EVS Encryption Overview
What Is EVS Encryption?
EVS enables you to encrypt data on newly created EVS disks as required.
EVS encryption uses the industry-standard XTS-AES-256 algorithm and Key Management Service (KMS) keys provided by Data Encryption Workshop (DEW) for encryption. With EVS encryption, you do not need to establish and maintain your own key management infrastructure. KMS uses the Hardware Security Module (HSM) that complies with FIPS 140-2 level 3 requirements to protect keys. All user keys are protected by the root key in HSM to prevent key exposure.
How EVS Encryption Works
The encryption system uses a two-layer key structure. The first-layer key is the customer master key (CMK), and the second-layer key is the data key (DK). The CMK encrypts and decrypts the DK to ensure their security in transit and at rest. The DK encrypts and decrypts service data. The details are as follows:
- Encrypt the DK
Before being used to encrypt service data, a DK is first encrypted by a CMK. Only encrypted DKs can be stored or transferred. If an attacker gains access to an encrypted DK and service data, it cannot decrypt data due to the lack of the CMK.
- Encrypt data in transit and at rest
To read encrypted data, a decryption request is first sent to KMS to obtain the plaintext DK. KMS verifies the request validity and then uses the CMK to decrypt the DK and returns the plaintext DK. The decryption is done in the memory, so the plaintext DK will not be persistently stored on any storage medium. The system then uses the plaintext DK in the memory to decrypt disk I/O data to ensure the security of data in transit and at rest.
Keys Used for EVS Encryption
- Default Key: A key that is automatically created by EVS through KMS and named evs/default.
It cannot be disabled and does not support scheduled deletion.
- Custom keys: Keys created by users. You can use existing keys or create new keys. For details, see "Key Management Service" > "Creating a CMK" in the Data Encryption Workshop User Guide.
- Shared keys: You can use DEW to create grants to share keys with other accounts. For details, see Creating a Grant.
When an encrypted disk is attached, EVS accesses KMS, and KMS sends the DK to the host memory for use. EVS uses the plaintext DK to encrypt and decrypt disk I/Os. The plaintext DK is only stored in the memory of the host housing the ECS and is not stored persistently on the media. If a custom key is disabled or scheduled for deletion in KMS, the disk encrypted using this custom key can still use the plaintext DK stored in the host memory. If this disk is later detached, the plaintext DK will be deleted from the memory, and data can no longer be read from or written to the disk. Before you re-attach this encrypted disk, ensure that the custom key is available.
| Custom Key Status | Impact | How to Restore |
|---|---|---|
| Disabled |
| Enable the custom key. For details, see Creating a Custom Key. |
| Scheduled deletion | Cancel the scheduled deletion for the custom key. For details, see Creating a Custom Key. | |
| Deleted | Data on the disks can never be restored. |
You will be billed for the custom keys you use. If pay-per-use keys are used, ensure that you have sufficient account balance. If yearly/monthly keys are used, renew your order timely. Or, your services may be interrupted and data may never be restored if encrypted disks become inaccessible.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot