Encrypt System Disk and Image

CDS

  • API Reference
    • Disk Related Interfaces
  • Dedicated Cluster Operation Guide
    • Charge
    • Create a dedicated cluster
    • Create Cloud Disk Server in Dedicated Cluster
    • Expand Dedicated Cluster
    • View Dedicated Cluster Information
    • What Is a Dedicated Cluster
  • Disk Operation Guide
    • Basic Operations
      • Create cloud disks
      • Disk encryption
        • Encrypt Data Disk and Snapshot
        • Encrypt System Disk and Image
        • Encryption Overview
      • Format cloud disks
        • Format Disk Partition on Linux System
        • Format Disk Partition on Windows System
        • Overview
      • Monitor alarm
      • mount Cloud Disk Server
      • Recycle bin
      • Release cloud disks
      • Tag Management
      • Unmount Cloud Disk Server
    • Billing management
      • Renew cloud disks
      • Shift Charge
    • Elastic Operations
      • Burst performance capability
      • Change cloud disk type
      • Performance preconfiguration
        • Use Performance Pre-Configuration
        • What Is Performance Pre-Configuration
      • Resize cloud disks
        • Expansion Overview
        • Extend Disk Partition on Linux Data Disk
        • Extend Disk Partition on Linux System Disk
        • Extend Disk Partition on Windows Data Disk
        • Extend Disk Partition on Windows System Disk
  • FAQs
    • Billing Problems
    • Common Questions Overview
    • Configuration-related questions
    • Fault-related questions
    • Performance-related questions
    • Security Problems
  • Peripheral Tools
    • CDSCMD Tool
      • Configure CDS CMD Tool
      • Install CDS CMD Tool
      • Operate Disk Using CDS CMD Tool
      • Overview
      • Tool Version History
  • Product Description
    • Application scenarios
    • Disk Status
    • Disk types
    • Product advantages
    • Product features
    • Product functions
    • Product Introduction
    • Type and Region
  • Product pricing
    • Disk charge type
      • Pay as you go
      • Subscription billing
    • Disk Expiration and Debt Reminder
    • Snapshot Charge Type
    • Universal Storage Capacity Package GSCP
  • Product Updates
    • Function Release Records
    • Product Announcement
      • Adjustments to prepay Disk renew, shift charge, and Unsubscribe Operations
  • Service Level Agreement (SLA)
    • Baidu Intelligent Cloud Block Storage Trusted Cloud
    • CDS Service Level Agreement (SLA V2_0)
  • Snapshot Operation Guide
    • Disk Snapshot
      • Automatic snapshot
      • Create a custom image
      • Create CDS disk from snapshot
      • Cross-region replication
      • Delete a snapshot
      • Manual Snapshot
      • Snapshot Rollback
      • Tag Management
    • Instance snapshots
      • Instance snapshots
    • Introduction to snapshot
      • Instructions for use
      • Snapshot chain
  • Typical Practices
    • Block Device Persistent Naming
All documents
menu
No results found, please re-enter

CDS

  • API Reference
    • Disk Related Interfaces
  • Dedicated Cluster Operation Guide
    • Charge
    • Create a dedicated cluster
    • Create Cloud Disk Server in Dedicated Cluster
    • Expand Dedicated Cluster
    • View Dedicated Cluster Information
    • What Is a Dedicated Cluster
  • Disk Operation Guide
    • Basic Operations
      • Create cloud disks
      • Disk encryption
        • Encrypt Data Disk and Snapshot
        • Encrypt System Disk and Image
        • Encryption Overview
      • Format cloud disks
        • Format Disk Partition on Linux System
        • Format Disk Partition on Windows System
        • Overview
      • Monitor alarm
      • mount Cloud Disk Server
      • Recycle bin
      • Release cloud disks
      • Tag Management
      • Unmount Cloud Disk Server
    • Billing management
      • Renew cloud disks
      • Shift Charge
    • Elastic Operations
      • Burst performance capability
      • Change cloud disk type
      • Performance preconfiguration
        • Use Performance Pre-Configuration
        • What Is Performance Pre-Configuration
      • Resize cloud disks
        • Expansion Overview
        • Extend Disk Partition on Linux Data Disk
        • Extend Disk Partition on Linux System Disk
        • Extend Disk Partition on Windows Data Disk
        • Extend Disk Partition on Windows System Disk
  • FAQs
    • Billing Problems
    • Common Questions Overview
    • Configuration-related questions
    • Fault-related questions
    • Performance-related questions
    • Security Problems
  • Peripheral Tools
    • CDSCMD Tool
      • Configure CDS CMD Tool
      • Install CDS CMD Tool
      • Operate Disk Using CDS CMD Tool
      • Overview
      • Tool Version History
  • Product Description
    • Application scenarios
    • Disk Status
    • Disk types
    • Product advantages
    • Product features
    • Product functions
    • Product Introduction
    • Type and Region
  • Product pricing
    • Disk charge type
      • Pay as you go
      • Subscription billing
    • Disk Expiration and Debt Reminder
    • Snapshot Charge Type
    • Universal Storage Capacity Package GSCP
  • Product Updates
    • Function Release Records
    • Product Announcement
      • Adjustments to prepay Disk renew, shift charge, and Unsubscribe Operations
  • Service Level Agreement (SLA)
    • Baidu Intelligent Cloud Block Storage Trusted Cloud
    • CDS Service Level Agreement (SLA V2_0)
  • Snapshot Operation Guide
    • Disk Snapshot
      • Automatic snapshot
      • Create a custom image
      • Create CDS disk from snapshot
      • Cross-region replication
      • Delete a snapshot
      • Manual Snapshot
      • Snapshot Rollback
      • Tag Management
    • Instance snapshots
      • Instance snapshots
    • Introduction to snapshot
      • Instructions for use
      • Snapshot chain
  • Typical Practices
    • Block Device Persistent Naming
  • Document center
  • arrow
  • CDS
  • arrow
  • Disk Operation Guide
  • arrow
  • Basic Operations
  • arrow
  • Disk encryption
  • arrow
  • Encrypt System Disk and Image
Table of contents on this page
  • Overview
  • Create an encrypted custom image
  • Creating Encrypted System Disks

