Managing Encrypted EVS Disks
Encryption Scenarios
- System disk encryption
System disks are purchased along with servers and cannot be purchased separately. So whether a system disk is encrypted or not depends on the image selected during the server creation. See the following table for details.
Table 1 Encryption relationship between images and system disks Creating Server Using Encrypted Image
Whether System Disk Will Be Encrypted
Description
Yes
Yes
For details, see Creating Encrypted Images.
No
No
If you want to use a non-encrypted image to create an encrypted system disk, replicate the image as an encrypted image and then use it to create a server. For details, see Replicating Images Within a Region.
- Data disk encryption
Data disks can be purchased along with servers or separately. Whether data disks are encrypted depends on their data sources. See the following table for details.
Table 2 Encryption relationship between backups, snapshots, images, and data disks Purchased On
Method of Purchase
Whether Data Disk Will Be Encrypted
Description
The ECS console
Purchased together with the server
Yes/No
When a data disk is purchased together with a server, you can choose to encrypt the disk or not. For details, see Getting Started > Creating an ECS > Step 1: Configure Basic Settings in the Elastic Cloud Server User Guide.
The EVS console
No data source selected
Yes/No
When an empty disk is created, you can choose whether to encrypt the disk or not. The encryption attribute of the disk cannot be changed after the disk has been created.
Creating from a backup
Yes/No
- When a disk is created from a backup, you can choose whether to encrypt the disk or not. The encryption attributes of the disk and backup do not need to be the same.
- When you create a backup for a system or data disk, the encryption attribute of the backup will be the same as that of the disk.
Creating from a snapshot
(The snapshot's source disk is encrypted.)
Yes
A snapshot created from an encrypted disk is also encrypted.
Creating from a snapshot
(The snapshot's source disk is not encrypted.)
No
A snapshot created from a non-encrypted disk is not encrypted.
Creating from an image
(The image's source disk is encrypted.)
Yes
-
Creating from an image
(The image's source disk is not encrypted.)
No
-
Constraints
Item |
Description |
---|---|
Types of disks supporting encryption |
All disk types |
Constraints on encrypted disks |
The encryption attribute of a disk cannot be changed after the disk is created, meaning that:
|
Constraints on user permissions |
When a user uses the encryption function, the condition varies depending on whether the user is the first one ever in the current region or project to use this function.
|
Constraints on encrypted images |
|
Creating an Encrypted EVS Disk
Before you use the encryption function, KMS access rights need to be granted to EVS. If you have the Security Administrator permissions, grant the KMS access rights to EVS directly. If you do not have this permission, contact a user with the security administrator permissions to grant KMS access rights to EVS and then select the encryption option to create an encrypted disk.
Detaching an Encrypted EVS Disk
Before you detach a disk encrypted by a custom key, check whether the custom key is disabled or scheduled for deletion.
- If the custom key is available, the disk can be detached and re-attached, and data on the disk will not be lost.
- If the custom key is unavailable, the disk can still be used, but there is no guarantee for how long it will be usable. If the disk is detached, it will be impossible to re-attach it later. In this case, do not detach the disk without a working custom key.
The restoration method varies depending on the key status. For details, see EVS Encryption.
For details about how to detach an encrypted disk, see Detaching a Data Disk.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot