To encrypt the data stored in a cloud disk, you can enable the cloud disk encryption feature, provided by Tencent Cloud Key Management Service (KMS) instructed in Product Overview.
This feature is currently in beta test. To use it, contact us.
Tencent Cloud encrypts data in your cloud disks using a data encryption key based on the standard AES-256 algorithm. When you use cloud disk encryption for the first time, the system automatically creates a customer master key (CMK) that allows you to use the cloud disk encryption feature in the corresponding region in the KMS. Only one CMK is automatically created and stored in the KMS, which is protected by strict physical and logical security controls.
In each region, a unique 256-bit data key (DK) is used to encrypt the cloud disk. Snapshots created through encrypted cloud disks and encrypted cloud disks created through encrypted snapshots are all associated with this DK. The DK is protected by the key management infrastructure provided by KMS, which effectively blocks unauthorized access. The DK of a cloud disk is used only in the memory of the host where the instance resides, and is not stored in any persistent medium (including the cloud disk itself) in a plaintext form.
When you configure your cloud disk as encrypted, the KMS encrypts the data and automatically decrypts it during the read operation. The encryption and decryption processes are performed on the host where the CVM instance resides, with minimal impact on the read and write performance of the cloud disk. To test the performance of cloud disks, refer to Measuring Cloud Disk Performance.
Once the encrypted cloud disk is created and attached to the instance, the system encrypts the following data:
The cloud disk encryption feature is subject to the following limitations:
|Cloud disk limitations||
|Snapshots and images limitations||
Cloud disk encryption, CMK, and reads/writes of cloud disk data do not incur additional charges. When you manage the encrypted cloud disk either in the console or through an API, however, KMS is used as an API and your management operation will be counted as a KMS call in this region. You will be billed based on the number of KMS calls. For details, see Billing Overview.
Management operations on an encrypted cloud disk include:
Make sure you have sufficient account balance, otherwise the operation will fail.
You can create an encrypted cloud disk through the following three methods:
If you are using cloud disk encryption in this region for the first time, you need to get the authorization for KMS first.
You can select an encrypted snapshot to create a cloud disk. The cloud disk created in this way is encrypted automatically. For more information, see Creating Cloud Disks Using Snapshots.
You can create an encrypted cloud disk by using the CreateDisks API. The following two methods are supported.
SnapshotIdfor the encrypted snapshot.
To change the status of existing data in the cloud disk from non-encrypted to encrypted, we recommend you run the
rsync command in Linux system or the
robocopy command in Windows system to copy the data from the non-encrypted disk to the new encrypted disk.
If you need to change the status of existing data in the cloud disk from encrypted to non-encrypted, we recommend you run the same commands to copy the data from the encrypted disk to the new non-encrypted disk.