EVS Disk Encryption

What Is EVS Disk Encryption

If your services require the data stored on EVS disks to be encrypted, EVS provides an encryption function for newly created disks. The keys used by encrypted EVS disks are provided by the Key Management Service (KMS), which is secure and convenient: you do not need to build or maintain your own key management infrastructure.

Keys Used for EVS Disk Encryption

The keys provided by KMS for disk encryption include a Default Master Key and Customer Master Keys (CMKs).

  • Default Master Key: A key that is automatically created by EVS through KMS and named evs/default.

    The Default Master Key cannot be disabled and does not support scheduled deletion.

  • CMKs: Keys created by users. You may use existing CMKs or create new CMKs to encrypt disks. For details, see Management > Creating a CMK in the Key Management Service User Guide.
    If disks are encrypted using a CMK and that CMK is later disabled or scheduled for deletion, the disks encrypted with it can no longer be read from or written to, and if the CMK is actually deleted the data on those disks can never be recovered. See Table 1 for details.
Table 1 Impact on encrypted disks after a CMK becomes unavailable

  • CMK status: Disabled
    Impact on encrypted disks:
      • If an encrypted disk is attached to a server at that point, the disk can still be used, but normal read/write operations are not guaranteed indefinitely.
      • If an encrypted disk is detached at that point, re-attaching it will fail.
    How to restore: Enable the CMK. For details, see Managing CMKs > Enabling One or Multiple CMKs in the Key Management Service User Guide.

  • CMK status: Scheduled deletion
    Impact on encrypted disks: Same as for a disabled CMK (see above).
    How to restore: Cancel the scheduled deletion of the CMK. For details, see Managing CMKs > Canceling the Scheduled Deletion of One or Multiple CMKs in the Key Management Service User Guide.

  • CMK status: Deleted
    Impact on encrypted disks: Data on the disks can never be restored.
    How to restore: Not possible.
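The practical check a practitioner wants before touching a CMK is "which disks are locked to this key, and what happens to each of them". The following is an added example, not code from the EVS documentation or from the EVS/KMS services: it applies Table 1 programmatically and can be run as a pre-flight audit before a CMK is disabled or scheduled for deletion. It assumes disk records in the shape of the OpenStack-compatible volume API (a metadata dict carrying __system__encrypted and __system__cmkid, plus an attachments list), four KMS key-state strings, and constructed sample records; none of these appear on this page.

```python
"""Pre-flight audit before disabling or scheduling deletion of a KMS CMK.

Added example; not code from the EVS documentation or the EVS/KMS services.
Assumptions not stated on this page:
  * each disk record is a dict with a "metadata" dict carrying
    "__system__encrypted" ("0"/"1") and "__system__cmkid" (the key ID), in the
    style of the OpenStack-compatible volume API, plus an "attachments" list;
  * KMS key state is one of the four strings below;
  * SAMPLE_DISKS and SAMPLE_KEY_STATES are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ENABLED = "Enabled"
DISABLED = "Disabled"
SCHEDULED_DELETION = "Scheduled deletion"
DELETED = "Deleted"


@dataclass(frozen=True)
class Finding:
    disk_id: str
    cmk_id: str
    key_state: str
    attached: bool
    impact: str
    remedy: str


def disk_cmk(disk: dict) -> Optional[str]:
    """Return the CMK ID an encrypted disk depends on, or None if unencrypted."""
    meta = disk.get("metadata") or {}
    if meta.get("__system__encrypted") != "1":
        return None
    return meta.get("__system__cmkid")


def disks_using_cmk(disks: List[dict], cmk_id: str) -> List[str]:
    """IDs of all disks whose data is locked to the given CMK."""
    return [d["id"] for d in disks if disk_cmk(d) == cmk_id]


def assess(disk: dict, key_state: str) -> Optional[Finding]:
    """Apply Table 1 to one disk: what breaks in the given key state, how to recover."""
    cmk_id = disk_cmk(disk)
    if cmk_id is None or key_state == ENABLED:
        return None  # unencrypted, or key usable: nothing to report
    attached = bool(disk.get("attachments"))
    if key_state in (DISABLED, SCHEDULED_DELETION):
        # Same impact for both states; only the recovery step differs.
        impact = ("attached: still usable, but read/write is not guaranteed indefinitely"
                  if attached else "detached: re-attaching the disk will fail")
        remedy = ("Enable the CMK in KMS" if key_state == DISABLED
                  else "Cancel the scheduled deletion of the CMK in KMS")
    elif key_state == DELETED:
        impact = "data on the disk can never be restored"
        remedy = "none"
    else:
        raise ValueError(f"unknown key state {key_state!r}")
    return Finding(disk["id"], cmk_id, key_state, attached, impact, remedy)


def audit(disks: List[dict], key_states: Dict[str, str]) -> List[Finding]:
    """Report every encrypted disk whose CMK is not currently usable.

    A key ID missing from key_states is treated as deleted: a key that KMS no
    longer lists is, from the disk's point of view, as gone as a deleted one.
    """
    findings = []
    for d in disks:
        cmk_id = disk_cmk(d)
        if cmk_id is None:
            continue
        f = assess(d, key_states.get(cmk_id, DELETED))
        if f is not None:
            findings.append(f)
    return findings


def preflight(disks: List[dict], cmk_id: str, intended_state: str) -> List[Finding]:
    """What would break if cmk_id were put into intended_state right now."""
    return [f for f in (assess(d, intended_state) for d in disks)
            if f is not None and f.cmk_id == cmk_id]


# Constructed sample records (not real disk or key IDs).
SAMPLE_DISKS = [
    {"id": "vol-a", "metadata": {"__system__encrypted": "1", "__system__cmkid": "cmk-1111"},
     "attachments": [{"server_id": "ecs-1"}]},
    {"id": "vol-b", "metadata": {"__system__encrypted": "1", "__system__cmkid": "cmk-1111"},
     "attachments": []},
    {"id": "vol-c", "metadata": {"__system__encrypted": "1", "__system__cmkid": "key-default"},
     "attachments": []},
    {"id": "vol-d", "metadata": {"__system__encrypted": "0"}, "attachments": []},
]
SAMPLE_KEY_STATES = {"cmk-1111": DISABLED, "key-default": ENABLED}

if __name__ == "__main__":
    for f in audit(SAMPLE_DISKS, SAMPLE_KEY_STATES):
        print(f"{f.disk_id}: CMK {f.cmk_id} is {f.key_state}; {f.impact}; remedy: {f.remedy}")
    print("scheduling deletion of key-default would affect:",
          [f.disk_id for f in preflight(SAMPLE_DISKS, "key-default", SCHEDULED_DELETION)])
```

Run preflight() with the intended state before changing the key, and audit() periodically against the live key list; an empty result from preflight() is the condition under which disabling or scheduling deletion of a CMK is safe for EVS.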

Relationships Among Encrypted Disks, Snapshots, and Backups

The encryption function can be used for system disks, data disks, EVS snapshots, and EVS disk backups. The detailed descriptions are as follows:
  • Whether a system disk is encrypted depends on the image used to create the server. If the server is created from an encrypted image, its system disk is an encrypted disk. For details, see Encrypting an Image in the Image Management Service User Guide.
  • The encryption setting of an existing EVS disk cannot be changed; you choose whether to encrypt a disk only when you create it.
  • If an EVS disk is created from a snapshot, the encryption setting of the EVS disk will be the same as that of the snapshot.
  • If an EVS disk is created from a backup, the encryption setting of the EVS disk will be the same as that of the backup.
  • If a snapshot or backup is created for an EVS disk, the encryption setting of the snapshot or backup will be the same as that of the EVS disk.

Who Can Use the Disk Encryption Function?

  • The security administrator (having the Security Administrator rights) can grant the KMS access rights to EVS for using the disk encryption function.
  • When a common user who does not have the Security Administrator rights needs to use the disk encryption function, what is required depends on whether the user is the first one in the current region or project ever to use this feature.
    • If the common user is the first one ever in the current region or project to use the feature, the user must contact a user having the Security Administrator rights to grant the KMS access rights to EVS. Then, the common user can use the disk encryption function.
    • If the common user is not the first one ever in the current region or project to use the feature, the common user can use the disk encryption function directly.

From the perspective of a tenant, once the KMS access rights have been granted to EVS in a region, all users in that region can use the disk encryption function directly.

If there are multiple projects in the current region, the KMS access rights need to be granted to each project in this region.

Application Scenarios of EVS Disk Encryption

Figure 1 shows the user relationships under regions and projects from the perspective of a tenant. The following example uses region B to describe the two application scenarios of the disk encryption function.

Figure 1 User relationships
  • If the security administrator uses the encryption function for the first time ever, the operation process is as follows:
    1. Grant the KMS access rights to EVS.

      After the KMS access rights have been granted, the system automatically creates a Default Master Key (DMK) named evs/default. The DMK can be used for disk encryption.

      NOTE:

      The EVS disk encryption relies on KMS. When the encryption function is used for the first time ever, the KMS access rights need to be granted to EVS. After the KMS access rights have been granted, all users in this region can use the encryption function, without requiring the KMS access rights to be granted again.

    2. Select a key.
      You can select one of the following keys:
      • DMK: evs/default
      • CMKs: Existing or newly created CMKs. For details, see Creating a CMK in the Key Management Service User Guide.

    After the security administrator has used the disk encryption function, all users in Region B can directly use the encryption function.

  • If User E (common user) uses the encryption function for the first time ever, the operation process is as follows:
    1. When User E tries to use the encryption function, the system displays a message indicating that the KMS access rights have not been granted to EVS.
    2. Contact the security administrator to grant the KMS access rights to EVS.

    After the KMS access rights have been granted to EVS, User E as well as all users in Region B can directly use the disk encryption function and do not need to contact the security administrator to grant the KMS access rights to EVS again.