Encrypting Images

You can create encrypted images to securely store data.

To use image encryption, you must apply for KMS Administrator permissions.
An encrypted full-ECS image may contain multiple disks. The encryption status of each disk may be different. So, the encryption status of a full-ECS image is displayed as - in the image list.
An encrypted full-ECS image inherits the encryption status of each disk of the ECS used to create the image. The inherited status cannot be changed.
For how to check the encryption status of a disk in an encrypted full-ECS image, see How Do I Check the Encryption Status of a Disk in an Encrypted Full-ECS Image?
When you share an encrypted image with a user, ensure that the user has permissions for the key used to encrypt the image.

DEW must be enabled.
An image encrypted using the default key cannot be shared with other users.
Encrypted images cannot be published in KooGallery.
The system disk of an ECS created from an encrypted image is also encrypted, and its key is the same as the image key.
If an ECS has an encrypted system disk, private images created from the ECS are also encrypted.
The key used for encrypting an image cannot be changed.
If the key used for encrypting an image is disabled or deleted, the image is unavailable.
Encrypted full-ECS images cannot be replicated across regions.

You can create an encrypted image from an image file or an encrypted ECS.

Create an encrypted image from an image file.
When you register an image file as a private image, select KMS encryption and select a key. For details, see Creating a System Disk Image from an Image File.
Create an encrypted image from an encrypted ECS.
When you use an ECS to create a private image, if the system disk of the ECS is encrypted, the private image created from this ECS will also be encrypted. The key used for encrypting the image is the same as that used for encrypting the system disk. For details, see Creating a System Disk Image from an ECS.