Encryption Overview

Updated at: 2025-11-03

Overview

Disk Encryption is intended for scenarios that demand data security or regulatory compliance: it protects the data on your Baidu AI Cloud Compute (BCC) disks against theft and leakage. Enabling Disk Encryption keeps your data private and under your control without requiring you to build or maintain key management infrastructure, establishing a secure boundary around business data.

Functions

Disk Encryption uses the industry-standard AES-256 algorithm and encrypts Cloud Disk Servers with keys created in your Baidu AI Cloud Key Management Service (KMS). Cloud Disk Server encryption supports three KMS key types: BAIDU_AES_256, AES_128, and AES_256. Instance performance shows almost no degradation while a Cloud Disk Server is encrypted or decrypted.

Encryption method

To encrypt a Data Disk, enable Disk Encryption when creating a Baidu Cloud Compute (BCC) instance or a Cloud Disk Server (CDS).
To encrypt a System Disk, you must first create an encrypted Custom Image and then create an encrypted System Disk from it.

  • If you have activated KMS and created a key of an eligible type (BAIDU_AES_256, AES_128, or AES_256) in the Region where the disk will be created, you can use that KMS key directly for Cloud Disk Server encryption;
  • If you have not activated KMS, or have not created a key of an eligible type in this Region, you must first create one in the KMS Console;
  • When encrypting a Cloud Disk Server for the first time, you must authorize CDS to access and invoke the keys stored in KMS. CDS only accesses the KMS Customer Master Key (CMK) and cannot read your encrypted disk data;
  • Disk Encryption itself does not incur additional fees, but KMS charges for key custody. KMS also grants each user a free call quota; once KMS calls exceed that quota, KMS call fees apply. For details, refer to KMS Billing Instructions;
  • Encryption and decryption are triggered automatically; no manual intervention is required during use.

Description:

  • When a Cloud Disk Server is encrypted with a specific CMK in KMS, all of its data is encrypted under that Master Key, and the key binding cannot be changed afterwards. All snapshots (and custom images) of that Cloud Disk Server, and any new data or system disks created from them, are also bound to the same CMK. The CMK is used only in the memory of the host machine on which your BCC Instance runs and is never written in plain text to any storage medium. CMKs are held within the key management infrastructure provided by KMS, which applies physical and logical safeguards against unauthorized access.

Encrypted data scope

When you create an encrypted disk and attach it to a Baidu Cloud Compute instance, the following data is encrypted:

  • Data at rest on this Cloud Disk Server;
  • Data in transit between this Cloud Disk Server and the Instance;
  • All automatic and manual snapshots created from this Cloud Disk Server;
  • New Cloud Disk Servers created from those encrypted snapshots.

Instance types supported

  • All available Baidu Cloud Compute Instance Specifications are supported;
  • All available Cloud Disk Server types are supported, including General Purpose SSD, High-Performance Cloud Disk, High-Throughput HDD, General-purpose HDD, and previous-generation Cloud Disk Servers; local disks are not supported.

Usage restrictions

The Cloud Disk Server's Encryption feature has the following limitations:

Key Restrictions
  • Automatic creation of a new KMS key during Cloud Disk Server creation is not supported. You must first create a KMS key manually in the KMS console before creating an encrypted disk.
  • Before the disk is released, it is not recommended to delete or disable the associated KMS key (KMS allows disabling or deleting keys that associated services still use). Deleting or disabling the key renders the encrypted disk undecryptable: it can no longer be mounted, rolled back from a snapshot, or used to create new CDS Cloud Disk Servers from its snapshots. Proceed with caution.
  • Once an encrypted Cloud Disk Server is created, the encrypted disk itself, encrypted snapshots created from it, encrypted custom images, new Cloud Disk Servers created from those encrypted snapshots, and new system disks created from those encrypted custom images are all encrypted with the same KMS key, which cannot be changed.

State Change Restrictions
  • An encrypted Cloud Disk Server cannot be converted to a non-encrypted Cloud Disk Server.
  • Existing non-encrypted snapshots created from non-encrypted Cloud Disks cannot be changed to encrypted snapshots.
  • Existing non-encrypted custom images cannot be converted to encrypted custom images.
  • Existing encrypted custom images cannot be converted to non-encrypted custom images.

Usage Restrictions
  • Encrypted snapshots do not support cross-region replication.
  • When an instance snapshot includes encrypted Cloud Disk Servers, their disk snapshots are automatically encrypted.
  • Local disk types do not support encryption.
  • When encrypting a custom system disk image, associating a Data Disk during image creation is not supported; conversely, if a Data Disk is associated during image creation, the custom system disk image cannot be encrypted.

Region Restrictions
  • Encryption of Data Disks and snapshots is currently supported only in the North China-Beijing and South China-Guangzhou regions.
  • Encryption of System Disks and images is currently supported only in the North China-Beijing region.
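As an added example (not code from the CDS or KMS documentation), the following Python encodes the rules from the Encryption method section and the restrictions above as a pre-flight check before creating an encrypted disk, plus a guard that lists what would become undecryptable if a KMS key were disabled or deleted. The region names are taken from this page; the dataclasses, function names and the resource tuples are assumptions for illustration only.

```python
# Added example: pre-flight checks that mirror the rules stated on this page.
# KmsKey, DiskRequest, preflight and key_release_blockers are illustrative
# names, not the CDS or KMS API.
from dataclasses import dataclass

ELIGIBLE_KEY_TYPES = {"BAIDU_AES_256", "AES_128", "AES_256"}
# Regions in which encryption is offered, per disk kind, as named on this page.
ENCRYPTION_REGIONS = {
    "data": {"North China-Beijing", "South China-Guangzhou"},
    "system": {"North China-Beijing"},
}

@dataclass(frozen=True)
class KmsKey:
    key_id: str
    key_type: str
    region: str
    enabled: bool = True

@dataclass(frozen=True)
class DiskRequest:
    kind: str        # "data" or "system"
    region: str
    disk_type: str   # e.g. "General Purpose SSD" or "local"
    key_id: str

def preflight(req: DiskRequest, keys: dict[str, KmsKey]) -> list[str]:
    """Return the reasons an encrypted-disk request would fail (empty list = OK)."""
    problems = []
    if req.disk_type == "local":
        problems.append("local disks cannot be encrypted")
    if req.region not in ENCRYPTION_REGIONS.get(req.kind, set()):
        problems.append(f"{req.kind} disk encryption is not offered in {req.region}")
    key = keys.get(req.key_id)
    if key is None:  # keys are never auto-created during disk creation
        problems.append("KMS key must be created in the KMS console first")
        return problems
    if key.key_type not in ELIGIBLE_KEY_TYPES:
        problems.append(f"key type {key.key_type} is not eligible")
    if key.region != req.region:
        problems.append("KMS key must be in the same region as the disk")
    if not key.enabled:
        problems.append("KMS key is disabled; the disk would be undecryptable")
    return problems

def key_release_blockers(key_id: str, resources: list[tuple[str, str, str]]) -> list[str]:
    """Resources (kind, name, key_id) still bound to key_id. While any remain,
    disabling or deleting the key makes them undecryptable."""
    return [f"{kind}:{name}" for kind, name, bound_key in resources if bound_key == key_id]
```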
