
User Encryption

User encryption allows you to use the encryption feature provided on the public cloud platform to encrypt ECS resources, improving data security. User encryption includes image encryption and EVS disk encryption.

Image Encryption

Image encryption applies to private images. When creating an ECS, if you select an encrypted image, the system disk of the created ECS automatically has encryption enabled, so the system disk is encrypted and data security is improved.

Use either of the following methods to create an encrypted image:

  • Create an encrypted image using an existing encrypted ECS.
  • Create an encrypted image using an external image file.

For more information about image encryption, see Image Management Service User Guide.

EVS Disk Encryption

EVS disk encryption supports system disk encryption and data disk encryption.

  • When creating an ECS, you can encrypt added data disks.
  • System disk encryption relies on the image. When creating an ECS, if you select an encrypted image, the system disk of the created ECS automatically has encryption enabled, and its encryption mode matches the encryption mode of the image.

For more information about EVS disk encryption, see Elastic Volume Service User Guide.

Impact on AS

If you use an encrypted ECS to create an Auto Scaling (AS) configuration, the encryption mode of the created AS configuration follows the encryption mode of the ECS.

About Keys

The key used for encryption relies on the Key Management Service (KMS). KMS uses a data encryption key (DEK) to encrypt data and a customer master key (CMK) to encrypt the DEK.

Figure 1 Data encryption process

Table 1 describes the keys involved in the data encryption process.

Table 1 Keys

Name | Description | Function
DEK | An encryption key that is used for encrypting data. | Encrypts specific data.
CMK | An encryption key created using KMS for encrypting DEKs. A CMK can encrypt multiple DEKs. | Supports CMK disabling and scheduled deletion.
Default CMK | A master key automatically generated by the system when you use KMS for encryption for the first time. The name extension of a default CMK is /default, for example, evs/default. | Supports viewing details of the default CMK on the KMS console. Does not support CMK disabling or scheduled deletion.

NOTE:

After a CMK is disabled or its scheduled deletion takes effect, an EVS disk encrypted using that CMK can still be used until the disk is detached from an ECS and attached again. The attach operation then fails because the CMK cannot be obtained, so the EVS disk becomes unavailable.

For details about KMS, see Key Management Service User Guide.
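The DEK/CMK split described above is envelope encryption: the CMK never encrypts disk data directly, it only wraps the DEK that does, and the DEK must be unwrapped through KMS each time the disk is attached. The following Python example is added here to illustrate that flow and the consequence spelled out in the note; it is not code from Huawei Cloud, KMS or EVS. The KmsStub class, the seal/unseal helpers (an HMAC-SHA256 keystream with encrypt-then-MAC, used only as a stand-in for the AES-based encryption a real KMS provides) and the disk dictionary layout are all constructed for this example.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    # Counter-mode keystream derived with HMAC-SHA256 (stand-in for a block cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC. Constructed stand-in for AES-GCM, not for production use."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KmsStub:
    """Minimal model of the KMS control plane (constructed for this example)."""

    def __init__(self):
        self._cmks = {}  # cmk_id -> {"key": bytes, "enabled": bool}

    def create_cmk(self, cmk_id):
        self._cmks[cmk_id] = {"key": secrets.token_bytes(32), "enabled": True}
        return cmk_id

    def disable_cmk(self, cmk_id):
        # Disabling (or scheduled deletion taking effect) makes the CMK unusable for unwrap.
        self._cmks[cmk_id]["enabled"] = False

    def _key(self, cmk_id):
        entry = self._cmks[cmk_id]
        if not entry["enabled"]:
            raise PermissionError(f"CMK {cmk_id} is disabled or pending deletion")
        return entry["key"]

    def generate_data_key(self, cmk_id):
        """Return (plaintext DEK, DEK wrapped under the CMK)."""
        dek = secrets.token_bytes(32)
        return dek, seal(self._key(cmk_id), dek)

    def decrypt_data_key(self, cmk_id, wrapped_dek):
        """Unwrap a DEK; fails if the CMK is no longer available."""
        return unseal(self._key(cmk_id), wrapped_dek)


def create_encrypted_disk(kms, cmk_id, contents):
    # Disk creation: KMS issues a DEK, data is sealed with it, only the wrapped DEK is stored.
    dek, wrapped_dek = kms.generate_data_key(cmk_id)
    return {"cmk_id": cmk_id, "wrapped_dek": wrapped_dek, "ciphertext": seal(dek, contents)}


def attach_disk(kms, disk):
    # Attach: the DEK must be unwrapped via the CMK before any block can be read.
    dek = kms.decrypt_data_key(disk["cmk_id"], disk["wrapped_dek"])
    return unseal(dek, disk["ciphertext"])


def demo():
    kms = KmsStub()
    cmk = kms.create_cmk("evs/default")  # name mirrors the page's default-CMK example
    disk = create_encrypted_disk(kms, cmk, b"constructed block device contents")
    first_attach = attach_disk(kms, disk)  # works while the CMK is enabled
    kms.disable_cmk(cmk)
    try:
        attach_disk(kms, disk)
        second_attach = "attached"
    except PermissionError:
        second_attach = "attach failed: CMK unavailable"
    return first_attach, second_attach


if __name__ == "__main__":
    print(demo())
```

The point to take from demo() is operational: the ciphertext on the disk is intact after the CMK is disabled, and a disk that is already attached keeps working because the unwrapped DEK is held in memory, but the next attach needs KMS to unwrap the DEK again and fails. Re-enabling the CMK (or cancelling the scheduled deletion) before the next detach/attach cycle is therefore the recovery path to plan for.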