The encryption of the system hard disk (OS Disk) is now available in EU-DE region. In addition to the existing functionality of encrypting data disks, this feature will enable you to encrypt the ECS system disk. The service uses industrial standard AES-256 encryption and therefore complies with the highest data security standards. The encryption can be conveniently configured via the Open Telekom Cloud Console and APIs*, as it uses the Key Management Service (KMS) for encrypting the hard disks. We will release this feature approximately within the first quarter of 2022 in the NL region as well.
Below is a small description about the current behavior of the system disk encryption functionality:
- You can activate the encryption option during the ECS provisioning process or use an already encrypted image
- An encrypted image (using an encrypted system disk) of a VM cannot be converted to an unencrypted image
- In order to encrypt the system disk, you can use the KMS Default Master Key (evs/default) or a Customer Master Key (CMK).
- To enable EVS encryption, the respective KMS access permissions must be enabled for the EVS in your region.
- Encrypted images cannot be shared.
- Third-party tools such as Terraform are already supported.
*Currently only available for our recommended API.
**Deleting a CMK will affect the ECS disc used, which will then no longer be available after detaching.
***See the documentation in EVS section "Who Can Use the Disk Encryption Feature?".
For the administration and creation of encrypted images (e.g. Managing an Encrypted EVS Disk), see the documentation in the EVS section.
For the administration of keys (e.g. Managing CMKs), see the documentation in the KMS section.
For the administration of encrypted images (e.g. "Creating Encrypted Images"), see the documentation in the IMS section.
Further information (e.g. "EVS Disk Encryption") can be found in the ECS area of the Help Center.