vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/evs/umn/evs_01_0009.html
zhangyue d05287d5d6 EVS UMN DOC 
Reviewed-by: Miskanin, Jan <jan.miskanin@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2024-05-09 07:19:17 +00:00

151 lines
14 KiB
HTML
Raw Blame History

<a name="evs_01_0009"></a><a name="evs_01_0009"></a>
<h1 class="topictitle1">Managing Encrypted EVS Disks</h1>
<div id="body1505876939205"><div class="section" id="evs_01_0009__section1446219503182"><h4 class="sectiontitle">Encryption Scenarios</h4><ul id="evs_01_0009__ul207421721131918"><li id="evs_01_0009__li1574272116198"><strong id="evs_01_0009__b6454713124317">System disk encryption</strong><p id="evs_01_0009__p416310329224">System disks are created along with <span id="evs_01_0009__text293735011236">server</span>s and cannot be created separately. So whether a system disk is encrypted or not depends on the image selected during the <span id="evs_01_0009__text10688121112411">server</span> creation. See the following table for details.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="evs_01_0009__table1070734918448" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Encryption relationship between images and system disks</caption><thead align="left"><tr id="evs_01_0009__row3708174920448"><th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.1.2.1.3.2.4.1.1"><p id="evs_01_0009__p570854914415">Creating Server Using Encrypted Image</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="22%" id="mcps1.3.1.2.1.3.2.4.1.2"><p id="evs_01_0009__p8708124913440">Whether System Disk Will Be Encrypted</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="57.99999999999999%" id="mcps1.3.1.2.1.3.2.4.1.3"><p id="evs_01_0009__p20708164934416">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="evs_01_0009__row570824912446"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.1.2.1.3.2.4.1.1 "><p id="evs_01_0009__p570844910449">Yes</p>
</td>
<td class="cellrowborder" valign="top" width="22%" headers="mcps1.3.1.2.1.3.2.4.1.2 "><p id="evs_01_0009__p1270884954414">Yes</p>
</td>
<td class="cellrowborder" valign="top" width="57.99999999999999%" headers="mcps1.3.1.2.1.3.2.4.1.3 "><p id="evs_01_0009__p870864910448">For details, see <strong id="evs_01_0009__b4590728204817">Managing Private Images</strong> &gt; <strong id="evs_01_0009__b959012285484">Encrypting Images</strong> in the <em id="evs_01_0009__i10590202817485">Image Management Service User Guide</em>.</p>
</td>
</tr>
<tr id="evs_01_0009__row127081549194419"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.1.2.1.3.2.4.1.1 "><p id="evs_01_0009__p37081492448">No</p>
</td>
<td class="cellrowborder" valign="top" width="22%" headers="mcps1.3.1.2.1.3.2.4.1.2 "><p id="evs_01_0009__p7708174919443">No</p>
</td>
<td class="cellrowborder" valign="top" width="57.99999999999999%" headers="mcps1.3.1.2.1.3.2.4.1.3 "><p id="evs_01_0009__p137087495444">-</p>
</td>
</tr>
</tbody>
</table>
</div>
</li><li id="evs_01_0009__li13785183012192"><strong id="evs_01_0009__b1826811345118">Data disk encryption</strong><p id="evs_01_0009__p16367115283814">Data disks can be created along with servers or separately. Whether data disks are encrypted depends on their data sources. See the following table for details.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="evs_01_0009__table2366175163319" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Encryption relationship between backups, snapshots, images, and data disks</caption><thead align="left"><tr id="evs_01_0009__row143678517336"><th align="left" class="cellrowborder" valign="top" width="17.408259174082595%" id="mcps1.3.1.2.2.3.2.5.1.1"><p id="evs_01_0009__p167962214418">Created On</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="23.207679232076792%" id="mcps1.3.1.2.2.3.2.5.1.2"><p id="evs_01_0009__p1236712515332">Method of Creation</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21.25787421257874%" id="mcps1.3.1.2.2.3.2.5.1.3"><p id="evs_01_0009__p13671851334">Whether Data Disk Will Be Encrypted</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="38.12618738126187%" id="mcps1.3.1.2.2.3.2.5.1.4"><p id="evs_01_0009__p33671354335">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="evs_01_0009__row1371614474388"><td class="cellrowborder" valign="top" width="17.408259174082595%" headers="mcps1.3.1.2.2.3.2.5.1.1 "><p id="evs_01_0009__p479122104111">The ECS console</p>
</td>
<td class="cellrowborder" valign="top" width="23.207679232076792%" headers="mcps1.3.1.2.2.3.2.5.1.2 "><p id="evs_01_0009__p57161747143819">Created together with the server</p>
</td>
<td class="cellrowborder" valign="top" width="21.25787421257874%" headers="mcps1.3.1.2.2.3.2.5.1.3 "><p id="evs_01_0009__p13717184711385">Yes/No</p>
</td>
