EVS Encryption Overview
What Is EVS Encryption?
EVS enables you to encrypt data on newly created EVS disks as required.
EVS encryption uses the industry-standard XTS-AES-256 algorithm and Key Management Service (KMS) keys provided by Data Encryption Workshop (DEW). With EVS encryption, you do not need to establish and maintain your own key management infrastructure. KMS protects keys with a Hardware Security Module (HSM) that complies with FIPS 140-2 Level 3 requirements. All user keys are protected by the root key in the HSM to prevent key exposure.
How EVS Encryption Works
The encryption system uses a two-layer key structure. The first-layer key is the customer master key (CMK), and the second-layer key is the data key (DK). The CMK encrypts and decrypts the DK to keep the DK secure in transit and at rest. The DK encrypts and decrypts service data. The details are as follows:
- Encrypt the DK
  Before being used to encrypt service data, a DK is first encrypted by a CMK. Only encrypted DKs can be stored or transferred. If an attacker gains access to an encrypted DK and the service data, the attacker cannot decrypt the data without the CMK.
- Encrypt data in transit and at rest
  To read encrypted data, a decryption request is first sent to KMS to obtain the plaintext DK. KMS verifies that the request is valid, uses the CMK to decrypt the DK, and returns the plaintext DK. Decryption is done in memory, so the plaintext DK is never persistently stored on any storage medium. The system then uses the plaintext DK in memory to decrypt disk I/O data, which keeps data secure in transit and at rest.
Keys Used for EVS Encryption
- Default key: A key that is automatically created by EVS through KMS and named evs/default. It cannot be disabled and does not support scheduled deletion.
- Custom keys: Keys created by users. You can use existing keys or create new keys. For details, see "Key Management Service" > "Creating a CMK" in the Data Encryption Workshop User Guide.
- Shared keys: You can use DEW to create grants to share keys with other accounts. For details, see Creating a Grant.
When an encrypted disk is attached, EVS accesses KMS, and KMS sends the DK to the host memory for use. EVS uses the plaintext DK to encrypt and decrypt disk I/Os. The plaintext DK is only stored in the memory of the host housing the ECS and is not stored persistently on the media. If a custom key is disabled or scheduled for deletion in KMS, the disk encrypted using this custom key can still use the plaintext DK stored in the host memory. If this disk is later detached, the plaintext DK will be deleted from the memory, and data can no longer be read from or written to the disk. Before you re-attach this encrypted disk, ensure that the custom key is available.
| Custom Key Status | Impact | How to Restore |
|---|---|---|
| Disabled | | Enable the custom key. For details, see Creating a Custom Key. |
| Scheduled deletion | | Cancel the scheduled deletion for the custom key. For details, see Creating a Custom Key. |
| Deleted | | Data on the disks can never be restored. |
You will be billed for the custom keys you use. If pay-per-use keys are used, ensure that you have sufficient account balance. If yearly/monthly keys are used, renew your order in time. Otherwise, your services may be interrupted, and data may never be restored if encrypted disks become inaccessible.
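The two-layer key flow and the disabled-key behaviour described above, as an added Python sketch (not Huawei Cloud code and not the KMS or EVS API). `ToyKMS` and its methods, the 512-byte sector, the sector number as XTS tweak, and AES key wrap as the way the CMK protects the DK are assumptions made for illustration; it needs the `cryptography` package.

```python
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap

SECTOR = 512  # bytes per sector (assumed for this sketch)

class ToyKMS:
    """Hypothetical stand-in for KMS: the CMK never leaves this object."""
    def __init__(self):
        self._cmk = os.urandom(32)  # first-layer key (CMK)
        self.enabled = True         # models the "Disabled" key status

    def create_datakey(self):
        dk = os.urandom(64)         # XTS-AES-256 key: two 256-bit halves
        return dk, aes_key_wrap(self._cmk, dk)  # (plaintext DK, encrypted DK)

    def decrypt_datakey(self, wrapped_dk):
        if not self.enabled:        # request validity check, reduced to key status
            raise PermissionError("CMK is disabled")
        return aes_key_unwrap(self._cmk, wrapped_dk)

def _xts(dk, sector_no):
    # The sector number is the tweak, so equal plaintext in different
    # sectors produces different ciphertext.
    return Cipher(algorithms.AES(dk), modes.XTS(sector_no.to_bytes(16, "little")))

def write_sector(dk, sector_no, data):
    enc = _xts(dk, sector_no).encryptor()
    return enc.update(data) + enc.finalize()

def read_sector(dk, sector_no, blob):
    dec = _xts(dk, sector_no).decryptor()
    return dec.update(blob) + dec.finalize()

def demo():
    kms = ToyKMS()
    dk, wrapped = kms.create_datakey()         # disk created: only `wrapped` is stored
    blob = write_sector(dk, 7, b"A" * SECTOR)  # attached: I/O uses the in-memory DK
    del dk                                     # detached: plaintext DK is gone
    kms.enabled = False                        # custom key disabled in KMS
    try:
        kms.decrypt_datakey(wrapped)           # re-attach attempt
        blocked = False
    except PermissionError:
        blocked = True
    kms.enabled = True                         # restore: enable the custom key
    dk = kms.decrypt_datakey(wrapped)
    return blocked, read_sector(dk, 7, blob) == b"A" * SECTOR
```

`demo()` returns whether the re-attach was blocked while the key was disabled and whether the sector decrypted correctly once the key was enabled again.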
Relationships Between EVS Encryption, Snapshots, Backups, and Images
- System disk encryption relies on the image that is used to create the server.
  - If an encrypted image is used to create the server, the system disk will be encrypted by default, and the system disk and image share the same encryption method. For details, see Encrypting Images.
  - If a non-encrypted image is used to create the server, you can determine whether to encrypt the system disk or not during the server creation. For details, see "Getting Started" > "Creating an ECS" > "Step 1: Configure Basic Settings" in the Elastic Cloud Server User Guide.
  - If a non-encrypted image is used and you want an encrypted system disk, first replicate the non-encrypted image to be an encrypted one, create the server, and then create the encrypted system disk. For details, see Replicating Images Within a Region.
- If an empty disk is created, you can determine whether to encrypt the disk or not. The encryption attribute of the disk cannot be changed after the disk has been created.
- If a disk is created from a snapshot, the encryption attribute of the disk will be the same as that of the snapshot's source disk.
- If a disk is created from a backup, the encryption attribute of the disk does not need to be the same as that of the backup.
- If a disk is created from an image, the encryption attribute of the disk will be the same as that of the image's source disk.
- If a backup is created for a disk, the encryption attribute of the backup will be the same as that of the disk.
- If a snapshot is created for a disk, the encryption attribute of the snapshot is the same as that of the disk.
Relationships Between EVS Encryption and Backups
- System disk encryption relies on the image that is used to create the server.
  - If an encrypted image is used to create the server, the system disk will be encrypted by default, and the system disk and image share the same encryption method. For details, see "Managing Private Images" > "Encrypting Images" in the Image Management Service User Guide.
  - If a non-encrypted image is used to create the server, you can determine whether to encrypt the system disk or not during the server creation. For details, see "Getting Started" > "Creating an ECS" > "Step 1: Configure Basic Settings" in the Elastic Cloud Server User Guide.
- If an empty disk is created, you can determine whether to encrypt the disk or not. The encryption attribute of the disk cannot be changed after the disk has been created.
- If a disk is created from a backup, the encryption attribute of the disk does not need to be the same as that of the backup.
- If a backup is created for a disk, the encryption attribute of the backup will be the same as that of the disk.