Enabling and disabling encryption for a cluster

With SolidFire clusters, you can encrypt all data stored on the cluster. You can enable and disable cluster-wide encryption at rest. This feature is not enabled by default.

Before you begin

About this task

All drives in storage nodes capable of encryption leverage AES 256-bit encryption at the drive level. Each drive has its own encryption key, which is created when the drive is first initialized. When you enable the encryption feature, a cluster-wide password is created, and chunks of the password are then distributed to all nodes in the cluster. No single node stores the entire password. The password is then used to password-protect all access to the drives. The password is needed to unlock the drive and then not needed unless power is removed from the drive or the drive is locked.

Enabling the encryption at rest feature does not affect performance or efficiency on the cluster. Additionally, if an encryption-enabled drive or node is removed from the cluster with the Element API or Element UI, encryption at rest will be disabled on the drives. After the drive is removed, the drive can be secure erased by using the SecureEraseDrives API method. If a drive or node is forcibly removed from the cluster, the data remains protected by the cluster-wide password and the drive’s individual encryption keys.

Note: This feature is unavailable in SolidFire Enterprise SDS clusters.

Another type of encryption at rest, Software Encryption at Rest available in SolidFire Enterprise SDS nodes, enables all data written to the SSDs in a storage cluster to be encrypted. This provides a primary layer of encryption in SolidFire Enterprise SDS nodes that do not include Self-Encrypting Drives (SEDs).

SolidFire Enterprise SDS overview

You can enable encryption at rest using the Element UI or API.

To enable Software Encryption at Rest using the API, use the Element EnableEncryptionAtRest API command.

EnableEncryptionAtRest API method


  1. Click Cluster > Settings.
  2. Click Enable Encryption at Rest.
  3. Optional: To disable encryption at rest, click Disable Encryption at Rest.