Managing Encrypted EVS Disks
What Is EVS Disk Encryption?
EVS enables you to encrypt data on newly created disks as required. For details, see Purchasing an EVS Disk.
EVS encrypts disks with the industry-standard XTS-AES-256 cryptographic algorithm. The keys are provided by the Key Management Service (KMS) of Data Encryption Workshop (DEW), so you do not need to establish and maintain your own key management infrastructure. KMS protects keys with a Hardware Security Module (HSM) that complies with FIPS 140-2 level 3 requirements. All user keys are protected by the root key in the HSM to prevent key exposure.
Encryption Principles
The encryption system uses a two-layer key structure. The first-layer key is the customer master key (CMK), and the second-layer key is the data key (DK). The CMK encrypts and decrypts the DK to ensure its security in transit and at rest. The DK encrypts and decrypts service data. The details are as follows:
- Encrypt the DK
Before being used to encrypt service data, a DK is first encrypted by a CMK. Only encrypted DKs can be stored or transferred. If an attacker gains access to an encrypted DK and the service data, they cannot decrypt the data because they do not have the CMK.
- Encrypt data in transit and at rest
To read encrypted data, a decryption request is first sent to KMS to obtain the DK in plaintext. KMS verifies that the request is valid, uses the CMK to decrypt the DK, and returns the DK in plaintext. The decryption is done in memory, so the plaintext DK is never persistently stored on any storage medium. The system then uses the plaintext DK in memory to decrypt disk I/O data, which ensures the security of data in transit and at rest.
Keys Used for Disk Encryption
- Default Key: A key that is automatically created by EVS through KMS and named evs/default.
It cannot be disabled and does not support scheduled deletion.
- Custom keys: Keys created by users. You can use existing keys or create new ones to encrypt disks. For details, see "Key Management Service" > "Creating a CMK" in the Data Encryption Workshop User Guide.
- Shared keys: You can use DEW to create grants to share keys with other accounts. For details, see Creating a Grant.
When an encrypted disk is attached, EVS accesses KMS, and KMS sends the DK to the host memory for use. EVS uses the plaintext DK to encrypt and decrypt disk I/Os. The plaintext DK is only stored in the memory of the host housing the ECS and is not stored persistently on the media. If a custom key is disabled or deleted in KMS, the disk encrypted using this custom key can still use the plaintext DK stored in the host memory. If this disk is later detached, the plaintext DK will be deleted from the memory, and data can no longer be read from or written to the disk. Before you re-attach this encrypted disk, ensure that the custom key is enabled.
Custom Key Status | Impact | How to Restore |
---|---|---|
Disabled | | Enable the custom key. For details, see Enabling One or More Custom Keys. |
Scheduled deletion | | Cancel the scheduled deletion for the custom key. For details, see Canceling the Scheduled Deletion of One or More Custom Keys. |
Deleted | | Data on the disks can never be restored. |
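
The two-layer key structure and the attach/detach behaviour described above can be modelled in a few lines. This is an added example, not Huawei Cloud code or its API: `ToyKMS`, `Disk`, `stream` and `lifecycle` are hypothetical names, and a SHA-256 keystream stands in for AES so the model runs with only the standard library.

```python
import hashlib, os

def stream(key, nonce, data):
    # Stand-in cipher (SHA-256 keystream XOR); the real service uses AES.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class ToyKMS:  # hypothetical KMS model; the CMK never leaves this object
    def __init__(self):
        self._cmk, self.enabled = os.urandom(32), True
    def create_data_key(self):
        dk, nonce = os.urandom(32), os.urandom(16)
        return nonce + stream(self._cmk, nonce, dk)   # only the encrypted DK is stored
    def decrypt_data_key(self, wrapped):
        if not self.enabled:                          # KMS validates the request first
            raise PermissionError("CMK disabled or pending deletion")
        return stream(self._cmk, wrapped[:16], wrapped[16:])

class Disk:  # hypothetical encrypted disk; sectors hold ciphertext only
    def __init__(self, kms):
        self.kms, self.wrapped_dk = kms, kms.create_data_key()
        self.dk, self.sectors = None, {}              # plaintext DK exists only while attached
    def attach(self):
        self.dk = self.kms.decrypt_data_key(self.wrapped_dk)
    def detach(self):
        self.dk = None                                # plaintext DK dropped from host memory
    def io(self, n, data):                            # XOR stream: same call encrypts and decrypts
        if self.dk is None:
            raise RuntimeError("disk not attached")
        return stream(self.dk, n.to_bytes(8, "big"), data)

def lifecycle():
    kms = ToyKMS()
    disk = Disk(kms)
    disk.attach()
    disk.sectors[0] = disk.io(0, b"ledger row 1")     # constructed sample data
    kms.enabled = False                               # custom key disabled while attached
    readable_while_attached = disk.io(0, disk.sectors[0]) == b"ledger row 1"
    disk.detach()
    try:
        disk.attach()
        reattached = True
    except PermissionError:
        reattached = False                            # no usable CMK, no plaintext DK
    kms.enabled = True                                # key re-enabled before re-attaching
    disk.attach()
    return readable_while_attached, reattached, disk.io(0, disk.sectors[0])
```

`lifecycle()` returns `(True, False, b"ledger row 1")`: I/O continues after the key is disabled, re-attachment fails until the key is enabled again, and the data is readable once it is.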

You will be billed for the custom keys you use. If pay-per-use keys are used, ensure that you have sufficient account balance. If yearly/monthly keys are used, renew your order in time. Otherwise, your services may be interrupted, and data may never be restored if encrypted disks become inaccessible.
Encryption Scenarios
- System disk encryption
System disks are purchased along with servers and cannot be purchased separately. So whether a system disk is encrypted or not depends on the image you select when creating the server.
Table 2 Relationship between images and system disk encryption

Whether to Create Server from an Encrypted Image | Whether System Disk Will Be Encrypted | Description |
---|---|---|
Yes | Yes | For details, see Encrypting Images. |
No | No | If you want to use a non-encrypted image to create an encrypted system disk, replicate the image as an encrypted image and then use it to create a server. For details, see Replicating Images Within a Region. |
- Data disk encryption
Data disks can be purchased along with servers or separately. Whether data disks are encrypted or not depends on their data sources. See the following table for details.
Table 3 Relationship between backups, snapshots, images, and data disk encryption

Buy Disk On | Method of Purchase | Whether Data Disk Will Be Encrypted | Description |
---|---|---|---|
ECS console | Buying together with a server | Yes/No | When a data disk is purchased together with a server, you can choose to encrypt the disk or not. For details, see "Getting Started" > "Creating an ECS" > "Step 1: Configure Basic Settings" in the Elastic Cloud Server User Guide. |
EVS console | No data source selected | Yes/No | When an empty disk is created, you can choose whether to encrypt the disk or not. The encryption attribute of the disk cannot be changed after the disk has been created. |
EVS console | Creating from a backup | Yes/No | When a disk is created from a backup, you can choose whether to encrypt the disk or not. The encryption attributes of the disk and backup do not need to be the same. When you create a backup for a system or data disk, the encryption attribute of the backup will be the same as that of the disk. |
EVS console | Creating from a snapshot (The snapshot's source disk is encrypted.) | Yes | A snapshot created from an encrypted disk is also encrypted. |
EVS console | Creating from a snapshot (The snapshot's source disk is not encrypted.) | No | A snapshot created from a non-encrypted disk is not encrypted. |
EVS console | Creating from an image (The image's source disk is encrypted.) | Yes | - |
EVS console | Creating from an image (The image's source disk is not encrypted.) | No | - |
Constraints
Item | Description |
---|---|
Disk types supporting encryption | All disk types support encryption, but the encryption attribute of an existing disk cannot be changed. |
Disk encryption | |
User permissions | When a user uses encryption, the condition varies depending on whether the user is the first one ever in the current region or project to use this function. |
Image encryption | |
Billing
If KMS encryption is used, what you use beyond the free quota given by KMS will be billed. For details, see DEW Billing.
Creating an Encrypted EVS Disk
Before you use the encryption function, KMS access rights need to be granted to EVS. If you have the Security Administrator permissions, grant the KMS access rights to EVS directly. If you do not have this permission, contact a user with the security administrator permissions to grant KMS access rights to EVS and then select the encryption option to create an encrypted disk.
For details about how to create an encrypted disk, see Purchasing an EVS Disk.
Detaching an Encrypted EVS Disk
Before you detach a disk encrypted by a custom key, check whether the custom key is disabled or scheduled for deletion.
- If the custom key is available, the disk can be detached and re-attached, and data on the disk will not be lost.
- If the custom key is unavailable, the disk can still be used, but there is no guarantee for how long it will be usable. If the disk is detached, it will be impossible to re-attach it later. In this case, do not detach the disk without a working custom key.
The restoration method varies depending on the CMK status. For details, see Keys Used for Disk Encryption.
For details about how to detach an encrypted disk, see Detaching an EVS Disk.