Enable Encryption
Before you begin
In NimbleOS version 2.3 or later, you can enable encryption on volumes. Encryption uses keys to encrypt volume data. Two important points to remember are the following:
- If you lose the passphrase for the master encryption key, data in the encrypted volumes cannot be retrieved.
- The encryption status of a volume cannot be changed.
Procedure
- Go to Administration > Security > Encryption.
- Complete the fields as needed for your environment.
  - Passphrase: When initially enabling encryption, enter a passphrase value of any printable characters with a length between 8 and 64 characters, inclusive, and then confirm your entry. Printable characters are English-language alphanumeric characters, spaces, and special characters. Foreign-language characters are not supported. You can optionally select the option to show the characters as you type so that you can verify entering the same value in both fields.
    Note: After you save the initial configuration, you can change the passphrase value by clicking the Modify Passphrase button. You must know the current value to modify the value.
  - System Startup Mode: Select whether administrators or operators must enter the passphrase for encrypted volumes when the array restarts.
    - Enabling Available mode does not require passphrase entry every time the group leader array restarts. (However, some rare scenarios may still require passphrase entry.) Available mode is useful in physically secured and lights-out data centers. Available mode is the default system startup mode.
    - Enabling Secure mode requires passphrase entry every time the group leader array restarts. Secure mode is useful if you move the array from one location to another or if the array is stolen. Because only authorized personnel know the passphrase, data is inaccessible without knowing the passphrase.
  - Default Setting: Select "Enable encryption on newly created volumes (Cipher: AES-256-XTS)" to enable encryption by default when authorized users create volumes. Deselect this option to create unencrypted volumes by default.
  - Scope: Select where and how to apply the encryption Default Setting.
    - Force the default setting to be applied to all new volumes in the group means that when authorized users create volumes, encryption is enabled or disabled based on whether encryption is enabled or disabled for the Default Setting. Users cannot override the Default Setting when creating volumes.
    - Allow overriding the default setting on a per-volume basis means that when authorized users create volumes, the Default Setting is applied, but it can be changed. For example, if you choose to enable encryption by default, then an authorized user can choose not to encrypt a new volume when creating it.
- When prompted to save your passphrase in a secure place, read the message and click I accept to acknowledge that you understand the ramifications of a lost passphrase and to save the encryption settings.
Do not forget your passphrase. Lost passphrases cannot be retrieved and will result in permanent loss of data.
What to do next
Based on your selections for Default Setting and Scope, volumes that authorized users create after enabling encryption are either automatically encrypted or can be encrypted on a case-by-case basis.
Note: Volumes that were created in Nimble versions earlier than version 2.3.x are not encrypted and cannot be edited to be encrypted. The encryption state specified when creating a volume cannot be changed for the life of that volume.