Encrypting a disk

1. Create a Yandex Key Management Service encryption key. For more information, see Encryption in Compute Cloud.

2. Create an image of the disk you want to encrypt.

3. Create an encrypted disk from the image:

   Management console

   1. In the management console, select the folder where you want to create an encrypted disk.

   2. Select Compute Cloud.

   3. In the left-hand panel, select Disks.

   4. Click Create disk.

   5. Enter a name for the disk.

      • It must be from 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

   6. Select the same availability zone that contained the source disk.

   7. Set the disk parameters, such as disk type, block size, and disk size.

   8. In the Contents field, select Image and then select the image you created earlier from the list below. Use the filter to find the image.

   9. Optionally, under Encryption:

      • Select Encrypted disk.
      • In the KMS key field, select the key you created earlier. To create a new key, click Create.

      To create an encrypted disk, you need the kms.keys.user role or higher.

      Warning

      You can specify encryption settings only when creating a disk. You cannot disable or change disk encryption. You also cannot enable encryption for an existing disk.

      If you deactivate the key used to encrypt a disk, image, or snapshot, access to the data will be suspended until you reactivate the key.

      Alert

      If you destroy the key or its version used to encrypt a disk, image, or snapshot, access to the data will be irrevocably lost. For details, see Destroying key versions.

   10. Click Create disk.

   Once created, the disk will get the Creating status. Wait until the disk status changes to Ready before using it.

4. Delete the image.

5. Delete the unencrypted disk.

See alsoSee also

• Encryption in Compute Cloud
• Encrypting an image