Encrypting Data in IMS
You can use KMS encryption to create private images in Image Management Service (IMS) to securely store data.
Scenario
An IMS image is a template used to create servers or disks. Image types include public images, private images, shared images, and KooGallery images. When you create a private image in IMS, you can use KMS encryption to ensure data security.
You can create an encrypted image in either of the following ways:
- Method 1: Create an encrypted image using an external image file.
When you register an image file as a private image, select KMS encryption and select a key.
- Method 2: Create an encrypted image using an encrypted ECS.
When you use an ECS to create a private image, if the system disk of the ECS is encrypted, the private image created using the ECS is also encrypted. The key used for encrypting the image must be the same as that used for encrypting the system disk.
This section describes how to use default KMS keys to encrypt IMS image files.
Solution Architecture
Figure 1 describes how to use KMS to encrypt an IMS image file.
Resource and Cost Planning
Resource | Description | Monthly Fee
---|---|---
OBS buckets | | For details about billing rules, see Billing Items.
IMS | | Free. For details about billing rules, see Billing.
KMS | | For details about billing rules, see Billing Items.
Restrictions
- An encrypted image cannot be shared with other users.
- An encrypted image cannot be published in the Marketplace.
- The key used for encrypting an image cannot be changed.
- If the key used for encrypting an image is disabled or deleted, the image is unavailable.
- The system disk of an ECS created using an encrypted image is also encrypted, and its key is the same as the image key.
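Because an image and every system disk created from it depend on one unchangeable key, it helps to list those dependencies before a key is disabled or deleted. The following Python is an added example, not part of the IMS documentation or any Huawei Cloud tooling; the record fields (`cmk_id`, `state`, `image`) and all sample records are assumptions constructed for illustration.

```python
# Added example. Field names are assumptions for a local inventory export,
# not IMS or KMS API output. All sample records are constructed.
from collections import defaultdict

USABLE_STATES = {"enabled"}

def audit_images(images, keys):
    """Classify private images by the state of the KMS key they depend on."""
    key_state = {k["id"]: k["state"] for k in keys}
    findings = {"unencrypted": [], "unavailable": [], "ok": []}
    for img in images:
        cmk = img.get("cmk_id")
        state = key_state.get(cmk, "deleted")  # key not in inventory: treat as deleted
        if not cmk:
            findings["unencrypted"].append(img["name"])
        elif state in USABLE_STATES:
            findings["ok"].append(img["name"])
        else:
            # Key disabled or deleted: per the restrictions, the image is unavailable.
            findings["unavailable"].append((img["name"], state))
    return findings

def dependents(images, servers):
    """Map each key ID to the images and ECS system disks that rely on it."""
    image_key = {i["name"]: i.get("cmk_id") for i in images}
    deps = defaultdict(lambda: {"images": [], "servers": []})
    for name, cmk in image_key.items():
        if cmk:
            deps[cmk]["images"].append(name)
    for srv in servers:
        cmk = image_key.get(srv["image"])
        if cmk:  # the system disk inherits the image key
            deps[cmk]["servers"].append(srv["name"])
    return dict(deps)

# Constructed sample inventory.
KEYS = [{"id": "key-a", "state": "enabled"}, {"id": "key-b", "state": "disabled"}]
IMAGES = [{"name": "web-base", "cmk_id": "key-a"}, {"name": "db-base", "cmk_id": "key-b"},
          {"name": "legacy", "cmk_id": "key-c"}, {"name": "scratch", "cmk_id": None}]
SERVERS = [{"name": "web-01", "image": "web-base"}, {"name": "db-01", "image": "db-base"},
           {"name": "tmp-01", "image": "scratch"}]

if __name__ == "__main__":
    print(audit_images(IMAGES, KEYS))
    print(dependents(IMAGES, SERVERS))
```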
Method 1: Creating an Encrypted Image Using an External Image File
1. Prepare an external image file.
   - For Windows, prepare an image by referring to Optimizing a Windows Private Image.
   - For Linux, prepare an image by referring to Optimizing a Linux Private Image.
2. Upload the external image file to the OBS bucket. For details, see Creating a Windows System Disk Image from an External Image File.
3. Create a private image. Log in to the IMS console. Click the Private Images tab and click Create Image in the upper right corner.
   - Type: Select Import Image.
   - Image Type: Select System disk image.
   - Select Image File: Select the bucket that stores the image file in Step 2.
   - Encryption: Select KMS encryption. "Select an existing key" is selected by default. The default key name is ims/default.
   - For details about other parameters, see Creating a Windows System Disk Image from an External Image File.

   Figure 2 Encryption configuration
4. Create an ECS using an image. For details, see Creating an ECS from an Image.

   Note the following when setting the parameters:
   - Region: Select the region where the private image is located.
   - Specifications: Select a flavor based on the OS type in the image and the OS versions described in OSs Supported by Different Types of ECSs.
   - Image: Select Private image and then choose the image created in Step 3 from the drop-down list.
   - (Optional) Data Disk: Add a data disk, which is created using the image created with the system disk image. In this way, the system disk and data disk data of the VM on the original platform can be migrated to the current cloud platform.
Method 2: Creating an Encrypted Image Using an Encrypted ECS
When you use an ECS to create a private image, if the system disk of the ECS is encrypted, the private image created using the ECS is also encrypted. The key used for encrypting the image is the one used for creating the system disk.
1. Encrypt the EVS system disk. For details, see Encrypting Data in EVS.
2. When purchasing an ECS, set Disk Type to the encrypted system disk in Step 1.
3. Create a private image. Log in to the IMS console. Click the Private Images tab and click Create Image in the upper right corner.
   - Type: Select Create Image.
   - Image Type: Select System disk image.
   - Source: Select the ECS purchased in Step 2 from the ECS list.
   - For details about other parameters, see Creating a Windows System Disk Image from an External Image File.

   Figure 3 Creating a private image
4. Click Next.
Related Operations
Using KMS to encrypt a private image (API): You can call IMS APIs to create an encrypted image. For details, see Image Management Service API Reference.