Encryption in Compute Cloud
By default, all data on Compute Cloud disks is encrypted at the storage database level using a system key. This protects your data from compromise in the event of physical disk theft from Yandex Cloud data centers. For more information, see Data protection.
We also recommend encrypting disks and disk snapshots using Yandex Key Management Service custom symmetric keys. This approach allows you to:
- Protect yourself against potential threats of isolation breach and data compromise at the virtual infrastructure level.
- Control the encryption and lifecycle of KMS keys and manage the keys, see Key management.
- Put the data on your disk under improved access control by setting permissions for KMS keys, see Configuring access permissions for a symmetric encryption key.
- Track encryption and decryption operations performed using your KMS key with the help of Yandex Audit Trails, see Key usage audit.
The encryption feature in Compute Cloud is currently at the Preview stage. To access it, open the resource creation page and click Request access under Encryption, or contact support.
You can encrypt the following types of disks:
- Network SSD (network-ssd)
- Network HDD (network-hdd)
- Non-replicated SSD (network-ssd-nonreplicated)
- Ultra high-speed network storage with three replicas (SSD) (network-ssd-io-m3)
For more details, see Disk types.
In Compute Cloud, encryption is available from the management console.
Encryption options
The options available when creating encrypted Compute Cloud resources and some aspects of using KMS keys are presented in the table:
Target resource | Source resource | Key | Note |
---|---|---|---|
Empty encrypted disk | — | Any | See Creating an empty disk. |
Encrypted disk | Unencrypted image | Any | See Recovering a disk from an image. You can also use an image to encrypt existing disks and snapshots. |
Encrypted disk | Encrypted snapshot | Snapshot key | See Recovering a disk from a snapshot. |
Encrypted snapshot | Encrypted disk | Disk key | See Creating a disk snapshot. |
The following additional encryption options will be implemented in Compute Cloud later:
Target resource | Source resource | Key | Note |
---|---|---|---|
Encrypted disk | Encrypted image | Image key | See Recovering a disk from an image. You can also use an encrypted image to create a copy of an encrypted disk. |
Encrypted disk | Unencrypted snapshot | Any | See Recovering a disk from a snapshot. |
Encrypted image | Encrypted disk | Disk key | See Creating an image from a disk. |
Using custom keys
By using custom KMS keys for disk and snapshot encryption, you get more granular control over access to encrypted data: you can create separate keys for specific users or tasks and deactivate or delete individual keys as soon as they are no longer needed.
If you deactivate the key used to encrypt a disk or snapshot, access to the data will be suspended until you reactivate the key.
Alert
If you destroy the key or its version used to encrypt a disk or snapshot, access to the data will be irrevocably lost. Learn more in Destroying key versions.
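The key lifecycle rules in this section (deactivating a key suspends access until it is reactivated; destroying it loses the data for good) and the key inheritance rules in the tables above (a snapshot of an encrypted disk is encrypted with the disk key, and a disk recovered from that snapshot uses the snapshot key) follow from envelope encryption: each volume has its own data key, and that data key is wrapped by the KMS key. The Python script below is an added illustration of that model, not Yandex Cloud code or its API. The `Kms` and `EncryptedVolume` classes, the three key states and the HMAC-based XOR stream cipher are toy stand-ins chosen so the model runs with the standard library only; they are assumptions of the example, not a description of how the service is implemented.

```python
"""Toy envelope-encryption model of KMS-backed disks and snapshots (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class KeyAccessSuspended(Exception):
    """KMS key is deactivated: data stays unreadable until the key is reactivated."""


class KeyDestroyed(Exception):
    """KMS key is destroyed: data encrypted under it is irrecoverably lost."""


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce || counter) blocks.
    No integrity protection; a stand-in for the real disk cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class KmsKey:
    key_id: str
    material: bytes = field(default_factory=lambda: os.urandom(32))
    state: str = "active"  # assumed states: active | inactive | destroyed


class Kms:
    """Minimal key service: create, deactivate/reactivate, destroy, wrap/unwrap."""

    def __init__(self) -> None:
        self.keys: dict[str, KmsKey] = {}

    def create_key(self, key_id: str) -> str:
        self.keys[key_id] = KmsKey(key_id)
        return key_id

    def deactivate(self, key_id: str) -> None:
        self._not_destroyed(key_id).state = "inactive"

    def activate(self, key_id: str) -> None:
        self._not_destroyed(key_id).state = "active"

    def destroy(self, key_id: str) -> None:
        key = self._not_destroyed(key_id)
        key.state = "destroyed"
        key.material = b""  # material gone: nothing wrapped under it can be unwrapped

    def _not_destroyed(self, key_id: str) -> KmsKey:
        key = self.keys[key_id]
        if key.state == "destroyed":
            raise KeyDestroyed(key_id)
        return key

    def _usable(self, key_id: str) -> KmsKey:
        key = self._not_destroyed(key_id)
        if key.state == "inactive":
            raise KeyAccessSuspended(key_id)
        return key

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + _xor_stream(self._usable(key_id).material, nonce, plaintext)

    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        return _xor_stream(self._usable(key_id).material, blob[:16], blob[16:])


@dataclass
class EncryptedVolume:
    kind: str           # "disk" or "snapshot"
    kms_key_id: str     # KMS key the volume is encrypted with
    wrapped_dek: bytes  # per-volume data key, wrapped by the KMS key
    nonce: bytes
    ciphertext: bytes


def create_encrypted_disk(kms: Kms, key_id: str, data: bytes) -> EncryptedVolume:
    """Random data key encrypts the disk; the KMS key wraps the data key."""
    dek, nonce = os.urandom(32), os.urandom(16)
    wrapped = kms.encrypt(key_id, dek)
    return EncryptedVolume("disk", key_id, wrapped, nonce, _xor_stream(dek, nonce, data))


def snapshot_disk(disk: EncryptedVolume) -> EncryptedVolume:
    """Snapshot of an encrypted disk is encrypted with the disk key (no re-encryption)."""
    return EncryptedVolume("snapshot", disk.kms_key_id, disk.wrapped_dek, disk.nonce, disk.ciphertext)


def restore_disk(snap: EncryptedVolume) -> EncryptedVolume:
    """Disk recovered from an encrypted snapshot is encrypted with the snapshot key."""
    return EncryptedVolume("disk", snap.kms_key_id, snap.wrapped_dek, snap.nonce, snap.ciphertext)


def read_volume(kms: Kms, vol: EncryptedVolume) -> bytes:
    """Unwrap the data key through KMS, then decrypt the volume contents."""
    dek = kms.decrypt(vol.kms_key_id, vol.wrapped_dek)
    return _xor_stream(dek, vol.nonce, vol.ciphertext)


def access_state(kms: Kms, vol: EncryptedVolume) -> str:
    """What a reader sees: "ok", "suspended" (reactivate the key) or "lost"."""
    try:
        read_volume(kms, vol)
        return "ok"
    except KeyAccessSuspended:
        return "suspended"
    except KeyDestroyed:
        return "lost"
```

Running the model end to end shows the behaviour the section describes: create a key, encrypt a disk with it and take a snapshot; `access_state` reports "ok" for both. Deactivate the key and both report "suspended", reactivate it and a disk restored from the snapshot reads back the original payload; destroy the key and every volume that depends on it, including any later restore from the snapshot, reports "lost". The wrapped data key is what gets stored with each volume, which is why the snapshot and the restored disk keep pointing at the same KMS key rather than being re-encrypted.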
For a VM to have access to an encrypted disk, attach to it a service account with the kms.keys.encrypterDecrypter role. Note that you can attach two types of service accounts to a VM:
- Service account to work with cloud resources from inside the VM, e.g., to deliver metrics to Yandex Monitoring, send logs to Yandex Cloud Logging, or connect to Yandex Cloud Backup. This service account is specified in the access parameter section.
- Service account to access encrypted disks. This service account is specified in the disk parameter section.
To use encryption in Compute Cloud, the user must have the following roles:
- iam.serviceAccounts.user or a higher role for the service account used for encryption. For more information, see Yandex Identity and Access Management roles.
- kms.viewer or a higher role for the key used for encryption. For more information, see Yandex Key Management Service roles.