Encryption in Compute Cloud
By default, all data on Compute Cloud disks is encrypted at the storage database level using a system key. This protects your data from being compromised in the event of a physical theft of disks from Yandex Cloud data centers. For more information, see Data protection.
We also recommend encrypting disks, snapshots, and images using custom Yandex Key Management Service symmetric keys. This approach allows you to:
- Protect yourself against potential threats of isolation breach and data compromise at the virtual infrastructure level.
- Control and manage the encryption and lifecycle of KMS keys. See Key management.
- Improve data access control for your disk by requiring permissions for KMS keys. See Configuring access permissions for a symmetric encryption key.
- Follow encryption and decryption operations performed using your KMS key with the help of Yandex Audit Trails. See Key usage audit.
You can encrypt the following types of disks:
- Network SSD (network-ssd)
- Network HDD (network-hdd)
- Non-replicated SSD (network-ssd-nonreplicated)
- Ultra high-speed network storage with three replicas (SSD) (network-ssd-io-m3)
For more details, see Disk types.
Warning
You can specify encryption settings only when creating a disk. You cannot disable or change disk encryption.
In Compute Cloud, encryption is available from the management console
Encryption options
The options available when creating encrypted Compute Cloud resources and some aspects of using KMS keys are presented in the table:
Target resource | Source resource | Key | Note |
---|---|---|---|
Empty encrypted disk | — | Any | See Creating an empty disk. |
Encrypted disk | Unencrypted image | Any | See Recovering a disk from an image. You can also use an image to encrypt existing disks and snapshots. |
Encrypted disk | Encrypted snapshot | Snapshot key | See Recovering a disk from a snapshot. |
Encrypted snapshot | Encrypted disk | Disk key | See Creating a disk snapshot. |
The following additional encryption options will be implemented in Compute Cloud later:
Target resource | Source resource | Key | Note |
---|---|---|---|
Encrypted disk | Encrypted image | Image key | See Recovering a disk from an image. You can also use an encrypted image to create a copy of an encrypted disk. |
Encrypted disk | Unencrypted snapshot | Any | See Recovering a disk from a snapshot. |
Encrypted image | Encrypted disk | Disk key | See Creating an image from a disk. |
Using custom keys
By using custom KMS keys for disk and snapshot encryption, you can achieve more granular control over access to encrypted data: create custom keys for specific users or tasks, and deactivate or delete specific keys in a timely manner.
If you deactivate the key used to encrypt a disk, image, or snapshot, access to the data will be suspended until you reactivate the key.
Alert
If you destroy the key or its version used to encrypt a disk, image, or snapshot, access to the data will be irrevocably lost. Learn more in Destroying key versions.
For a VM to have access to an encrypted disk, attach to it a service account with the kms.keys.encrypterDecrypter role. Note that you can attach two types of service accounts to a VM:
- Service account to work with cloud resources from inside the VM, e.g., to deliver metrics to Yandex Monitoring, send logs to Yandex Cloud Logging, or connect to Yandex Cloud Backup. This service account is specified in the access parameter section.
- Service account to access encrypted disks. This service account is specified in the disk parameter section.
To use encryption in Compute Cloud, the user must have the following roles:
- iam.serviceAccounts.user or higher for the service account used for encryption. For more information, see Yandex Identity and Access Management roles.
- kms.viewer or higher for the key used for encryption. For more information, see Yandex Key Management Service roles.
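The key and role rules above can be checked before a create request is submitted. The following preflight check is an added example, not Yandex Cloud code: it combines the encryption options tables, the key state consequences, and the role requirements from this page. The binding format, the state labels, the set of roles treated as "or higher", and the placement of kms.keys.encrypterDecrypter on the key are assumptions of the example.

```python
# Added example (not Yandex Cloud code). Key rule per (target, source) pair,
# from the first table: "any" key, or the "source" resource's key.
SUPPORTED = {
    ("disk", None): "any",  # empty encrypted disk
    ("disk", "unencrypted image"): "any",
    ("disk", "encrypted snapshot"): "source",  # snapshot key
    ("snapshot", "encrypted disk"): "source",  # disk key
}
# Second table: combinations the page says will be implemented later.
PLANNED = {("disk", "encrypted image"), ("disk", "unencrypted snapshot"),
           ("image", "encrypted disk")}
# ASSUMPTION: roles accepted as "or higher"; check the IAM and KMS role references.
SATISFIES = {
    "kms.viewer": {"kms.viewer", "kms.editor", "kms.admin"},
    "iam.serviceAccounts.user": {"iam.serviceAccounts.user", "iam.serviceAccounts.admin"},
    "kms.keys.encrypterDecrypter": {"kms.keys.encrypterDecrypter"},
}

def has_role(bindings, subject, resource, role):
    """bindings: set of (subject, resource, role) tuples, a format made up here."""
    return any((subject, resource, r) in bindings for r in SATISFIES[role])

def preflight(target, source, key, source_key, key_state, user, disk_sa, bindings):
    """Return the list of problems; empty means the request fits the page's rules."""
    problems = []
    if (target, source) in PLANNED:
        problems.append("combination not implemented yet")
    elif (target, source) not in SUPPORTED:
        problems.append("combination not listed")
    elif SUPPORTED[(target, source)] == "source" and key != source_key:
        problems.append("key must be the source resource's key")
    if key_state == "inactive":  # state labels are this example's own
        problems.append("key deactivated: access suspended until reactivated")
    elif key_state == "destroyed":
        problems.append("key destroyed: access irrevocably lost")
    if not has_role(bindings, user, disk_sa, "iam.serviceAccounts.user"):
        problems.append("user lacks iam.serviceAccounts.user on the service account")
    if not has_role(bindings, user, key, "kms.viewer"):
        problems.append("user lacks kms.viewer on the key")
    # ASSUMPTION: the disk service account's role is granted on the key itself.
    if not has_role(bindings, disk_sa, key, "kms.keys.encrypterDecrypter"):
        problems.append("disk service account lacks kms.keys.encrypterDecrypter")
    return problems

# Constructed sample bindings; all identifiers are placeholders.
BINDINGS = {
    ("user:alice", "sa:disk-sa", "iam.serviceAccounts.user"),
    ("user:alice", "key:k1", "kms.editor"),
    ("sa:disk-sa", "key:k1", "kms.keys.encrypterDecrypter"),
}
```

An empty result means the request matches every rule stated on this page; each returned string names the rule that failed.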