Enable Encryption

You must have Administrator privileges to change the encryption configuration.
Beginning with version 6.0, you can either use a passphrase for local key management or use external key management for your encryption keys. Encryption uses keys to encrypt volume data. Keep the following two points in mind:
  • If you lose the passphrase for the master encryption key or access to the external key manager, data in the encrypted volumes cannot be retrieved.
  • The encryption status of a volume cannot be changed.
To ensure that you are aware of the requirements for encrypting volumes, read the information in Encryption of Data at Rest.
  1. Go to Administration > Security > Encryption.
  2. Complete the fields as needed for your environment.
    Option: Description
    Passphrase: Enter a passphrase to enable encryption with local key management, or set up an external key manager. When initially enabling encryption, enter a passphrase value of any printable characters with a length between 8 and 64 characters, inclusive, and then confirm your entry. Printable characters are English-language alphanumeric characters, spaces, and special characters. Foreign-language characters are not supported. You can optionally select the option to show the characters as you type so that you can verify that you entered the same value in both fields.
    NOTE: After you save the initial configuration, you can change the passphrase value by clicking the Modify Passphrase button. You must know the current value to modify it.
    System Startup Mode: Select whether administrators or operators must enter the passphrase for encrypted volumes when the array restarts.
    • Enabling Available mode does not require passphrase entry every time the group leader array restarts. (However, some rare scenarios may still require passphrase entry.) Available mode is useful in physically secured and lights-out data centers. Available mode is the default system startup mode.
    • Enabling Secure mode requires passphrase entry every time the group leader array restarts. Secure mode is useful if you move the array from one location to another or if the array is stolen. Because only authorized personnel know the passphrase, data is inaccessible without knowing the passphrase.
    Default Setting: Select "Enable encryption on newly created volumes (Cipher: AES-256-XTS)" to enable encryption by default when authorized users create volumes. Deselect this option to create unencrypted volumes by default.
    Scope: Select where and how to apply the encryption Default Setting.
    • "Force the default setting to be applied to all new volumes in the group" means that when authorized users create volumes, encryption is enabled or disabled based on whether encryption is enabled or disabled for the Default Setting. Users cannot override the Default Setting when creating volumes.
    • "Allow overriding the default setting on a per-volume basis" means that when authorized users create volumes, the Default Setting is applied, but it can be changed. For example, if you choose to enable encryption by default, then an authorized user can choose not to encrypt a new volume when creating it.
  3. When prompted to save your passphrase in a secure place, read the message and click I accept to acknowledge that you understand the ramifications of a lost passphrase and to save the encryption settings.

    Do not forget your passphrase. Lost passphrases cannot be retrieved and will result in permanent loss of data.

Based on your selections for Default Setting and Scope, volumes that authorized users create after enabling encryption are either automatically encrypted or can be encrypted on a case-by-case basis.

NOTE: Volumes that were created in versions earlier than version 2.3.x are not encrypted and cannot be edited to be encrypted. The encryption state specified when creating a volume cannot be changed for the life of that volume.
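
A pre-check for the Passphrase field in step 2, as an added example that is not part of the product or its documentation: it tests a candidate against the 8 to 64 character limit and reports the position of any character that is not printable. It assumes "printable" means ASCII 0x20 through 0x7E; the function name and the sample strings are constructed for illustration.

```python
import unicodedata

MIN_LEN, MAX_LEN = 8, 64  # inclusive length bounds stated on this page


def check_passphrase(candidate):
    """Return (errors, warnings) for a candidate passphrase string."""
    errors, warnings = [], []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        errors.append(f"length {len(candidate)} is outside {MIN_LEN}-{MAX_LEN}")
    for pos, ch in enumerate(candidate):
        # Assumption: "printable" means ASCII 0x20 (space) through 0x7E (~).
        if not 0x20 <= ord(ch) <= 0x7E:
            name = unicodedata.name(ch, "control character")
            errors.append(f"position {pos}: U+{ord(ch):04X} ({name}) is not supported")
    # Spaces are allowed, but one at either end is easily dropped when the
    # passphrase is copied into a vault entry or written down.
    if candidate != candidate.strip(" "):
        warnings.append("leading or trailing space")
    return errors, warnings


# Constructed sample values, not real passphrases.
SAMPLES = [
    "correct horse battery staple",  # accepted
    "short7!",                       # 7 characters
    "don\u2019t lose this key",      # curly apostrophe from a word processor
    "vault passphrase 01\n",         # trailing newline from reading a file
    " padded passphrase",            # leading space
]

if __name__ == "__main__":
    for sample in SAMPLES:
        errors, warnings = check_passphrase(sample)
        print(repr(sample), "OK" if not errors else errors, warnings)
```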