<td class="cellrowborder" valign="top" width="38.12618738126187%" headers="mcps1.3.1.2.2.3.2.5.1.4 "><p id="evs_01_0009__p197171547203813">When a data disk is created together with a server, you can choose to encrypt the disk or not. For details, see <strong id="evs_01_0009__b17813642165614">Getting Started</strong> &gt; <strong id="evs_01_0009__b781454235612">Creating an ECS</strong> &gt; <strong id="evs_01_0009__b178142042125614">Step 1: Configure Basic Settings</strong> in the <em id="evs_01_0009__i5815154285617">Elastic Cloud Server User Guide</em>.</p>
</td>
</tr>
<tr id="evs_01_0009__row836715563310"><td class="cellrowborder" rowspan="6" valign="top" width="17.408259174082595%" headers="mcps1.3.1.2.2.3.2.5.1.1 "><p id="evs_01_0009__p1379192218412">The EVS console</p>
</td>
<td class="cellrowborder" valign="top" width="23.207679232076792%" headers="mcps1.3.1.2.2.3.2.5.1.2 "><p id="evs_01_0009__p1336714516334">No data source selected</p>
</td>
<td class="cellrowborder" valign="top" width="21.25787421257874%" headers="mcps1.3.1.2.2.3.2.5.1.3 "><p id="evs_01_0009__p93671053332">Yes/No</p>
</td>
<td class="cellrowborder" valign="top" width="38.12618738126187%" headers="mcps1.3.1.2.2.3.2.5.1.4 "><p id="evs_01_0009__p10197102311361">When an empty disk is created, you can choose whether to encrypt the disk or not. The encryption attribute of the disk cannot be changed after the disk has been created.</p>
</td>
</tr>
<tr id="evs_01_0009__row13676583316"><td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.1 "><p id="evs_01_0009__p153683516330">Creating from a backup</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.2 "><p id="evs_01_0009__p636814511332">Yes/No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.3 "><ul id="evs_01_0009__ul10651201816557"><li id="evs_01_0009__li1065112184556">When a disk is created from a backup, you can choose whether to encrypt the disk or not. The encryption attributes of the disk and backup do not need to be the same.</li><li id="evs_01_0009__li1090514213553">When you create a backup for a system or data disk, the encryption attribute of the backup will be the same as that of the disk.</li></ul>
</td>
</tr>
<tr id="evs_01_0009__row1627483710429"><td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.1 "><p id="evs_01_0009__p12697184412216">Creating from a snapshot</p>
<p id="evs_01_0009__p182754374425">(The snapshot's source disk is encrypted.)</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.2 "><p id="evs_01_0009__p1427511376423">Yes</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.3 "><p id="evs_01_0009__p11275637184213">A snapshot created from an encrypted disk is also encrypted.</p>
</td>
</tr>
<tr id="evs_01_0009__row0208153618575"><td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.1 "><p id="evs_01_0009__p119441848429">Creating from a snapshot</p>
<p id="evs_01_0009__p202081936195711">(The snapshot's source disk is not encrypted.)</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.2 "><p id="evs_01_0009__p152084361575">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.3 "><p id="evs_01_0009__p5208203605714">A snapshot created from a non-encrypted disk is not encrypted.</p>
</td>
</tr>
<tr id="evs_01_0009__row186918613211"><td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.1 "><p id="evs_01_0009__p47511521722">Creating from an image</p>
<p id="evs_01_0009__p17692767216">(The image's source disk is encrypted.)</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.2 "><p id="evs_01_0009__p669217617212">Yes</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.3 "><p id="evs_01_0009__p196921061526">-</p>
</td>
</tr>
<tr id="evs_01_0009__row1765844010426"><td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.1 "><p id="evs_01_0009__p156582401421">Creating from an image</p>
<p id="evs_01_0009__p4193183814210">(The image's source disk is not encrypted.)</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.2 "><p id="evs_01_0009__p1165844034216">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.2.2.3.2.5.1.3 "><p id="evs_01_0009__p3658740114215">-</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="evs_01_0009__p1901239141014"></p>
</li></ul>
</div>
<div class="section" id="evs_01_0009__section1453575444118"><h4 class="sectiontitle">Constraints</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="evs_01_0009__table10659018184214" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Constraints on disk encryption</caption><thead align="left"><tr id="evs_01_0009__row56591618194213"><th align="left" class="cellrowborder" valign="top" width="31%" id="mcps1.3.2.2.2.3.1.1"><p id="evs_01_0009__p14660218184212">Item</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="69%" id="mcps1.3.2.2.2.3.1.2"><p id="evs_01_0009__p116607180423">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="evs_01_0009__row6660518114212"><td class="cellrowborder" valign="top" width="31%" headers="mcps1.3.2.2.2.3.1.1 "><p id="evs_01_0009__p56601018194213">Types of disks supporting encryption</p>
