tencent cloud


Cloud Disk Encryption

Last updated: 2023-12-21 14:26:45
    To encrypt the data stored in a cloud disk, you can enable the cloud disk encryption feature, provided by Tencent Cloud Key Management Service (KMS) instructed in Product Overview.
    This feature is currently in beta test. To use it, contact us.

    Key Management

    Tencent Cloud encrypts data in your cloud disks using a data encryption key based on the standard AES-256 algorithm. When you use cloud disk encryption for the first time, the system automatically creates a customer master key (CMK) that allows you to use the cloud disk encryption feature in the corresponding region in the KMS. Only one CMK is automatically created and stored in the KMS, which is protected by strict physical and logical security controls. In each region, a unique 256-bit data key (DK) is used to encrypt the cloud disk. Snapshots created through encrypted cloud disks and encrypted cloud disks created through encrypted snapshots are all associated with this DK. The DK is protected by the key management infrastructure provided by KMS, which effectively blocks unauthorized access. The DK of a cloud disk is used only in the memory of the host where the instance resides, and is not stored in any persistent medium (including the cloud disk itself) in a plaintext form.

    How it Works

    When you configure your cloud disk as encrypted, the KMS encrypts the data and automatically decrypts it during the read operation. The encryption and decryption processes are performed on the host where the CVM instance resides, with minimal impact on the read and write performance of the cloud disk. To test the performance of cloud disks, refer to Measuring Cloud Disk Performance.
    Once the encrypted cloud disk is created and attached to the instance, the system encrypts the following data:
    Static data in the cloud disk;
    Data transmitted between the cloud disk and instance (data in the operating system of the instance is not encrypted);
    All snapshots created through encrypted cloud disks;


    The cloud disk encryption feature is subject to the following limitations:
    Cloud disk limitations
    All types of cloud disks can be encrypted, regardless of type of associated instance.
    Only cloud disks can be encrypted, not local disks.
    Only data disks can be encrypted, not system disks .
    An existing non-encrypted disk cannot be directly converted to an encrypted disk.
    An encrypted cloud disk cannot be converted to a non-encrypted cloud disk.
    To recognize the new capacity of an expanded encrypted cloud disk, you need to uninstall it and reattached it to the CVM.
    An encrypted cloud disk cannot be attached to an instance with local storage.
    Snapshots and images limitations
    A snapshot generated by an existing non-encrypted disk cannot be directly converted to an encrypted snapshot.
    An encrypted snapshot cannot be converted to a non-encrypted snapshot.
    An image with an encrypted snapshot cannot be shared.
    The encrypted snapshot and images created by it cannot be replicated across regions.
    Other Limitations
    The cloud disk encryption feature relies on the KMS in the same region. If you have no other operation requests, you do not need to perform additional operations in the KMS console.
    When you use the cloud disk encryption feature for the first time, you must activate KMS as instructed on the page. Otherwise, you cannot purchase the encrypted cloud disk.
    You can query the CMK created specifically by the system for cloud disk encryption in KMS console, but you cannot specify, delete, or change the CMK.


    Cloud disk encryption, CMK, and reads/writes of cloud disk data do not incur additional charges. When you manage the encrypted cloud disk either in the console or through an API, however, KMS is used as an API and your management operation will be counted as a KMS call in this region. You will be billed based on the number of KMS calls. For details, see Billing Overview.
    Management operations on an encrypted cloud disk include:
    Create an encrypted cloud disk
    Attach a cloud disk
    Detach a cloud disk
    Create a snapshot
    Roll back a snapshot
    Make sure you have sufficient account balance, otherwise the operation will fail.

    Creating an encrypted cloud disk

    You can create an encrypted cloud disk through the following three methods:
    Creating in the console
    Creating from a snapshot
    Creating Using an API
    1. Log in to the CBS console, select a region, and click Create.
    2. In the Purchase data disk dialog box, select Enable disk encryption.
    If you are using cloud disk encryption in this region for the first time, you need to get the authorization for KMS first.
    3. Select the cloud disk configuration based on your actual needs and click Ok.
    4. Once you have purchased the cloud disk, you can view encrypted cloud disks that have already been created on the Cloud disk list page. The new encrypted cloud disk is in to be attached status, you can refer to Attaching Cloud Disks to attach the cloud disk to a CVM instance in the same availability zone.
    You can select an encrypted snapshot to create a cloud disk. The cloud disk created in this way is encrypted automatically. For more information, see Creating Cloud Disks Using Snapshots.
    You can create an encrypted cloud disk by using the CreateDisks API. The following two methods are supported.
    Configure Encrypt as true.
    Specify a SnapshotId for the encrypted snapshot.

    Changing Data Encryption Status

    To change the status of existing data in the cloud disk from non-encrypted to encrypted, we recommend you run the rsync command in Linux system or the robocopy command in Windows system to copy the data from the non-encrypted disk to the new encrypted disk.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support