When you need to encrypt the data stored in a cloud disk due to business security or compliance reasons, you can enable cloud disk encryption and use the infrastructure provided by Key Management Service (KMS) of Tencent Cloud to effectively protect data privacy.
This feature is currently in beta test. To use it, you need to submit a ticket to apply.
Tencent Cloud encrypts data in your cloud disks using a data encryption key based on the standard AES-256 algorithm. When you use cloud disk encryption for the first time, the system automatically creates a customer master key (CMK) that allows you to use the cloud disk encryption feature in the corresponding region in the KMS. Only one CMK is automatically created and stored in the KMS, which is protected by strict physical and logical security controls.
In each region, a unique 256-bit data key (DK) is used to encrypt the cloud disk. Snapshots created through encrypted cloud disks and encrypted cloud disks created through encrypted snapshots are all associated with this DK. The DK is protected by the key management infrastructure provided by KMS, which effectively blocks unauthorized access. The DK of a cloud disk is used only in the memory of the host where the instance resides, and is not stored in any persistent medium (including the cloud disk itself) in a plaintext form.
When you configure your cloud disk as encrypted, the KMS encrypts the data and automatically decrypts it during the read operation. The encryption and decryption processes are performed on the host where the CVM instance resides, with minimal impact on the read and write performance of the cloud disk. To test the performance of cloud disks, refer to Measuring cloud disk performance.
Once the encrypted cloud disk is created and mounted to the instance, the system encrypts the following data:
The cloud disk encryption feature is subject to the following limitations:
|Cloud disk limitations||
|Snapshots and images limitations||
Cloud disk encryption, CMK, and reads/writes of cloud disk data do not incur additional charges. When you manage the encrypted cloud disk either in the console or through an API, however, KMS is used as an API and your management operation will be counted as a KMS call in this region. You will be billed based on the number of KMS calls. For details, see KMS Billing Overview.
Management operations on an encrypted cloud disk include:
Make sure you have sufficient account balance, otherwise the operation will fail.
You can create an encrypted cloud disk through the following three methods:
If you are using cloud disk encryption in this region for the first time, first authorize the key management service.
Refer to Creating cloud disks using snapshots. By selecting an encrypted snapshot to create a cloud disk, you can create a cloud disk that contains relevant data and is encrypted.
You can create an encrypted cloud disk using the CreateDisks API by the following two methods:
SnapshotIdfor the encrypted snapshot.
To change the status of existing data in the cloud disk from non-encrypted to encrypted, we recommend you run the
rsync command in Linux system or the
robocopy command in Windows system to copy the data from the non-encrypted disk to the new encrypted disk.
If you need to change the status of existing data in the cloud disk from encrypted to non-encrypted, we recommend you run the same commands to copy the data from the encrypted disk to the new non-encrypted disk.