Updated on 2026-06-16 GMT+08:00

Encrypting EVS Disks

Encrypting cloud disks ensures data privacy and control, making it ideal for scenarios that demand high security or compliance standards. This section describes how to use the keys managed by the Data Encryption Workshop (DEW) service to encrypt data on cloud disks. DEW builds cryptographic service resource pools based on Cloud-hosted Hardware Security Modules (Cloud HSMs) certified by the State Cryptography Administration (SCA) to centrally manage, control, and schedule cryptographic resources on the cloud. It provides users with Virtual Security Modules (VSMs) on demand and interconnects with service applications to implement security functions such as data encryption and decryption, signature verification, key creation, and secure key storage.

Prerequisites

Automatically Creating an Encrypted EVS Volume

CCE allows you to dynamically create encrypted EVS volumes using the console or kubectl to protect data privacy and autonomy.

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. Dynamically create a PVC and PV.

    1. Choose Storage in the navigation pane. In the right pane, click the PVCs tab. Click Create PVC in the upper right corner. On the slide-out panel, configure PVC parameters.
    2. Select EVS for the StorageClass, enable encryption, and choose a key. Configure other parameters based on service requirements. For details, see Using an EVS Disk Through a Dynamic PV.
      Figure 1 Encrypted storage volume
    3. Click Create.

  3. Go to the PVCs tab and check whether the PVC of the encrypted EVS volume is created and the volume is encrypted.

    Figure 2 Encrypted PVC

    The method of using an encrypted PVC is the same as that of using a regular PVC.

  1. Use kubectl to access the cluster.
  2. Create the pvc-evs-auto.yaml file. For details, see Using kubectl.

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: pvc-evs-auto
      namespace: default
      annotations:
        everest.io/disk-volume-type: SAS    # EVS disk type
        everest.io/crypt-key-id: 37f202db-a970-4ac1-a506-e5c4f2d7ce69   # Encryption key ID, which can be obtained from DEW
      labels:
        failure-domain.beta.kubernetes.io/region: <your_region>   # Region of the node where the application is to be deployed
        failure-domain.beta.kubernetes.io/zone: <your_zone>       # AZ of the node where the application is to be deployed
    spec:
      accessModes:
      - ReadWriteOnce               # The value must be ReadWriteOnce for EVS disks.
      resources:
        requests:
          storage: 10Gi             # EVS disk capacity, ranging from 1 to 32768
      storageClassName: csi-disk    # The StorageClass is EVS.
    Table 1 Encryption parameters

    Parameter

    Example Value

    Description

    everest.io/crypt-key-id

    37f202db-a970-4ac1-a506-e5c4f2d7ce69

    ID of an encryption key, which can be obtained from DEW.

  3. Run the following command to create a PVC:

    kubectl apply -f pvc-evs-auto.yaml

  4. Go to the PVCs tab and check whether the PVC of the encrypted EVS volume is created and the volume is encrypted.