Skip to main content

Optional: Enable node encryption

Contributors netapp-perveilerk netapp-lhalbert netapp-pcarriga netapp-madkat ssantho3

If you enable node encryption, the disks in your appliance can be protected by secure key management server (KMS) encryption against physical loss or removal from the site. You must select and enable node encryption during appliance installation. You can't disable node encryption after the KMS encryption process starts.

If you are using ConfigBuilder to generate a JSON file, you can enable node encryption automatically. See Automate appliance installation and configuration.

Before you begin

Review the information about configuring KMS.

About this task

An appliance that has node encryption enabled connects to the external key management server (KMS) that is configured for the StorageGRID site. Each KMS (or KMS cluster) manages the encryption keys for all appliance nodes at the site. These keys encrypt and decrypt the data on each disk in an appliance that has node encryption enabled.

A KMS can be set up in Grid Manager before or after the appliance is installed in StorageGRID. See the information about KMS and appliance configuration in the instructions for administering StorageGRID for additional details.

  • If a KMS is set up before installing the appliance, KMS-controlled encryption begins when you enable node encryption on the appliance and add it to a StorageGRID site where KMS is configured.

  • If a KMS is not set up before you install the appliance, KMS-controlled encryption is performed on each appliance that has node encryption enabled as soon as a KMS is configured and available for the site that contains the appliance node.

Important When an appliance is installed with node encryption enabled, a temporary key is assigned. The data on the appliance is not protected until the appliance is connected to the Key Management System (KMS) and a KMS security key is set. See the KMS appliance configuration overview for additional information.

Without the KMS key needed to decrypt the disk, data on the appliance can't be retrieved and is effectively lost. This is the case whenever the decryption key can't be retrieved from the KMS. The key becomes inaccessible if a customer clears the KMS configuration, a KMS key expires, connection to the KMS is lost, or the appliance is removed from the StorageGRID system where its KMS keys are installed.

  1. Open a browser, and enter one of the IP addresses for the appliance's compute controller.


    Controller_IP is the IP address of the compute controller (not the storage controller) on any of the three StorageGRID networks.

    The StorageGRID Appliance Installer Home page appears.

    Important After the appliance has been encrypted with a KMS key, the appliance disks can't be decrypted without using the same KMS key.
  2. Select Configure Hardware > Node Encryption.

    KMS FDE enabled
  3. Select Enable node encryption.

    Before appliance installation, you can clear Enable node encryption without risk of data loss. When the installation begins, the appliance node accesses the KMS encryption keys in your StorageGRID system and begins disk encryption. You can't disable node encryption after the appliance is installed.

    Important After you add an appliance that has node encryption enabled to a StorageGRID site that has a KMS, you can't stop using KMS encryption for the node.
  4. Select Save.

  5. Deploy the appliance as a node in your StorageGRID system.

    KMS-controlled encryption begins when the appliance accesses the KMS keys configured for your StorageGRID site. The installer displays progress messages during the KMS encryption process, which might take a few minutes depending on the number of disk volumes in the appliance.

    Note Appliances are initially configured with a random non-KMS encryption key assigned to each disk volume. The disks are encrypted using this temporary encryption key, that is not secure, until the appliance that has node encryption enabled accesses the KMS keys configured for your StorageGRID site.
After you finish

You can view node-encryption status, KMS details, and the certificates in use when the appliance node is in maintenance mode. See Monitor node encryption in maintenance mode for information.