Updated on 2022-03-18 GMT+08:00

Encrypting Data in IMS

You can create an encrypted image in Image Management Service (IMS) to securely store data.

Restrictions

  • DEW must be enabled.
  • An encrypted image cannot be shared with other users.
  • An encrypted image cannot be published in the Marketplace.
  • If an ECS has an encrypted system disk, the private image created using the ECS is also encrypted.
  • The key used for encrypting an image cannot be changed.
  • If the key used for encrypting an image is disabled or deleted, the image is unavailable.
  • The system disk of an ECS created using an encrypted image is also encrypted, and its key is the same as the image key.

Using KMS to Encrypt a Private Image (on the Console)

You can create an encrypted image using an encrypted ECS or an external image file.

  • Create an encrypted image using an encrypted ECS.

    When you use an ECS to create a private image, if the system disk of the ECS is encrypted, the private image created using the ECS is also encrypted. The key used for encrypting the image is the one used for creating the system disk.

  • Create an encrypted image using an external image file.

    When you create a private image from an external image file that has been uploaded to an OBS bucket, you can select KMS encryption during image registration to encrypt the image.

    When uploading an image file, you can select KMS encryption and use a key provided by KMS to encrypt the uploaded file, as shown in Figure 1.
    1. On the IMS management console, click Create Private Image.
    2. Set Type to System disk image.
    3. Set Source to Image File.
    4. Select KMS encryption.
      Figure 1 Encrypting data in IMS
      Select either of the following types of keys from the Key Name drop-down list:
      • Default Master Key ims/default created by KMS
      • An existing or new CMK. For details about how to create one, see Creating a CMK.
    5. Configure other parameters. For details about the parameters, see Registering an Image.

Using KMS to Encrypt a Private Image (Through an API)

You can call the required API of IMS to encrypt the image file. For details, see Image Management Service API Reference.