Create Encrypted EVS
Encrypted data disks are flexible to provision: the user can purchase one together with the ECS or separately on the EVS management console, and encrypt it in one of the following ways:
· When purchasing an EVS with the ECS, the user can choose whether to encrypt the EVS in the advanced properties. When the encryption property is checked, the EVS is encrypted. The system disk can only be ordered with the ECS, so encryption for it can only be chosen when ordering the cloud server.
· When purchasing an empty data disk separately on the EVS management console without selecting a data source, the user can also set it as an encrypted data disk in the advanced property settings. After the purchase succeeds, the user cannot change its encryption properties.
· When purchasing the data disk on the EVS management console, the user can select a data source. The data sources that the user can choose include backups and snapshots. The encryption properties of the new EVS are consistent with those of the source EVS of the backup or snapshot. That is, if the source EVS of the snapshot or backup is an encrypted EVS, the new EVS is also encrypted.
For details about how to create an EVS, see Create EVS.
Unmount Encrypted EVS
If the encrypted EVS uses a user master key, confirm whether that user master key is available before unmounting.
· If the user master key of the encrypted EVS is available, no data is lost when the disk is unmounted, and the disk can be remounted normally.
· If the user master key of the encrypted EVS is not available, continued normal use of the EVS cannot be guaranteed even if it can still read and write normally, and remounting may fail. Therefore, users should always check the status of the user master key before unmounting.
For details about how to unmount an EVS, see Unmount EVS.
Data Disk Encryption
The data disk can be purchased together with the ECS or separately. Whether the data disk is encrypted depends on the following scenarios:
Purchase Methods | Data Sources | Description |
Purchase data disk together with the ECS | Do not select data source | The blank data disk purchased with the ECS can be encrypted or not encrypted. The encryption properties cannot be changed after creation. |
Purchase the data disk separately | Do not select data source | The created blank data disk can be encrypted or not encrypted. The encryption properties cannot be changed after creation. |
Purchase the data disk separately | Create from backup (backup source EVS encrypted) | A backup created from an encrypted EVS is encrypted. The EVS created using an encrypted backup as the data source inherits the encryption properties and encryption keys of the backup. |
Purchase the data disk separately | Create from backup (backup source EVS unencrypted) | A backup created from an unencrypted EVS is unencrypted. The EVS created using an unencrypted backup as the data source is unencrypted. |
Purchase the data disk separately | Create from snapshot (snapshot source EVS encrypted) | A snapshot created from an encrypted EVS is encrypted. The EVS created using an encrypted snapshot as the data source inherits the encryption properties and encryption keys of the snapshot. |
Purchase the data disk separately | Create from snapshot (snapshot source EVS unencrypted) | A snapshot created from an unencrypted EVS is unencrypted. The EVS created using an unencrypted snapshot as the data source is unencrypted. |
Purchase the data disk separately | Create from image (data disk images cannot be encrypted) | Data disk images can only be created from an unencrypted EVS. The EVS created using an unencrypted image as the data source is unencrypted. |
Restrictions on Encrypting EVS
The following restrictions should also be noted when using encrypted EVS:
Item | Description |
EVS types that support encryption | General I/O, High I/O, General Purpose SSD, Ultra-high I/O. |
Other Restrictions | The encryption properties of the EVS cannot be modified after the EVS is created. |
Other Restrictions | An EVS with a disk mode of SCSI or FCSAN does not support encryption. |
Other Restrictions | A shared disk does not support encryption. |