Creating an Encrypted EVS Disk
EVS enables you to encrypt data on newly created disks as required.
Disk Encryption Scenarios
- System disk encryption
System disks are purchased along with servers and cannot be purchased separately. So, whether a system disk is encrypted or not depends on the image you select when creating the server.
Table 1 Relationship between images and system disk encryption

| Whether to Encrypt System Disk When Purchasing Server | Whether to Create Server from an Encrypted Image | Whether System Disk Will Be Encrypted | Description |
|---|---|---|---|
| Yes (key A) | Yes (key B) | Yes (key A) | To encrypt system disks during the server purchase, see Purchasing an ECS in Custom Config Mode. For details about how to encrypt images, see Encrypting Images. |
| Yes (key A) | No | Yes (key A) | To encrypt system disks during the server purchase, see Purchasing an ECS in Custom Config Mode. |
| No | Yes (key B) | Yes (key B) | For details about how to encrypt images, see Encrypting Images. |
| No | No | No | If you want to use a non-encrypted image to create an encrypted system disk, replicate the image as an encrypted image and then use it to create a server. For details, see Replicating Images Within a Region. |
- Data disk encryption (default encryption disabled)
Data disks can be purchased along with servers or separately. Whether data disks are encrypted or not depends on their data sources. See the following table for details.
Table 2 Relationship between backups, snapshots, images, and data disk encryption

| Buy Disk On | Method of Purchase | Whether Data Disk Will Be Encrypted | Description |
|---|---|---|---|
| ECS console | Buying together with a server | Yes/No | When a data disk is purchased together with a server, you can choose to encrypt the disk or not. For details, see "Getting Started" > "Creating an ECS" > "Step 1: Configure Basic Settings" in the Elastic Cloud Server User Guide. |
| EVS console | No data source selected | Yes/No | When an empty disk is created, you can choose whether to encrypt the disk or not. The encryption attribute of the disk cannot be changed after the disk has been created. |
| EVS console | Creating from a backup | Yes/No | When a disk is created from a backup, you can choose whether to encrypt the disk or not. The encryption attributes of the disk and backup do not need to be the same. When you create a backup for a system or data disk, the encryption attribute of the backup will be the same as that of the disk. |
| EVS console | Creating from a snapshot (The snapshot's source disk is encrypted.) | Yes | A snapshot created from an encrypted disk is also encrypted. |
| EVS console | Creating from a snapshot (The snapshot's source disk is not encrypted.) | No | A snapshot created from a non-encrypted disk is not encrypted. |
| EVS console | Creating from an image (The image's source disk is encrypted.) | Yes | - |
| EVS console | Creating from an image (The image's source disk is not encrypted.) | No | - |
- Data disk encryption (default encryption enabled)
Data disks can be purchased with servers or separately. Whether data disks are encrypted or not depends on their creation scenarios and data sources. For how to enable default encryption, see Configuring Default Encryption.
Table 3 Relationship between backups, snapshots, images, and data disk encryption

| Creation Scenario | Whether Data Source Is Encrypted | Whether Data Disk Will Be Encrypted | Description |
|---|---|---|---|
| Creating together with a server | Empty disk | Yes | You can use the key preset for default encryption or change the key as required. |
| No data source selected | Empty disk | Yes | You can use the key preset for default encryption or change the key as required. |
| Creating from a legacy snapshot | Non-encrypted | No | Encryption is not supported. |
| Creating from a legacy snapshot | Encrypted | Yes | The key of the snapshot is inherited. |
| Creating from a standard snapshot (Instant Snapshot Restore is enabled, but data upload is not complete) | Non-encrypted | No | Encryption is not supported. |
| Creating from a standard snapshot (Instant Snapshot Restore is enabled, but data upload is not complete) | Encrypted | Yes | The key of the snapshot is inherited. |
| Creating from a standard snapshot (data upload is complete) | Non-encrypted | Yes | You can use the key preset for default encryption or change the key as required. |
| Creating from a standard snapshot (data upload is complete) | Encrypted | Yes | You can use the key preset for default encryption or change the key as required. |
| Creating from a private image | Non-encrypted | Yes | You can use the key preset for default encryption or change the key as required. |
| Creating from a private image | Encrypted | Yes | You can use the key preset for default encryption or change the key as required. |
| Creating from a public image | Non-encrypted | Yes | You can use the key preset for default encryption or change the key as required. |
| Creating from a public image | Encrypted | Yes | You can use the key preset for default encryption or change the key as required. |
| Creating from a disk backup (shared or non-shared) | Non-encrypted | Yes | You can use the key preset for default encryption or change the key as required. |
| Creating from a disk backup (shared or non-shared) | Encrypted | Yes | You can use the key preset for default encryption or change the key as required. |
Constraints
| Item | Description |
|---|---|
| Disk types supporting encryption | All disk types support encryption, but the encryption attribute of an existing disk cannot be changed. |
| Disk encryption | |
| User permissions | When a user uses encryption, the condition varies depending on whether the user is the first one ever in the current region or project to use this function. |
| Image encryption | |
Billing
If KMS encryption is used, what you use beyond the free quota given by KMS will be billed. For details, see DEW Billing.
Creating an Encrypted EVS Disk
Before you use the encryption function, KMS access permissions need to be granted to EVS. If you have the Security Administrator permissions, grant the KMS access rights to EVS directly. If you do not have this permission, contact a user with the security administrator permissions to grant KMS access rights to EVS and then select the encryption option to create an encrypted disk.
For details about how to create an encrypted disk, see Purchasing an EVS Disk.
You can use encrypted system disks immediately after they are created. You need to attach and initialize encrypted data disks after they are created.
| Step | Description |
|---|---|
| Step 1: Attach the disk. | If you choose not to attach the disk when purchasing the disk, you need to manually attach it later. |
| Step 2: Initialize the disk. | The procedure for initializing a newly created empty data disk differs from that for a data disk with data on it. For details, see Initialization Overview. |
Detaching an Encrypted EVS Disk
Before you detach a disk encrypted by a custom key, check whether the custom key is disabled or scheduled for deletion.
- If the custom key is available, the disk can be detached and re-attached, and data on the disk will not be lost.
- If the custom key is unavailable, the disk can still be used, but there is no guarantee for how long it will be usable. If the disk is detached, it will be impossible to re-attach it later. In this case, do not detach the disk without a working custom key.
The restoration method varies depending on the CMK status. For details, see Keys Used for EVS Encryption.
For details about how to detach an encrypted disk, see Detaching an EVS Disk.
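The pre-detach check described above can be run across a whole inventory before a maintenance window. The following is an added example, not code from the EVS or KMS documentation: the record fields (`encrypted`, `cmk_id`, `attached_to`), the key state names, and the sample inventory are all hypothetical and constructed, and a real run would populate them from your own disk and key listings.

```python
# Added example. Field names and key state names are hypothetical,
# not EVS or KMS API fields. The inventory below is constructed.
from collections import defaultdict

DISKS = [  # constructed sample inventory
    {"id": "disk-app", "encrypted": True, "cmk_id": "key-a", "attached_to": "ecs-1"},
    {"id": "disk-db", "encrypted": True, "cmk_id": "key-b", "attached_to": "ecs-2"},
    {"id": "disk-old", "encrypted": True, "cmk_id": "key-c", "attached_to": None},
    {"id": "disk-tmp", "encrypted": False, "cmk_id": None, "attached_to": "ecs-1"},
    {"id": "disk-lost", "encrypted": True, "cmk_id": "key-gone", "attached_to": "ecs-3"},
]
# Constructed key states: enabled, disabled, or scheduled for deletion.
KEYS = {"key-a": "enabled", "key-b": "disabled", "key-c": "pending_deletion"}


def detach_verdict(disk, key_states):
    """Classify one disk according to the state of its custom key."""
    if not disk["encrypted"]:
        return "ok"
    # A key missing from the listing is treated as unavailable (fail closed).
    state = key_states.get(disk["cmk_id"], "unknown")
    if state == "enabled":
        return "ok"  # can be detached and re-attached without data loss
    if disk["attached_to"]:
        return "do-not-detach"  # still usable, but a detach cannot be undone
    return "cannot-reattach"  # already detached while its key is unavailable


def audit(disks, key_states):
    """Return per-disk verdicts and, per key, the disks blocked by that key."""
    verdicts = {d["id"]: detach_verdict(d, key_states) for d in disks}
    blocked = defaultdict(list)
    for d in disks:
        if verdicts[d["id"]] != "ok":
            blocked[d["cmk_id"]].append(d["id"])
    return verdicts, dict(blocked)


if __name__ == "__main__":
    verdicts, blocked = audit(DISKS, KEYS)
    for disk_id, verdict in verdicts.items():
        print(f"{disk_id:10} {verdict}")
    for key_id, disk_ids in blocked.items():
        print(f"restore {key_id} before touching: {', '.join(disk_ids)}")
```

Grouping the blocked disks by key shows which single key restoration unblocks which disks, which is the order to work in before any detach is attempted.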
Related Links
- To learn more about KMS keys, see KMS Overview.
- To learn more about encryption principles, see EVS Encryption Overview.