Enable and disable encryption at rest for a cluster

Contributors: netapp-dbagwell, ntap-bmegan

With SolidFire clusters, you can encrypt all at-rest data stored on cluster drives. You can enable cluster-wide protection of self-encrypting drives (SED) using either hardware or software-based encryption at rest.

You can enable hardware encryption at rest using the Element UI or API. Enabling the hardware encryption at rest feature does not affect performance or efficiency on the cluster. You can enable software encryption at rest using the Element API only.

Hardware-based encryption at rest is not enabled by default during cluster creation and can be enabled and disabled from the Element UI. Software encryption at rest must be enabled during cluster creation and cannot be disabled once the cluster has been created.

What you’ll need
  • You have cluster administrator privileges to enable or change encryption settings.

  • For hardware-based encryption at rest, you have ensured that the cluster is in a healthy state before changing encryption settings.

  • If you are disabling encryption, two nodes must be participating in a cluster to access the key to disable encryption on a drive.

Enable hardware-based encryption at rest

To enable encryption at rest using an external key management configuration, you must enable encryption at rest via the API. Enabling it with the existing Element UI button reverts the cluster to using internally generated keys.
  1. From the Element UI, select Cluster > Settings.

  2. Select Enable Encryption at Rest.
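The API route mentioned in the note above, sketched as an added example (not NetApp's own code). It assumes the Element API JSON-RPC methods EnableEncryptionAtRest (with its optional keyProviderID parameter) and GetClusterInfo (reporting encryptionAtRestState); the management VIP, API version, credentials, and key provider ID are placeholders you supply, and the sample response is constructed.

```python
import base64
import json
import urllib.request


def rpc(method, params=None, req_id=1):
    """Build an Element API JSON-RPC request body."""
    return {"method": method, "params": params or {}, "id": req_id}


def enable_ear_request(key_provider_id=None):
    """EnableEncryptionAtRest; pass keyProviderID to use an external key provider.

    Assumption: with no keyProviderID the cluster uses internally generated
    keys, the same outcome as the Element UI button.
    """
    params = {} if key_provider_id is None else {"keyProviderID": key_provider_id}
    return rpc("EnableEncryptionAtRest", params)


def ear_state(cluster_info_response):
    """Return encryptionAtRestState from a GetClusterInfo response."""
    if "error" in cluster_info_response:
        raise RuntimeError(cluster_info_response["error"].get("message", "API error"))
    return cluster_info_response["result"]["clusterInfo"]["encryptionAtRestState"]


def post(mvip, api_version, user, password, body):
    """Send one request to the management VIP; certificate checks stay on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{mvip}/json-rpc/{api_version}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response, not captured from a real cluster.
SAMPLE_ENABLING = {"id": 1, "result": {"clusterInfo": {"encryptionAtRestState": "enabling"}}}

if __name__ == "__main__":
    print(json.dumps(enable_ear_request(key_provider_id=1)))  # 1 is a placeholder ID
    print(ear_state(SAMPLE_ENABLING))
```

After sending the enable request with `post`, poll `rpc("GetClusterInfo")` and pass each response to `ear_state` until the state stops changing.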

Enable software-based encryption at rest

Software encryption at rest cannot be disabled after it is enabled on the cluster.
  1. During cluster creation, run the create cluster method with enableSoftwareEncryptionAtRest set to true.

Disable hardware-based encryption at rest

  1. From the Element UI, select Cluster > Settings.

  2. Select Disable Encryption at Rest.
