Encryption in Compute Cloud
By default, all data on Compute Cloud disks is encrypted at the storage database level using a system key. This protects your data from being compromised in the event of a physical theft of disks from Yandex Cloud data centers. For more information, see Data protection.
We also recommend encrypting disks, snapshots, and images using custom Yandex Key Management Service symmetric keys. This approach allows you to:
- Protect yourself against potential threats of isolation breach and data compromise at the virtual infrastructure level.
- Control and manage the encryption and lifecycle of KMS keys. See Key management.
- Improve data access control for your disk by requiring permissions for KMS keys. See Configuring access permissions for a symmetric encryption key.
- Follow encryption and decryption operations performed using your KMS key with the help of Yandex Audit Trails. See Key usage audit.
You can encrypt the following types of disks:
- Network SSD (
network-ssd) - Network HDD (
network-hdd) - Non-replicated SSD (
network-ssd-nonreplicated) - Ultra high-speed network storage with three replicas (SSD) (
network-ssd-io-m3)
For more details, see Disk types.
Warning
You can specify encryption settings only when creating a disk. You cannot disable or change disk encryption. You also cannot enable encryption for an existing disk.
In Compute Cloud, encryption is available from the management console, CLI, and API.
Encryption options
The table below lists the methods you can use to create encrypted Compute Cloud resources and some features of KMS keys:
| Target resource | Source resource | Key | Note |
|---|---|---|---|
| Empty encrypted disk | — | Any | See Creating an empty disk. |
| Encrypted disk | Unencrypted image | Any | See Recovering a disk from an image. You can also use an image toencrypt existing disks and snapshots. |
| Encrypted disk | Encrypted image | Image key | See Recovering a disk from an image.You can also use an encryptedimage to create a copy ofan encrypted disk. |
| Encrypted disk | Unencrypted snapshot | Any | See Recovering a disk from a snapshot. |
| Encrypted disk | Encrypted snapshot | Snapshot key | See Recovering a disk from a snapshot. |
| Encrypted image | Encrypted disk | Disk key | See Creating an image from a disk. |
| Encrypted snapshot | Encrypted disk | Disk key | See Creating a disk snapshot. |
Using custom keys
By using custom KMS keys for disk and snapshot encryption, you can achieve more granular control over access to encrypted data: create custom keys for specific users or tasks, timely deactivate or delete specific keys.
If you deactivate the key used to encrypt a disk, image, or snapshot, access to the data will be suspended until you reactivate the key.
Alert
If you destroy the key or its version used to encrypt a disk, image, or snapshot, access to the data will be irrevocably lost. For details, see Destroying key versions.
To use encryption in Compute Cloud, the user must have the kms.keys.user or kms.admin role for the key used for encryption. These roles enable you to do the following:
- Create an encrypted disk.
- Create a VM with an encrypted disk.
- Attach an encrypted disk to an existing VM.
- Start and restart a VM with an encrypted disk.
For more information, see Access management.