Disk Encryption
Overview
You can use Elastic Volume Service (EVS) to encrypt disks created during desktop purchase or when data disks are added to existing desktops. The keys used for encrypting disks are provided by the Key Management Service (KMS) of Data Encryption Workshop (DEW). The following keys are supported. For details, see Managing Encrypted EVS Disks.
- Default key: The key that is automatically created by EVS through KMS and named evs/default. The default key cannot be disabled and does not support scheduled deletion.
- Custom key: A key created by the user. You can select an existing key or create one. For details, see "Key Management Service" > "Creating a Key" in the Data Encryption Workshop (DEW) User Guide.
- Shared key: You can use DEW to create grants to share keys with other accounts. For details, see Creating a Grant.
- Key sharing through resources: You can use resource sharing in Resource Access Manager (RAM) to share your keys with other accounts. For details, see Sharing Your Resources.
For yearly/monthly cloud desktops, you cannot use RAM to share keys across projects under the same account.
Scenarios
- During desktop creation, if you select encryption, encryption will be enabled for the system disk and data disks by default.
- When adding a data disk to a desktop, if you select encryption, encryption will be enabled for the new data disk by default. You can determine whether to encrypt new data disks, but cannot change the encryption setting of existing data disks.