Windows System Disk Image from an External Image File.
  3. Create a private image. Log in to the IMS console. Click the Private Images tab and click Create Image in the upper right corner.

    • Type: Select Import Image.
    • Image Type: Select System disk image.
    • Select Image File: Select the bucket that stores the image file uploaded in Step 2.
    • Encryption: Select KMS encryption. The Select an existing key option is selected by default, and the default key name is ims/default.
    • For details about other parameters, see Creating a Windows System Disk Image from an External Image File.
    Figure 2 Encryption configuration

  4. Create an ECS using an image.

    For details, see Creating an ECS from an Image.

    Note the following when setting the parameters:

    • Region: Select the region where the private image is located.
    • Specifications: Select a flavor based on the OS type in the image and the OS versions described in OSs Supported by Different Types of ECSs.
    • Image: Select Private image and then choose the image created in Step 3 from the drop-down list.
    • (Optional) Data Disk: Add a data disk, which is created using the image that was created together with the system disk image. In this way, both the system disk data and the data disk data of the VM on the original platform can be migrated to the current cloud platform.

Method 2: Creating an Encrypted Image Using an Encrypted ECS

When you use an ECS to create a private image, if the system disk of the ECS is encrypted, the private image created using the ECS is also encrypted. The key used for encrypting the image is the one used for creating the system disk.

  1. Encrypt the EVS system disk. For details, see Encrypting Data in EVS.
  2. When purchasing an ECS, set Disk Type to the encrypted system disk in Step 1.
  3. Create a private image. Log in to the IMS console. Click the Private Images tab and click Create Image in the upper right corner.

    Figure 3 Creating a private image

  4. Click Next.

Related Operations

Using KMS to encrypt a private image (API): You can call IMS APIs to create an encrypted image. For details, see Image Management Service API Reference.