</td>
<td class="cellrowborder" valign="top" width="69%" headers="mcps1.3.2.2.2.3.1.2 "><p id="evs_01_0009__p1660131874214">All disk types</p>
</td>
</tr>
<tr id="evs_01_0009__row206601118164212"><td class="cellrowborder" valign="top" width="31%" headers="mcps1.3.2.2.2.3.1.1 "><p id="evs_01_0009__p766031874218">Constraints on encrypted disks</p>
</td>
<td class="cellrowborder" valign="top" width="69%" headers="mcps1.3.2.2.2.3.1.2 "><p id="evs_01_0009__p66601418154217">The encryption attribute of a disk cannot be changed after the disk is created, meaning that:</p>
<ul id="evs_01_0009__ul1065113567462"><li id="evs_01_0009__li1365112564465">An encrypted disk cannot be changed to a non-encrypted disk.</li><li id="evs_01_0009__li13451421194716">A non-encrypted disk cannot be changed to an encrypted disk.</li></ul>
</td>
</tr>
<tr id="evs_01_0009__row19233182612208"><td class="cellrowborder" valign="top" width="31%" headers="mcps1.3.2.2.2.3.1.1 "><p id="evs_01_0009__p20233112611209">Constraints on user permissions</p>
</td>
<td class="cellrowborder" valign="top" width="69%" headers="mcps1.3.2.2.2.3.1.2 "><p id="evs_01_0009__p196001926773">When a user uses the encryption function, the condition varies depending on whether the user is the first one ever in the current region or project to use this function.</p>
<ul id="evs_01_0009__ul8105271686"><li id="evs_01_0009__evs_01_0001_li8105175814">If the user is the first user, the user needs to follow the prompt to create an agency, which grants KMS Administrator permissions to EVS. Then the user can create and obtain keys to encrypt and decrypt disks.<div class="note" id="evs_01_0009__evs_01_0001_note13312201443"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="evs_01_0009__evs_01_0001_p10346201847">The first user must have the KMS Administrator permissions to create the agency. If the user does not have the KMS Administrator permissions, contact the account administrator to grant the permissions first.</p>
</div></div>
</li><li id="evs_01_0009__evs_01_0001_li410518712819">If the user is not the first user, the user can use encryption directly.</li></ul>
</td>
</tr>
<tr id="evs_01_0009__row166018187425"><td class="cellrowborder" valign="top" width="31%" headers="mcps1.3.2.2.2.3.1.1 "><p id="evs_01_0009__p4660191894219">Constraints on encrypted images</p>
</td>
<td class="cellrowborder" valign="top" width="69%" headers="mcps1.3.2.2.2.3.1.2 "><ul id="evs_01_0009__ul541713528475"><li id="evs_01_0009__li5417552134714">Encrypted images cannot be replicated across regions.</li><li id="evs_01_0009__li158163214812">Encrypted images cannot be changed to non-encrypted images.</li><li id="evs_01_0009__li1422844204913">Encrypted images cannot be exported.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="evs_01_0009__section909365011371"><h4 class="sectiontitle">Creating an Encrypted EVS Disk</h4><p id="evs_01_0009__p146495302155">Before you use the encryption function, KMS access rights need to be granted to EVS. If you have the Security Administrator permissions, grant the KMS access rights to EVS directly. If you do not have this permission, contact a user with the security administrator permissions to grant KMS access rights to EVS and then select the encryption option to create an encrypted disk.</p>
<p id="evs_01_0009__p663854212927">For details about how to create an encrypted disk, see <a href="en-us_topic_0021738346.html">Create an EVS Disk</a>.</p>
</div>
<div class="section" id="evs_01_0009__section54711302212445"><h4 class="sectiontitle">Detaching an Encrypted EVS Disk</h4><p id="evs_01_0009__p467721432313">Before you detach a disk encrypted by a CMK, check whether the CMK is disabled or scheduled for deletion.</p>
<ul id="evs_01_0009__ul214916308236"><li id="evs_01_0009__li4432174119236">If the CMK is available, the disk can be detached and re-attached, and data on the disk will not be lost.</li><li id="evs_01_0009__li21501630142311">If the CMK is unavailable, the disk can still be used, but there is no guarantee for how long it will be usable. If the disk is detached, it will be impossible to re-attach it later. In this case, do not detach the disk without a working CMK.</li></ul>
<p id="evs_01_0009__p14415194114592">The restoration method varies depending on the CMK status. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/evs/evs_01_0001.html" target="_blank" rel="noopener noreferrer">EVS Encryption</a>.</p>
<p id="evs_01_0009__p66047626212713">For details about how to detach an encrypted disk, see <a href="evs_01_0004.html">Detaching a Data Disk</a>.</p>
</div>
</div>
View Git Blame Copy Permalink