tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Cloud Block Storage
    Documentation
    Download PDF

    Cloud Disk Encryption

    Last updated: 2022-05-16 12:03:52
    Download PDF

      To encrypt the data stored in a cloud disk, you can enable the cloud disk encryption feature, provided by Tencent Cloud Key Management Service (KMS).

      Note:

      This feature is in beta test. To use it, you need to submit a ticket.

      Key Management

      Tencent Cloud encrypts data in your cloud disks using a data encryption key based on the standard AES-256 algorithm. When you use cloud disk encryption for the first time, the system automatically creates a customer master key (CMK) that allows you to use the cloud disk encryption feature in the corresponding region in the KMS. Only one CMK is automatically created and stored in the KMS, which is protected by strict physical and logical security controls.
      In each region, a unique 256-bit data key (DK) is used to encrypt the cloud disk. Snapshots created through encrypted cloud disks and encrypted cloud disks created through encrypted snapshots are all associated with this DK. The DK is protected by the key management infrastructure provided by KMS, which effectively blocks unauthorized access. The DK of a cloud disk is used only in the memory of the host where the instance resides, and is not stored in any persistent medium (including the cloud disk itself) in a plaintext form.

      How it Works

      When you configure your cloud disk as encrypted, the KMS encrypts the data and automatically decrypts it during the read operation. The encryption and decryption processes are performed on the host where the CVM instance resides, with minimal impact on the read and write performance of the cloud disk. To test the performance of cloud disks, refer to Measuring Cloud Disk Performance.

      Once the encrypted cloud disk is created and attached to the instance, the system encrypts the following data:

      • Static data in the cloud disk;
      • Data transmitted between the cloud disk and instance (data in the operating system of the instance is not encrypted);
      • All snapshots created through encrypted cloud disks;

      Limits

      The cloud disk encryption feature is subject to the following limitations:

      Limitation Description
      Cloud disk limitations
      • All types of cloud disks can be encrypted, regardless of type of associated instance.
      • Only cloud disks can be encrypted, not local disks.
      • Only data disks can be encrypted, not system disks .
      • An existing non-encrypted disk cannot be directly converted to an encrypted disk.
      • An encrypted cloud disk cannot be converted to a non-encrypted cloud disk.
      • To recognize the new capacity of an expanded encrypted cloud disk, you need to uninstall it and reattached it to the CVM.
      • An encrypted cloud disk cannot be attached to an instance with local storage.
      Snapshots and images limitations
      • A snapshot generated by an existing non-encrypted disk cannot be directly converted to an encrypted snapshot.
      • An encrypted snapshot cannot be converted to a non-encrypted snapshot.
      • An image with an encrypted snapshot cannot be shared.
      • The encrypted snapshot and images created by it cannot be replicated across regions.
      Other Limitations
      • The cloud disk encryption feature relies on the KMS in the same region. If you have no other operation requests, you do not need to perform additional operations in the KMS console.
      • When you use the cloud disk encryption feature for the first time, you must activate KMS as instructed on the page. Otherwise, you cannot purchase the encrypted cloud disk.
      • You can query the CMK created specifically by the system for cloud disk encryption in KMS console, but you cannot specify, delete, or change the CMK.

      Billing

      Cloud disk encryption, CMK, and reads/writes of cloud disk data do not incur additional charges. When you manage the encrypted cloud disk either in the console or through an API, however, KMS is used as an API and your management operation will be counted as a KMS call in this region. You will be billed based on the number of KMS calls. For details, see Billing Overview.

      Management operations on an encrypted cloud disk include:

      • Create an encrypted cloud disk
      • Attach a cloud disk
      • Detach a cloud disk
      • Create a snapshot
      • Rolling back a snapshot
        Note:

        Make sure you have sufficient account balance, otherwise the operation will fail.

      Creating an encrypted cloud disk

      You can create an encrypted cloud disk through the following three methods:

      Creating in the console

      1. Log in to the CBS Console, select a region, and click Create.
      2. In the Purchase Data Disk dialog box, select Enable disk encryption.
        Note:

        If you are using cloud disk encryption in this region for the first time, you need to get the authorization for KMS first.

      3. Select the cloud disk configuration based on your actual needs and click Submit.
      4. Once you have purchased the cloud disk, you can view encrypted cloud disks that have already been created on the Cloud Disk List page.
        The new encrypted cloud disk is in to be attached status, you can refer to Attaching cloud disks to attach the cloud disk to a CVM instance in the same availability zone.

      Creating from a snapshot

      You can select an encrypted snapshot to create a cloud disk. The cloud disk created in this way is encrypted automatically. For more information, see Creating Cloud Disks Using Snapshots.

      Creating Using an API

      You can create an encrypted cloud disk by using the CreateDisks API. The following two methods are supported.

      • Configure Encrypt as true.
      • Specify a SnapshotId for the encrypted snapshot.

      Changing Data Encryption Status

      To change the status of existing data in the cloud disk from non-encrypted to encrypted, we recommend you run the rsync command in Linux system or the robocopy command in Windows system to copy the data from the non-encrypted disk to the new encrypted disk.
      If you need to change the status of existing data in the cloud disk from encrypted to non-encrypted, we recommend you run the same commands to copy the data from the encrypted disk to the new non-encrypted disk.

      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      tencent
      Copyright © 2013-2022 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy