forked from docs/doc-exports
Reviewed-by: Miskanin, Jan <jan.miskanin@t-systems.com> Co-authored-by: zhangyue <zhangyue164@huawei.com> Co-committed-by: zhangyue <zhangyue164@huawei.com>
162 lines
17 KiB
HTML
<a name="evs_01_0001"></a><a name="evs_01_0001"></a>
<h1 class="topictitle1">EVS Encryption</h1>
<div id="body1505872566368"><div class="section" id="evs_01_0001__section14109833104132"><h4 class="sectiontitle">What Is EVS Encryption?</h4><p id="evs_01_0001__p5767114314413">If your services require the data stored on EVS disks to be encrypted, EVS provides an encryption function. Encryption can be enabled only for newly created EVS disks.</p>
<p id="evs_01_0001__p135522595318">EVS encrypts disks with the industry-standard XTS-AES-256 algorithm. The keys used by encrypted EVS disks are provided by the Key Management Service (KMS), so you do not need to build and maintain your own key management infrastructure. KMS protects keys with Hardware Security Modules (HSMs) that comply with FIPS 140-2 Level 3, and all user keys are protected by a root key held in the HSM to prevent key exposure.</p>
<p id="evs_01_0001__p44532316613"></p>
<div class="notice" id="evs_01_0001__note11941219101615"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="evs_01_0001__p9214171713386">The encryption attribute of a disk cannot be changed after the disk is created.</p>
<p id="evs_01_0001__p663854212927">For details about how to create an encrypted disk, see <a href="en-us_topic_0021738346.html">Create an EVS Disk</a>.</p>
</div></div>
</div>
<div class="section" id="evs_01_0001__section17331463223115"><h4 class="sectiontitle">Keys Used for EVS Encryption</h4><div class="p" id="evs_01_0001__p44297599103525">Keys provided by KMS include a Default Master Key and Customer Master Keys (CMKs).<ul id="evs_01_0001__ul19537237173313"><li id="evs_01_0001__li38741344153312">Default Master Key: A key that is automatically created by EVS through KMS and named <strong id="evs_01_0001__b10486194865213">evs/default</strong>.<p id="evs_01_0001__p5874194483315">It cannot be disabled and does not support scheduled deletion.</p>
</li><li id="evs_01_0001__li10901124519340">CMKs: Keys created by users. You may use existing CMKs or create new CMKs to encrypt disks. For details, see <span class="menucascade" id="evs_01_0001__menucascade137031646666"><b><span class="uicontrol" id="evs_01_0001__uicontrol167031461467">Management</span></b> > <b><span class="uicontrol" id="evs_01_0001__uicontrol1270394620614">Creating a CMK</span></b></span> in the <em id="evs_01_0001__i1670311461611">Key Management Service User Guide</em>.</li></ul>
</div>
<p id="evs_01_0001__p15626129143114">When an encrypted disk is attached, EVS calls KMS, and KMS returns the disk's data key (DK) to the memory of the host that runs the ECS. The disk uses the DK plaintext to encrypt and decrypt its I/O. The DK plaintext is held only in that host's memory and is never written to persistent media. If the CMK is disabled or deleted in KMS while the disk is attached, the disk keeps working because it still holds the DK plaintext in memory. Once the disk is detached, the DK plaintext is discarded from memory and the disk can no longer be read or written. Before you re-attach such a disk, ensure that its CMK is enabled.</p>
<div class="p" id="evs_01_0001__p1747318441415">If a CMK used to encrypt disks is disabled or scheduled for deletion, data on those disks can no longer be read or written once they are detached; if the CMK is deleted, the data can never be restored. See <a href="#evs_01_0001__table15423135384216">Table 1</a> for more information.
<div class="tablenoborder"><a name="evs_01_0001__table15423135384216"></a><a name="table15423135384216"></a><table cellpadding="4" cellspacing="0" summary="" id="evs_01_0001__table15423135384216" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Impact of CMK unavailability</caption><thead align="left"><tr id="evs_01_0001__row64230539421"><th align="left" class="cellrowborder" valign="top" width="21%" id="mcps1.3.2.4.2.2.4.1.1"><p id="evs_01_0001__p18423125312425">CMK Status</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35%" id="mcps1.3.2.4.2.2.4.1.2"><p id="evs_01_0001__p15423453154211">Impact</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="44%" id="mcps1.3.2.4.2.2.4.1.3"><p id="evs_01_0001__p104231253114218">How to Restore</p>
</th>
</tr>
</thead>
<tbody><tr id="evs_01_0001__row114238537426"><td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.2.4.2.2.4.1.1 "><p id="evs_01_0001__p8423155312427">Disabled</p>
</td>
<td class="cellrowborder" rowspan="3" valign="top" width="35%" headers="mcps1.3.2.4.2.2.4.1.2 "><ul id="evs_01_0001__ul7272244174918"><li id="evs_01_0001__li6728453296">For an encrypted disk that is already attached:<p id="evs_01_0001__p1518106202915"><a name="evs_01_0001__li6728453296"></a><a name="li6728453296"></a>Reads and writes continue normally until the disk is detached. Once detached, the disk cannot be attached again.</p>
</li><li id="evs_01_0001__li139183147294">For an encrypted disk that is not attached:<p id="evs_01_0001__p139581662917"><a name="evs_01_0001__li139183147294"></a><a name="li139183147294"></a>The disk can no longer be attached.</p>
</li></ul>
</td>
<td class="cellrowborder" valign="top" width="44%" headers="mcps1.3.2.4.2.2.4.1.3 "><p id="evs_01_0001__p247893525">Enable the CMK. For details, see <strong id="evs_01_0001__b971084618611">Managing CMKs</strong> > <strong id="evs_01_0001__b1871018461661">Enabling One or More CMKs</strong> in the <em id="evs_01_0001__i17102046064">Key Management Service User Guide</em>.</p>
</td>
</tr>
<tr id="evs_01_0001__row194235535421"><td class="cellrowborder" valign="top" headers="mcps1.3.2.4.2.2.4.1.1 "><p id="evs_01_0001__p24231953104211">Scheduled deletion</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.2.4.2.2.4.1.3 "><p id="evs_01_0001__p1811015185215">Cancel the scheduled deletion for the CMK. For details, see <strong id="evs_01_0001__b20710846167">Managing CMKs</strong> > <strong id="evs_01_0001__b7710246962">Canceling the Scheduled Deletion of One or More CMKs</strong> in the <em id="evs_01_0001__i147103461466">Key Management Service User Guide</em>.</p>
</td>
</tr>
<tr id="evs_01_0001__row84234536424"><td class="cellrowborder" valign="top" headers="mcps1.3.2.4.2.2.4.1.1 "><p id="evs_01_0001__p134239539426">Deleted</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.2.4.2.2.4.1.3 "><p id="evs_01_0001__p842375394216">Data on the disks can never be restored.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
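<p>The data-key lifecycle described above and the CMK states of Table 1 can be reproduced end to end. The following Python program is an added example, not Huawei Cloud EVS or KMS code: it simulates KMS wrapping a per-disk data key under a CMK with AES-256-GCM, unwraps it only while the CMK is enabled, keeps the DK plaintext in memory only while the disk is attached, and encrypts sectors with XTS-AES-256 (the XTS mode comes from the <code>cryptography</code> package). The class and method names, the 512-byte sector, the sample data and the key-wrap format are assumptions made for illustration; the state transitions mirror Table 1.</p>

```python
"""Added example, not Huawei Cloud EVS/KMS code: a model of the envelope-encryption lifecycle
in the text.  A simulated KMS keeps the CMK material (standing in for the HSM), a disk persists
only its wrapped data key (DK), the DK plaintext exists only while the disk is attached, and
sector I/O is XTS-AES-256 from the `cryptography` package.  Names, the 512-byte sector and the
AES-256-GCM key-wrap format are assumptions made for this example."""
import os
from enum import Enum

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class CMKState(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"                      # Table 1: recover by enabling the CMK
    SCHEDULED_DELETION = "scheduled_deletion"  # Table 1: recover by cancelling the deletion
    DELETED = "deleted"                        # Table 1: terminal, data can never be restored


class KMS:
    def __init__(self, *cmk_ids):
        self._material = {c: AESGCM.generate_key(256) for c in cmk_ids}  # never leaves KMS
        self.state = {c: CMKState.ENABLED for c in cmk_ids}

    def set_state(self, cmk_id, new_state):
        # Table 1 transitions: deletion destroys the material and cannot be undone.
        if self.state[cmk_id] is CMKState.DELETED:
            raise PermissionError(f"CMK {cmk_id} is deleted; data under it can never be restored")
        if new_state is CMKState.DELETED:
            self._material.pop(cmk_id)
        self.state[cmk_id] = new_state

    def _aead(self, cmk_id):
        if self.state[cmk_id] is not CMKState.ENABLED:  # every KMS call needs an enabled CMK
            raise PermissionError(f"CMK {cmk_id} is {self.state[cmk_id].value}, not enabled")
        return AESGCM(self._material[cmk_id])

    def generate_data_key(self, cmk_id):
        """Fresh 64-byte XTS-AES-256 DK, handed out only in wrapped form: nonce || GCM(DK)."""
        nonce = os.urandom(12)
        return nonce + self._aead(cmk_id).encrypt(nonce, os.urandom(64), cmk_id.encode())

    def decrypt_data_key(self, cmk_id, wrapped):
        """The call EVS makes at attach time; returns the DK plaintext to the host."""
        return self._aead(cmk_id).decrypt(wrapped[:12], wrapped[12:], cmk_id.encode())


def xts_sector(dk, sector, data, encrypt):
    """XTS-AES-256 over one data unit; the sector number is the 128-bit tweak."""
    cipher = Cipher(algorithms.AES(dk), modes.XTS(sector.to_bytes(16, "little")))
    op = cipher.encryptor() if encrypt else cipher.decryptor()
    return op.update(data) + op.finalize()


class EncryptedDisk:
    def __init__(self, kms, cmk_id):
        self.cmk_id, self.wrapped_dk = cmk_id, kms.generate_data_key(cmk_id)  # persisted
        self.media = {}  # sector number -> ciphertext ("persistent media")
        self.dk = None   # DK plaintext: host memory only, None while detached

    def attach(self, kms):
        self.dk = kms.decrypt_data_key(self.cmk_id, self.wrapped_dk)

    def detach(self):
        self.dk = None  # I/O never consults KMS; only re-attaching needs KMS again

    def write(self, sector, plaintext):
        if self.dk is None:
            raise RuntimeError("disk is not attached")
        self.media[sector] = xts_sector(self.dk, sector, plaintext, True)

    def read(self, sector):
        if self.dk is None:
            raise RuntimeError("disk is not attached")
        return xts_sector(self.dk, sector, self.media[sector], False)


def refused_or(action):
    # Run a KMS-gated step; Table 1's "cannot" cases surface here as PermissionError.
    try:
        return action()
    except PermissionError:
        return "refused"


def lifecycle():
    # Replay Table 1 with one CMK and one disk; returns {step: outcome}.
    kms, log = KMS("cmk-1"), {}
    disk = EncryptedDisk(kms, "cmk-1")
    sector = b"constructed sample sector data! " * 16  # 512-byte constructed sector
    disk.attach(kms)
    disk.write(3, sector)
    kms.set_state("cmk-1", CMKState.DISABLED)
    log["read while attached, CMK disabled"] = disk.read(3) == sector
    disk.detach()
    for state in (CMKState.DISABLED, CMKState.SCHEDULED_DELETION, CMKState.ENABLED, CMKState.DELETED):
        kms.set_state("cmk-1", state)  # ENABLED here also models cancelling a scheduled deletion
        log[f"re-attach with CMK {state.value}"] = refused_or(lambda: disk.attach(kms) or disk.read(3) == sector)
        disk.detach()
    log["revive deleted CMK"] = refused_or(lambda: kms.set_state("cmk-1", CMKState.ENABLED) or "allowed")
    return log
```

<p>Running <code>lifecycle()</code> shows the asymmetry the text describes: a read on an attached disk still succeeds after its CMK has been disabled, every re-attach is refused until the CMK is enabled again (or the scheduled deletion is cancelled), and once the CMK is deleted neither attaching nor reviving the key is possible, so the ciphertext left on the media is unrecoverable. XTS provides confidentiality only; it does not detect tampering with stored sectors, which is why the key wrap in the example uses an authenticated mode.</p>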
</div>
<div class="section" id="evs_01_0001__section195449474374"><h4 class="sectiontitle">Encryption Scenarios</h4><ul id="evs_01_0001__evs_01_0009_ul207421721131918"><li id="evs_01_0001__evs_01_0009_li1574272116198"><strong id="evs_01_0001__evs_01_0009_b6454713124317">System disk encryption</strong><p id="evs_01_0001__evs_01_0009_p416310329224">System disks are created together with <span id="evs_01_0001__evs_01_0009_text293735011236">server</span>s and cannot be created separately, so whether a system disk is encrypted depends on the image selected when the <span id="evs_01_0001__evs_01_0009_text10688121112411">server</span> is created. See the following table for details.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="evs_01_0001__evs_01_0009_table1070734918448" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Encryption relationship between images and system disks</caption><thead align="left"><tr id="evs_01_0001__evs_01_0009_row3708174920448"><th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.3.2.1.3.2.4.1.1"><p id="evs_01_0001__evs_01_0009_p570854914415">Creating Server Using Encrypted Image</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="22%" id="mcps1.3.3.2.1.3.2.4.1.2"><p id="evs_01_0001__evs_01_0009_p8708124913440">Whether System Disk Will Be Encrypted</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="57.99999999999999%" id="mcps1.3.3.2.1.3.2.4.1.3"><p id="evs_01_0001__evs_01_0009_p20708164934416">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="evs_01_0001__evs_01_0009_row570824912446"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.1.3.2.4.1.1 "><p id="evs_01_0001__evs_01_0009_p570844910449">Yes</p>
</td>
<td class="cellrowborder" valign="top" width="22%" headers="mcps1.3.3.2.1.3.2.4.1.2 "><p id="evs_01_0001__evs_01_0009_p1270884954414">Yes</p>
</td>
<td class="cellrowborder" valign="top" width="57.99999999999999%" headers="mcps1.3.3.2.1.3.2.4.1.3 "><p id="evs_01_0001__evs_01_0009_p870864910448">For details, see <strong id="evs_01_0001__evs_01_0009_b4590728204817">Managing Private Images</strong> > <strong id="evs_01_0001__evs_01_0009_b959012285484">Encrypting Images</strong> in the <em id="evs_01_0001__evs_01_0009_i10590202817485">Image Management Service User Guide</em>.</p>
</td>
</tr>
<tr id="evs_01_0001__evs_01_0009_row127081549194419"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.1.3.2.4.1.1 "><p id="evs_01_0001__evs_01_0009_p37081492448">No</p>
</td>
<td class="cellrowborder" valign="top" width="22%" headers="mcps1.3.3.2.1.3.2.4.1.2 "><p id="evs_01_0001__evs_01_0009_p7708174919443">No</p>
</td>
<td class="cellrowborder" valign="top" width="57.99999999999999%" headers="mcps1.3.3.2.1.3.2.4.1.3 "><p id="evs_01_0001__evs_01_0009_p137087495444">-</p>
</td>
</tr>
</tbody>
</table>
</div>
</li><li id="evs_01_0001__evs_01_0009_li13785183012192"><strong id="evs_01_0001__evs_01_0009_b1826811345118">Data disk encryption</strong><p id="evs_01_0001__evs_01_0009_p16367115283814">Data disks can be created along with servers or separately. Whether data disks are encrypted depends on their data sources. See the following table for details.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="evs_01_0001__evs_01_0009_table2366175163319" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Encryption relationship between backups, snapshots, images, and data disks</caption><thead align="left"><tr id="evs_01_0001__evs_01_0009_row143678517336"><th align="left" class="cellrowborder" valign="top" width="17.408259174082595%" id="mcps1.3.3.2.2.3.2.5.1.1"><p id="evs_01_0001__evs_01_0009_p167962214418">Created On</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="23.207679232076792%" id="mcps1.3.3.2.2.3.2.5.1.2"><p id="evs_01_0001__evs_01_0009_p1236712515332">Method of Creation</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21.25787421257874%" id="mcps1.3.3.2.2.3.2.5.1.3"><p id="evs_01_0001__evs_01_0009_p13671851334">Whether Data Disk Will Be Encrypted</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="38.12618738126187%" id="mcps1.3.3.2.2.3.2.5.1.4"><p id="evs_01_0001__evs_01_0009_p33671354335">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="evs_01_0001__evs_01_0009_row1371614474388"><td class="cellrowborder" valign="top" width="17.408259174082595%" headers="mcps1.3.3.2.2.3.2.5.1.1 "><p id="evs_01_0001__evs_01_0009_p479122104111">The ECS console</p>
</td>
<td class="cellrowborder" valign="top" width="23.207679232076792%" headers="mcps1.3.3.2.2.3.2.5.1.2 "><p id="evs_01_0001__evs_01_0009_p57161747143819">Created together with the server</p>
</td>
<td class="cellrowborder" valign="top" width="21.25787421257874%" headers="mcps1.3.3.2.2.3.2.5.1.3 "><p id="evs_01_0001__evs_01_0009_p13717184711385">Yes/No</p>
</td>
<td class="cellrowborder" valign="top" width="38.12618738126187%" headers="mcps1.3.3.2.2.3.2.5.1.4 "><p id="evs_01_0001__evs_01_0009_p197171547203813">When a data disk is created together with a server, you can choose to encrypt the disk or not. For details, see <strong id="evs_01_0001__evs_01_0009_b17813642165614">Getting Started</strong> > <strong id="evs_01_0001__evs_01_0009_b781454235612">Creating an ECS</strong> > <strong id="evs_01_0001__evs_01_0009_b178142042125614">Step 1: Configure Basic Settings</strong> in the <em id="evs_01_0001__evs_01_0009_i5815154285617">Elastic Cloud Server User Guide</em>.</p>
</td>
</tr>
<tr id="evs_01_0001__evs_01_0009_row836715563310"><td class="cellrowborder" rowspan="6" valign="top" width="17.408259174082595%" headers="mcps1.3.3.2.2.3.2.5.1.1 "><p id="evs_01_0001__evs_01_0009_p1379192218412">The EVS console</p>
</td>
<td class="cellrowborder" valign="top" width="23.207679232076792%" headers="mcps1.3.3.2.2.3.2.5.1.2 "><p id="evs_01_0001__evs_01_0009_p1336714516334">No data source selected</p>
</td>
<td class="cellrowborder" valign="top" width="21.25787421257874%" headers="mcps1.3.3.2.2.3.2.5.1.3 "><p id="evs_01_0001__evs_01_0009_p93671053332">Yes/No</p>
</td>
<td class="cellrowborder" valign="top" width="38.12618738126187%" headers="mcps1.3.3.2.2.3.2.5.1.4 "><p id="evs_01_0001__evs_01_0009_p10197102311361">When an empty disk is created, you can choose whether to encrypt the disk or not. The encryption attribute of the disk cannot be changed after the disk has been created.</p>
</td>
</tr>
<tr id="evs_01_0001__evs_01_0009_row13676583316"><td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.1 "><p id="evs_01_0001__evs_01_0009_p153683516330">Creating from a backup</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.2 "><p id="evs_01_0001__evs_01_0009_p636814511332">Yes/No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.3 "><ul id="evs_01_0001__evs_01_0009_ul10651201816557"><li id="evs_01_0001__evs_01_0009_li1065112184556">When a disk is created from a backup, you can choose whether to encrypt the disk or not. The encryption attributes of the disk and backup do not need to be the same.</li><li id="evs_01_0001__evs_01_0009_li1090514213553">When you create a backup for a system or data disk, the encryption attribute of the backup will be the same as that of the disk.</li></ul>
</td>
</tr>
<tr id="evs_01_0001__evs_01_0009_row1627483710429"><td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.1 "><p id="evs_01_0001__evs_01_0009_p12697184412216">Creating from a snapshot</p>
<p id="evs_01_0001__evs_01_0009_p182754374425">(The snapshot's source disk is encrypted.)</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.2 "><p id="evs_01_0001__evs_01_0009_p1427511376423">Yes</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.3 "><p id="evs_01_0001__evs_01_0009_p11275637184213">A snapshot created from an encrypted disk is also encrypted.</p>
</td>
</tr>
<tr id="evs_01_0001__evs_01_0009_row0208153618575"><td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.1 "><p id="evs_01_0001__evs_01_0009_p119441848429">Creating from a snapshot</p>
<p id="evs_01_0001__evs_01_0009_p202081936195711">(The snapshot's source disk is not encrypted.)</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.2 "><p id="evs_01_0001__evs_01_0009_p152084361575">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.3 "><p id="evs_01_0001__evs_01_0009_p5208203605714">A snapshot created from a non-encrypted disk is not encrypted.</p>
</td>
</tr>
<tr id="evs_01_0001__evs_01_0009_row186918613211"><td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.1 "><p id="evs_01_0001__evs_01_0009_p47511521722">Creating from an image</p>
<p id="evs_01_0001__evs_01_0009_p17692767216">(The image's source disk is encrypted.)</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.2 "><p id="evs_01_0001__evs_01_0009_p669217617212">Yes</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.3 "><p id="evs_01_0001__evs_01_0009_p196921061526">-</p>
</td>
</tr>
<tr id="evs_01_0001__evs_01_0009_row1765844010426"><td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.1 "><p id="evs_01_0001__evs_01_0009_p156582401421">Creating from an image</p>
<p id="evs_01_0001__evs_01_0009_p4193183814210">(The image's source disk is not encrypted.)</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.2 "><p id="evs_01_0001__evs_01_0009_p1165844034216">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.2.3.2.5.1.3 "><p id="evs_01_0001__evs_01_0009_p3658740114215">-</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="evs_01_0001__evs_01_0009_p1901239141014"></p>
</li></ul>
</div>
<div class="section" id="evs_01_0001__section4401454411508"><h4 class="sectiontitle">Who Can Use the Encryption Function?</h4><p id="evs_01_0001__p196001926773">The prerequisites for using the encryption function depend on whether the user is the first one in the current region or project to use it.</p>
<ul id="evs_01_0001__ul8105271686"><li id="evs_01_0001__li8105175814">If the user is the first one, the user must follow the prompt to create an agency that grants EVS the KMS Administrator permission. Only then can the user create and obtain keys to encrypt and decrypt disks.<div class="note" id="evs_01_0001__note13312201443"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="evs_01_0001__p10346201847">The first user must hold the KMS Administrator permission to create the agency. If the user does not, ask the account administrator to grant it first.</p>
</div></div>
</li><li id="evs_01_0001__li410518712819">If the user is not the first one, the user can use encryption directly.</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="evs_01_0119.html">Overview</a></div>
</div>
</div>