Encrypt System Disk and Image

Updated at:2025-11-03

Overview

You can create an encrypted custom image, and the system disk of instances created from it will also be encrypted. Once the encrypted system disk is created, any new custom images or system disk snapshots derived from it will also be encrypted.

Create an encrypted custom image

1. Sign in to the Baidu AI Cloud official website

Sign in to Baidu AI Cloud official website.

  • If you have not registered an account, you must first [register an account](UserGuide/Register an account.md#Register a Baidu Account).
  • If you have registered an account, you can directly sign in.

2. Access the BCC console

Navigate to the BCC console by selecting "Baidu Cloud Compute > Baidu Cloud Compute (BCC)" in the left sidebar.

3. Enter the disk list

Click "Disk" on the left sidebar of the console page to view the disk list. Then click the "Create Image" button next to the System Disk to create an image for it.

image.png

4. Create an Encrypted Custom Image

After clicking "Create Image," enable the Encryption option to create an encrypted custom image. If enabling CDS Disk Encryption for the first time, you must authorize CDS to use your created KMS master keys and review KMS billing details. If the KMS service hasn’t been enabled, you’ll need to enable it first.

After enabling Disk Encryption, CDS will automatically retrieve your created KMS master keys within this region. If your master key does not appear in the drop-down menu, possible reasons include:

  • You have not created a KMS key yet. Please proceed to the KMS console to create one;
  • KMS is Region-specific. If you have not created a KMS key in this Region, please proceed to the KMS console to create one;
  • The KMS key type you created in this region is incompatible with associated disk encryption. Please create BAIDU_AES_256, AES_128, or AES_256 type keys.

image.png

5. Creation Completed

After clicking "Confirm," please wait a few minutes. During the image creation process, the System Disk will display an "Unavailable" status. Once the image creation is complete, the System Disk status will change to "Running," and you can click on "Image" in the left sidebar to view the image list.

image.png

Creating Encrypted System Disks

1. Sign in to the Baidu AI Cloud official website

Sign in to Baidu AI Cloud official website.

  • If you have not registered an account, you must first [register an account](UserGuide/Register an account.md#Register a Baidu Account).
  • If you have registered an account, you can directly sign in.

2. Access the BCC console

Navigate to the BCC console by selecting "Baidu Cloud Compute > Baidu Cloud Compute (BCC)" in the left sidebar.

3. Creating New BCC Cloud Compute

Click "Create Instance" at the top of the console page to create a new BCC Instance.

image.png

4. Create an Encrypted System Disk

Select "Image Type" as "Custom Image" and choose the created encrypted custom image. The new System Disk will automatically be encrypted and use the KMS master key associated with the encrypted custom image.

image.png

Note:

  • Encrypted System Disks cannot be changed to be non-encrypted after creation. Enable encryption with caution;
  • Snapshots of encrypted System Disks and new Custom Images created from them will be automatically encrypted and cannot be changed to a non-encrypted state;
  • Encrypted Images can currently only be created in Beijing; Guangzhou and Suzhou are not yet supported;
  • Encrypted system disks retain the KMS master key from their custom images and cannot be altered. Subsequent snapshots and custom images will continue to utilize the same KMS master key.

5. Creation Completed

Previous
Encrypt Data Disk and Snapshot
Next
Encryption Overview