Updated on 2023-08-04 GMT+08:00

Managing Encrypted Disks

Relationships Between Encrypted Disks and Backups

The encryption function can be used to encrypt system disks, data disks, and backups. The details are as follows:

  • System disk encryption depends on the image of the server OS. If the server is created from an encrypted image, the system disk will be an encrypted disk. For details, see Encrypting an Image in the Image Management Service User Guide.
  • The encryption attribute of an existing disk cannot be changed. When you create a new disk, you can choose whether to encrypt it.
  • When a disk is created from a backup, the encryption attribute of the new disk will be consistent with that of the backup's source disk.
  • When a backup is created for a disk, the encryption attribute of the backup is the same as that of the disk.

For details about how to create encrypted disks, see Create a Disk.

Creating Encrypted Disks

Before you use the disk encryption function, KMS access rights must be granted to EVS. If you have the Security Administrator permission, you can grant the KMS access rights directly. If you do not have this permission, contact a user with the Security Administrator permission to grant KMS access rights to EVS, and then repeat the preceding operations.

For details about how to create encrypted disks, see Create a Disk.

Detaching Encrypted Disks

Before you detach a disk encrypted by a custom key, check whether the custom key is disabled or scheduled for deletion. If the custom key is unavailable, the disk can still be used, but normal read/write operations are not guaranteed permanently. In addition, if the disk is detached, re-attaching it will fail. In this case, do not detach the disk. Restore the custom key status first.

The restoration method varies depending on the current CMK status. For details, see Disk Encryption.

If the custom key is available, the disk can be detached and re-attached, and data on the disk will not be lost.

For details about how to detach an encrypted disk, see Detaching a Data Disk.
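
The pre-detach check described in this section, written as an added example that is not part of the original documentation and does not use the EVS or KMS API. The field names (`id`, `encrypted`, `key_id`), the key state strings, and the sample inventory are constructed assumptions; an unknown key status is treated as unavailable.

```python
# Added example. Field names and state strings are assumptions for illustration,
# not the schema returned by EVS or KMS.

def detach_decision(disk, key_states):
    """Return (allowed, reason) for detaching one disk.

    disk:       dict with "id", "encrypted" and optional "key_id"
    key_states: dict mapping custom key id -> "enabled", "disabled"
                or "pending_deletion", taken from your own key inventory
    """
    if not disk.get("encrypted"):
        return True, "disk is not encrypted"
    key_id = disk.get("key_id")
    if key_id is None:
        # Fail closed: an encrypted disk with no recorded key needs a manual check.
        return False, "no key recorded for encrypted disk; verify before detaching"
    state = key_states.get(key_id)
    if state == "enabled":
        return True, f"key {key_id} is available"
    if state in ("disabled", "pending_deletion"):
        # Re-attaching would fail, so keep the disk attached and restore the key.
        return False, f"key {key_id} is {state}; restore the key before detaching"
    # Fail closed on a missing or unrecognised status.
    return False, f"status of key {key_id} is unknown; verify before detaching"

def detach_plan(disks, key_states):
    """Split disks into those safe to detach and those blocked, with reasons."""
    plan = {"detach": [], "blocked": {}}
    for disk in disks:
        allowed, reason = detach_decision(disk, key_states)
        if allowed:
            plan["detach"].append(disk["id"])
        else:
            plan["blocked"][disk["id"]] = reason
    return plan

# Constructed sample inventory (not real resource identifiers).
SAMPLE_KEYS = {"key-a": "enabled", "key-b": "disabled", "key-c": "pending_deletion"}
SAMPLE_DISKS = [
    {"id": "vol-1", "encrypted": True, "key_id": "key-a"},
    {"id": "vol-2", "encrypted": True, "key_id": "key-b"},
    {"id": "vol-3", "encrypted": True, "key_id": "key-c"},
    {"id": "vol-4", "encrypted": False},
    {"id": "vol-5", "encrypted": True, "key_id": "key-missing"},
]

if __name__ == "__main__":
    result = detach_plan(SAMPLE_DISKS, SAMPLE_KEYS)
    print("safe to detach:", result["detach"])
    for disk_id, reason in result["blocked"].items():
        print(f"blocked {disk_id}: {reason}")
```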