Elastic Cloud Server

User Encryption

2026-03-24 01:22:52

User encryption refers to the process of using eSurfing Cloud products or other methods to encrypt elastic cloud server resources, thereby enhancing the security of the data.

EVS Encryption

eSurfing Cloud supports encryption for both system disks and data disks.

EVS Encryption feature: When creating an EVS, users can choose whether to encrypt the EVS. Once the EVS is created, the encryption attribute cannot be changed.

Cloud Server System Disk Encryption: System disk encryption can be configured directly while the cloud server is being created.

Cloud Server Data Disk Encryption: Data disk encryption can be configured directly while the cloud server is being created.

EVS Encryption and Snapshots: Snapshots created from an encrypted EVS, and EVSs created from those snapshots, automatically inherit the encryption attributes.

EVS Encryption and Backup: Backups created from an encrypted EVS, and EVSs created from those backups, automatically inherit the encryption attributes.

Key Management

eSurfing Cloud uses the industry-standard AES-256 algorithm to encrypt your EVS data with a data key. The encryption key for the encrypted EVS is provided by eSurfing Cloud's self-developed Key Management Service (KMS). Users can easily create and manage keys to meet the needs for data encryption/decryption and digital signature verification, ensuring security and convenience.

KMS protects the security of keys by using a Hardware Security Module (HSM). All user keys are protected by the root key within the HSM, preventing key leakage. KMS performs access control and logging for all key operations, and provides records of all key usage, meeting audit and compliance requirements. Key management can easily meet the encryption and decryption needs for both small and large amounts of data.

How It Works

Two concepts need to be understood before the working principle of EVS encryption is explained:

  • Default Key (Default CMK): The service key automatically generated and managed under the user's account when the user first uses KMS for encryption through the corresponding cloud service.

  • Customer Master Key (CMK): A Customer Master Key can be symmetric or asymmetric. It is used primarily to encrypt and protect data keys (envelope encryption), and it can also be used directly to encrypt small amounts of data. Users can call the KMS API CreateKey to create a Customer Master Key (CMK).

Upon the first use of an encrypted EVS, the system will automatically create a Customer Master Key (CMK). This key is unique and is created within the corresponding region in KMS, and it is stored on the Key Management Service, which is protected by strict physical and logical security controls.

Encrypted EVSs in a region are encrypted with a 256-bit Data Key (DK). The DK is unique per region: each region has exactly one. This key is protected by the key management infrastructure provided by KMS, which effectively prevents unauthorized access. The DK for an EVS is used only in the memory of the host machine where the instance resides and is never stored in plaintext on any persistent medium (not even on the EVS itself).

After creating an encrypted EVS and mounting it to an instance, the following data will be associated with this key and encrypted:

  • Static data on EVS

  • Data transferred between the EVS and the instance (data within the instance's operating system is not encrypted)

  • Snapshots created through encrypted EVS
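The envelope scheme described above, with the CMK wrapping the DK and the DK encrypting the disk data, as an added example that is not eSurfing Cloud's or KMS's code: the CMK is a constructed local 32-byte key standing in for the one KMS holds, a fresh DK is generated per call for illustration, and AES-256-GCM is assumed both for wrapping the DK and for the data, since the page does not state the modes the service uses.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "errors"

// gcm returns AES-256-GCM for a 32-byte key (the CMK or a DK).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a bug in this example, not input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return g
}

// seal encrypts plaintext under key and prepends a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // documented never to return an error in Go 1.24+
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a modified blob fails the GCM tag check.
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Encrypt: a fresh 256-bit DK encrypts the disk data and the CMK wraps the DK.
// Only (wrappedDK, ciphertext) is returned; the plaintext DK never leaves memory.
func Encrypt(cmk, data []byte) (wrappedDK, ciphertext []byte) {
	dk := make([]byte, 32)
	rand.Read(dk)
	return seal(cmk, dk), seal(dk, data)
}

// Decrypt unwraps the DK with the CMK (the step KMS performs), then decrypts.
func Decrypt(cmk, wrappedDK, ciphertext []byte) ([]byte, error) {
	dk, err := open(cmk, wrappedDK)
	if err != nil {
		return nil, errors.New("unwrap DK: " + err.Error())
	}
	return open(dk, ciphertext)
}
```

Without the CMK the stored pair (wrapped DK, ciphertext) is useless, which is why access control and logging on the CMK in KMS is what actually gates the disk data.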

Impact on Autoscaling

If an elastic cloud server with encryption enabled is used to create an autoscaling configuration, the cloud servers created through that scaling configuration keep the same encryption settings as the original cloud server.
