diff --git a/.changelog/3395.txt b/.changelog/3395.txt
new file mode 100644
index 0000000000..6b8ba0c696
--- /dev/null
+++ b/.changelog/3395.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_cbs_storage: support `encrypt_type`
+```
diff --git a/tencentcloud/services/cbs/resource_tc_cbs_storage.go b/tencentcloud/services/cbs/resource_tc_cbs_storage.go
index 8847a3887f..2b289138f2 100644
--- a/tencentcloud/services/cbs/resource_tc_cbs_storage.go
+++ b/tencentcloud/services/cbs/resource_tc_cbs_storage.go
@@ -137,6 +137,13 @@ func ResourceTencentCloudCbsStorage() *schema.Resource {
 				Computed:    true,
 				Description: "Whether to enable performance burst when creating a cloud disk.",
 			},
+			"encrypt_type": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				ForceNew:    true,
+				Computed:    true,
+				Description: "Specifies the cloud disk encryption type. The values are `ENCRYPT_V1` and `ENCRYPT_V2`, which represent the first-generation and second-generation encryption technologies respectively. The two encryption technologies are incompatible with each other. It is recommended to use the second-generation encryption technology `ENCRYPT_V2` first. The first-generation encryption technology is only supported on some older models. This parameter is only valid when creating an encrypted cloud disk.",
+			},
 			// computed
 			"storage_status": {
 				Type:        schema.TypeString,
@@ -227,6 +234,10 @@ func resourceTencentCloudCbsStorageCreate(d *schema.ResourceData, meta interface
 		request.BurstPerformance = helper.Bool(v.(bool))
 	}
 
+	if v, ok := d.GetOkExists("encrypt_type"); ok {
+		request.EncryptType = helper.String(v.(string))
+	}
+
 	storageId := ""
 	err := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
 		response, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseCbsClient().CreateDisks(request)
@@ -336,6 +347,10 @@ func resourceTencentCloudCbsStorageRead(d *schema.ResourceData, meta interface{}
 	_ = d.Set("throughput_performance", storage.ThroughputPerformance)
 	_ = d.Set("burst_performance", storage.BurstPerformance)
 
+	if storage.EncryptType != nil {
+		_ = d.Set("encrypt_type", storage.EncryptType)
+	}
+
 	if storage.KmsKeyId != nil {
 		_ = d.Set("kms_key_id", storage.KmsKeyId)
 	}
diff --git a/tencentcloud/services/cbs/resource_tc_cbs_storage.md b/tencentcloud/services/cbs/resource_tc_cbs_storage.md
index 386e061275..9d9186b73e 100644
--- a/tencentcloud/services/cbs/resource_tc_cbs_storage.md
+++ b/tencentcloud/services/cbs/resource_tc_cbs_storage.md
@@ -58,6 +58,24 @@ resource "tencentcloud_cbs_storage" "example" {
 }
 ```
 
+Create an encrypted CBS storage with encrypt_type
+
+```hcl
+resource "tencentcloud_cbs_storage" "example" {
+  storage_name      = "tf-example"
+  storage_type      = "CLOUD_SSD"
+  storage_size      = 100
+  availability_zone = "ap-guangzhou-3"
+  project_id        = 0
+  encrypt           = true
+  encrypt_type      = "ENCRYPT_V2"
+
+  tags = {
+    createBy = "Terraform"
+  }
+}
+```
+
 Create a dedicated cluster CBS storage
 
 ```hcl
diff --git a/website/docs/r/cbs_storage.html.markdown b/website/docs/r/cbs_storage.html.markdown
index ba9408857e..e172f01056 100644
--- a/website/docs/r/cbs_storage.html.markdown
+++ b/website/docs/r/cbs_storage.html.markdown
@@ -69,6 +69,24 @@ resource "tencentcloud_cbs_storage" "example" {
 }
 ```
 
+### Create an encrypted CBS storage with encrypt_type
+
+```hcl
+resource "tencentcloud_cbs_storage" "example" {
+  storage_name      = "tf-example"
+  storage_type      = "CLOUD_SSD"
+  storage_size      = 100
+  availability_zone = "ap-guangzhou-3"
+  project_id        = 0
+  encrypt           = true
+  encrypt_type      = "ENCRYPT_V2"
+
+  tags = {
+    createBy = "Terraform"
+  }
+}
+```
+
 ### Create a dedicated cluster CBS storage
 
 ```hcl
@@ -100,6 +118,7 @@ The following arguments are supported:
 * `charge_type` - (Optional, String) The charge type of CBS instance. Valid values are `PREPAID`, `POSTPAID_BY_HOUR`, `CDCPAID` and `DEDICATED_CLUSTER_PAID`. The default is `POSTPAID_BY_HOUR`.
 * `dedicated_cluster_id` - (Optional, String, ForceNew) Exclusive cluster id.
 * `disk_backup_quota` - (Optional, Int) The quota of backup points of cloud disk.
+* `encrypt_type` - (Optional, String, ForceNew) Specifies the cloud disk encryption type. The values are `ENCRYPT_V1` and `ENCRYPT_V2`, which represent the first-generation and second-generation encryption technologies respectively. The two encryption technologies are incompatible with each other. It is recommended to use the second-generation encryption technology `ENCRYPT_V2` first. The first-generation encryption technology is only supported on some older models. This parameter is only valid when creating an encrypted cloud disk.
 * `encrypt` - (Optional, Bool, ForceNew) Pass in this parameter to create an encrypted cloud disk.
 * `force_delete` - (Optional, Bool) Indicate whether to delete CBS instance directly or not. Default is false. If set true, the instance will be deleted instead of staying recycle bin.
 * `kms_key_id` - (Optional, String, ForceNew) Optional parameters. When purchasing an encryption disk, customize the key. When this parameter is passed in, the `encrypt` parameter need be set.