Enable and disable encryption at rest for a cluster

Contributors netapp-dbagwell

With SolidFire clusters, you can encrypt all at-rest data stored on cluster drives. You can enable cluster-wide protection of self-encrypting drives (SEDs) using either hardware-based or software-based encryption at rest.

You can enable hardware encryption at rest using the Element UI or API. Enabling the hardware encryption at rest feature does not affect performance or efficiency on the cluster. You can enable software encryption at rest using the Element API only.

Hardware-based encryption at rest is not enabled by default during cluster creation and can be enabled and disabled from the Element UI.

Warning: For SolidFire all-flash storage clusters, software encryption at rest must be enabled during cluster creation and cannot be disabled after the cluster has been created. For SolidFire Enterprise SDS (eSDS) clusters, software encryption at rest is enabled by default.

What you’ll need
  • You have cluster administrator privileges to enable or change encryption settings.

  • For hardware-based encryption at rest, you have ensured that the cluster is in a healthy state before changing encryption settings.

  • If you are disabling encryption, two nodes must be participating in a cluster to access the key to disable encryption on a drive.

Check encryption at rest status

To see the current status of encryption at rest and/or software encryption at rest on the cluster, use the GetClusterInfo method. You can use the GetSoftwareEncryptionAtRestInfo method to get information the cluster uses to encrypt data at rest.

Note: The Element software UI dashboard at https://<MVIP>/ currently only shows encryption at rest status for hardware-based encryption.
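Because the UI dashboard reports only the hardware-based state, a scripted check against the GetClusterInfo reply is the reliable way to confirm either form of encryption. The following is an added example, not NetApp code: the reply field names (encryptionAtRestState, softwareEncryptionAtRestState), their state values, and the error object shape are assumptions not stated on this page, and the sample replies are constructed.

```python
import json

def build_request(method, request_id=1):
    """JSON-RPC body for an Element API method that takes no parameters."""
    return json.dumps({"method": method, "params": {}, "id": request_id})

def encryption_status(response_text):
    """Summarise encryption at rest from a GetClusterInfo response body."""
    reply = json.loads(response_text)
    if reply.get("error"):
        err = reply["error"]
        raise RuntimeError(f"{err.get('name')}: {err.get('message')}")
    info = reply["result"]["clusterInfo"]
    # A field missing from the reply is reported as "unknown", never as disabled.
    hw = str(info.get("encryptionAtRestState", "unknown")).lower()
    sw = str(info.get("softwareEncryptionAtRestState", "unknown")).lower()
    return {
        "cluster": info.get("name"),
        "hardware": hw,
        "software": sw,
        # Only a settled "enabled" counts; "enabling" means drives are still changing.
        "encrypted_at_rest": "enabled" in (hw, sw),
        "in_transition": any(s in ("enabling", "disabling") for s in (hw, sw)),
    }

# Constructed sample replies (not captured from a real cluster).
SAMPLE_SW_ONLY = json.dumps({"id": 1, "result": {"clusterInfo": {
    "name": "example-cluster",
    "encryptionAtRestState": "disabled",
    "softwareEncryptionAtRestState": "enabled"}}})
SAMPLE_ENABLING = json.dumps({"id": 1, "result": {"clusterInfo": {
    "name": "example-cluster",
    "encryptionAtRestState": "enabling",
    "softwareEncryptionAtRestState": "disabled"}}})
SAMPLE_ERROR = json.dumps({"id": 1, "error": {
    "code": 500, "name": "xExampleError", "message": "constructed error"}})

if __name__ == "__main__":
    print(build_request("GetClusterInfo"))
    for sample in (SAMPLE_SW_ONLY, SAMPLE_ENABLING):
        print(encryption_status(sample))
```

The first sample is the case the dashboard would not reveal: hardware-based encryption is disabled while software encryption at rest is enabled.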

Enable hardware-based encryption at rest

Note: To enable encryption at rest using an external key management configuration, you must enable encryption at rest via the API. Enabling using the existing Element UI button will revert to using internally generated keys.

  1. From the Element UI, select Cluster > Settings.

  2. Select Enable Encryption at Rest.

Enable software-based encryption at rest

Note: Software encryption at rest cannot be disabled after it is enabled on the cluster.

  1. During cluster creation, run the create cluster method with enableSoftwareEncryptionAtRest set to true.

Disable hardware-based encryption at rest

  1. From the Element UI, select Cluster > Settings.

  2. Select Disable Encryption at Rest.
