Cloud Disk Encryption

Last updated: 2020-10-27 14:12:58

    When you need to encrypt the data stored in a cloud disk due to business security or compliance reasons, you can enable cloud disk encryption and use the infrastructure provided by Key Management Service (KMS) of Tencent Cloud to effectively protect data privacy.

    This feature is currently in beta test. To use it, you need to submit a ticket to apply.

    Key Management

    Tencent Cloud encrypts data in your cloud disks using a data encryption key based on the standard AES-256 algorithm. When you use cloud disk encryption for the first time, the system automatically creates a customer master key (CMK) that allows you to use the cloud disk encryption feature in the corresponding region in the KMS. Only one CMK is automatically created and stored in the KMS, which is protected by strict physical and logical security controls.
    In each region, a unique 256-bit data key (DK) is used to encrypt the cloud disk. Snapshots created through encrypted cloud disks and encrypted cloud disks created through encrypted snapshots are all associated with this DK. The DK is protected by the key management infrastructure provided by KMS, which effectively blocks unauthorized access. The DK of a cloud disk is used only in the memory of the host where the instance resides, and is not stored in any persistent medium (including the cloud disk itself) in a plaintext form.

    Operating Principles

    When you configure your cloud disk as encrypted, the KMS encrypts the data and automatically decrypts it during the read operation. The encryption and decryption processes are performed on the host where the CVM instance resides, with minimal impact on the read and write performance of the cloud disk. To test the performance of cloud disks, refer to Measuring cloud disk performance.

    Once the encrypted cloud disk is created and mounted to the instance, the system encrypts the following data:

    • Static data in the cloud disk;
    • Data transmitted between the cloud disk and instance (data in the operating system of the instance is not encrypted);
    • All snapshots created through encrypted cloud disks;

    Use Limits

    The cloud disk encryption feature is subject to the following limitations:

    Limitation Description
    Cloud disk limitations
    • Cloud disk encryption supports all cloud disk types and instance types.
    • Only cloud disks can be encrypted, not local disks.
    • Only data disks can be encrypted, not system disks .
    • An existing non-encrypted disk cannot be directly converted to an encrypted disk.
    • An encrypted cloud disk cannot be converted to a non-encrypted cloud disk.
    • If an encrypted cloud disk is expanded, you need to unmount and remount it on your CVM instance for its new capacity to be recognized.
    • An encrypted disk cannot be mounted to an instance with local storage.
    Snapshots and images limitations
    • A snapshot generated by an existing non-encrypted disk cannot be directly converted to an encrypted snapshot.
    • An encrypted snapshot cannot be converted to a non-encrypted snapshot.
    • An image with an encrypted snapshot cannot be shared.
    • The encrypted snapshot and images created by it cannot be replicated across regions.
    Other Limitations
    • The cloud disk encryption feature relies on the KMS in the same region. If you have no other operation requests, you do not need to perform additional operations in the KMS console.
    • When you use the cloud disk encryption feature for the first time, you must activate KMS as instructed on the page. Otherwise, you cannot purchase the encrypted cloud disk.
    • You can query the CMK created specifically by the system for cloud disk encryption in KMS console, but you cannot specify, delete, or change the CMK.


    Cloud disk encryption, CMK, and reads/writes of cloud disk data do not incur additional charges. When you manage the encrypted cloud disk either in the console or through an API, however, KMS is used as an API and your management operation will be counted as a KMS call in this region. You will be billed based on the number of KMS calls. For details, see KMS Billing Overview.

    Management operations on an encrypted cloud disk include:

    • Create an encrypted cloud disk
    • Mount a cloud disk
    • Unmount a cloud disk
    • Create a snapshot
    • Roll back a snapshot

      Make sure you have sufficient account balance, otherwise the operation will fail.

    Creating an encrypted cloud disk

    You can create an encrypted cloud disk through the following three methods:

    Creating an encrypted cloud disk in the console

    1. Log in to CBS Console, select a region, and click Create.
    2. In the Purchase Data Disk dialog box, select Enable disk encryption.

      If you are using cloud disk encryption in this region for the first time, first authorize the key management service.

    3. Select the cloud disk configuration based on your actual needs and click Submit.
    4. Once you have purchased the cloud disk, you can view encrypted cloud disks that have already been created on the Cloud Disk List page.
      The new encrypted cloud disk is in to be mounted status, you can refer to Mounting cloud disks to mount the cloud disk to a CVM instance in the same availability zone.

    Creating an encrypted cloud disk from a snapshot

    Refer to Creating cloud disks using snapshots. By selecting an encrypted snapshot to create a cloud disk, you can create a cloud disk that contains relevant data and is encrypted.

    Creating an encrypted cloud disk through an API

    You can create an encrypted cloud disk using the CreateDisks API by the following two methods:

    • Configure Encrypt as true.
    • Specify a SnapshotId for the encrypted snapshot.

    Changing data encryption status

    To change the status of existing data in the cloud disk from non-encrypted to encrypted, we recommend you run the rsync command in Linux system or the robocopy command in Windows system to copy the data from the non-encrypted disk to the new encrypted disk.
    If you need to change the status of existing data in the cloud disk from encrypted to non-encrypted, we recommend you run the same commands to copy the data from the encrypted disk to the new non-encrypted disk.