El contenido no se encuentra disponible en el idioma seleccionado. Estamos trabajando continuamente para agregar más idiomas. Gracias por su apoyo.

Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

EVS Encryption

Updated on 2022-12-20 GMT+08:00

What Is EVS Encryption?

In case your services require encryption for the data stored on EVS disks, EVS provides you with the encryption function. You can encrypt newly created EVS disks. Keys used by encrypted EVS disks are provided by the Key Management Service (KMS), which is secure and convenient. Therefore, you do not need to establish and maintain the key management infrastructure.

Keys Used for EVS Encryption

The keys provided by KMS include a Default Master Key and Customer Master Keys (CMKs).
  • Default Master Key: A key that is automatically created by EVS through KMS and named evs/default.

    The Default Master Key cannot be disabled and does not support scheduled deletion.

  • CMKs: Keys created by users. You may use existing CMKs or create new CMKs to encrypt disks. For details, see Management > Creating a CMK in the Key Management Service User Guide.
If disks are encrypted using CMKs and a CMK is then disabled or scheduled for deletion, the disks encrypted by this CMK can no longer be read from or written to and data on these disks may never be restored. See Table 1 for more information.
Table 1 Impact of CMK unavailability

CMK Status

Impact

How to Restore

Disabled

  • For an encrypted disk already attached:

    The disk will become inaccessible after a period of time, or the disk data can never be restored. If the disk is detached later, it can never be attached again.

  • For an encrypted disk not attached:

    The disk cannot be attached anymore.

Enable the CMK. For details, see Managing CMKs > Enabling One or More CMKs in the Key Management Service User Guide.

Scheduled deletion

Cancel the scheduled deletion for the CMK. For details, see Managing CMKs > Canceling the Scheduled Deletion of One or More CMKs in the Key Management Service User Guide.

Deleted

Data on the disks can never be restored.

Relationships Between Encrypted Disks, Backups and Snapshots

The encryption function can be used to encrypt system disks, data disks, backups and snapshots. The details are as follows:
  • System disk encryption relies on the image that is used to create the server.
    • If an encrypted image is used to create the server, the system disk will be encrypted by default, and the system disk and image share the same encryption method. For details, see Managing Private Images > Encrypting Images in the Image Management Service User Guide.
    • If a non-encrypted image is used to create the server, you can determine whether to encrypt the system disk during the server creation. For details, see Getting Started > Creating an ECS > Step 1: Configure Basic Settings in the Elastic Cloud Server User Guide.
  • If an empty disk is created, you can determine whether to encrypt the disk or not. The encryption attribute of the disk cannot be changed after the disk has been created.
  • If a disk is created from a snapshot, the encryption attribute of the disk will be the same as that of the snapshot's source disk.
  • If a disk is created from a backup, the encryption attribute of the disk does not need to be the same as that of the backup.
  • If a snapshot is created for a disk, the encryption attribute of the snapshot is the same as that of the disk.

Who Can Use the Encryption Function?

  • The security administrator (having Security Administrator permissions) can grant the KMS access rights to EVS for using the encryption function.
  • When a user who does not have the Security Administrator permissions needs to use the encryption function, the condition varies depending on whether the user is the first one ever in the current region or project to use this function.
    • If the user is the first one ever in the current region or project to use this function, the user must contact a user having the Security Administrator permissions to grant the KMS access rights to EVS. Then, the user can use encryption.
    • If the user is not the first one ever in the current region or project to use this function, the user can use encryption directly.

From the perspective of a tenant, as long as the KMS access rights have been granted to EVS in a region, all the users in the same region can directly use the encryption function.

If there are multiple projects in the current region, the KMS access rights need to be granted to each project in this region.

Application Scenarios of EVS Encryption

Figure 1 shows the user relationships under regions and projects from the perspective of a tenant. The following example uses region B to describe the two scenarios of using the encryption function.

Figure 1 User relationships
  • If the security administrator uses the encryption function for the first time ever, the operation process is as follows:
    1. Grant the KMS access rights to EVS.

      After the KMS access rights have been granted, the system automatically creates a Default Master Key and names it evs/default. DMK can be used to encrypt EVS disks.

      NOTE:

      EVS encryption relies on KMS. When the encryption function is used for the first time ever, the KMS access rights need to be granted to EVS. After the KMS access rights have been granted, all users in this region can use the encryption function, without requiring the KMS access rights to be granted again.

    2. Select a key.
      You can select one of the following keys:
      • DMK: evs/default
      • CMKs: Existing or newly created CMKs. For details, see Creating a CMK in the Key Management Service User Guide.

    After the security administrator has used the encryption function, all users in Region B can directly use encryption.

  • If User E (common user) uses the encryption function for the first time ever, the operation process is as follows:
    1. When user E uses encryption, and the system prompts a message indicating that the KMS access rights have not been granted to EVS.
    2. Contact the security administrator to grant the KMS access rights to EVS.

    After the KMS access rights have been granted to EVS, User E as well as all users in Region B can directly use the encryption function and do not need to contact the security administrator to grant the KMS access rights to EVS again.

Utilizamos cookies para mejorar nuestro sitio y tu experiencia. Al continuar navegando en nuestro sitio, tú aceptas nuestra política de cookies. Descubre más

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback